For those of us that feel strongly that email should be a reliable transport medium.

Kevin Spicer kevins at BMRB.CO.UK
Tue Feb 10 23:33:45 GMT 2004


On Tue, 2004-02-10 at 20:56, Julian Field wrote:
> But in the meantime, does anyone have any good ideas for a happy medium,
> such as enabling it but not documenting it, or producing a nasty log
> message if it is used, or something like that?
> All constructive ideas are most welcome.
Personally I'm happy to see it left off - but in the interests of
debate, four points (1 long 3 short)

First point...
There are a number of spamassassin tests that spot mail with forged
headers (maybe not all of them - but a fair few).  The introduction of
SPF support in SA2.70 should also help with spotting some forged mail
(especially if AOL continue to use it) [I don't want to get into another
debate about the merits or otherwise of SPF - but can we agree for sites
that choose to use SPF it should be a useful indicator for modifying
SpamAssassin scores...]

Simply checking for the presence of these indicators (or even the total
score contributed by those tests) in the spamassassin report would help
to determine whether a source is probably spoofed. Then the bounce
option could only be applied to those that are not obviously false.

Additionally the triggering of DCC or pyzor tests is also a good
suggestion of whether it is worthwhile bouncing a mail.

I'm not sure offhand exactly what tests SA does, but some obvious ideas
spring to mind, which could perhaps be implemented in SA rules:

- The mail originates from one of the 'sender's' MXs (good indicator that
  the domain at least is likely not forged - unless it's an open relay!)
- The mail originates from a host in the same class C as one of the
  'sender's' MXs
- A reverse lookup on the sender's IP gives a hostname in the same domain.

NOTE that I'm not saying that any of these are hard and fast indicators
of forged addresses (they all have flaws) but as part of a spamassassin
ruleset they may be helpful.
Certainly where spamassassin detects that headers are forged there is no
excuse for bouncing the mail(?)


Second point - Admins who do bounce mail should - at the very least -
ensure that the mail they wish to bounce was originally addressed to a
valid user.  I'll be posting something to the FAQ soon describing a
method of doing this for those using sendmail to relay to Exchange.

Third (contentious) point - Of course this is one benefit of a milter
(but let's not start that debate!), I choose not to use a milter, but
then I don't bounce spam.

Fourth (really contentious) point - Maybe it's about time someone started
an RBL for mindless autoresponders?

/ducks

Kevin




BMRB International
http://www.bmrb.co.uk
+44 (0)20 8566 5000
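
The bounce gate suggested in the first point, sketched as an added example (not part of the original post and not MailScanner or SpamAssassin code). Assumptions: the rule names below stand in for the "forged header" and bulk tests, a DCC or Pyzor hit is read as a reason not to bounce, the caller has already resolved the MX addresses and the PTR name, and all sample values are constructed.

```python
import ipaddress

# Assumption: SpamAssassin rule names treated as forgery / bulk indicators.
FORGERY_PREFIXES = ("FORGED_",)
FORGERY_TESTS = {"SPF_FAIL", "SPF_SOFTFAIL"}
BULK_TESTS = {"DCC_CHECK", "PYZOR_CHECK"}

def same_slash24(ip, others):
    """True if ip shares an IPv4 /24 (the old 'class C') with any of others."""
    try:
        net = ipaddress.IPv4Network(f"{ip}/24", strict=False)
        return any(ipaddress.IPv4Address(o) in net for o in others)
    except ValueError:  # IPv6 or malformed input gives no evidence
        return False

def in_domain(hostname, domain):
    """Label-aligned suffix match, so notexample.org does not match example.org."""
    h, d = hostname.rstrip(".").lower(), domain.rstrip(".").lower()
    return bool(d) and (h == d or h.endswith("." + d))

def origin_evidence(sender_domain, client_ip, mx_ips, ptr_name):
    """Return which of the three origin heuristics the connection satisfies."""
    hits = []
    if client_ip in mx_ips:
        hits.append("from_sender_mx")
    elif same_slash24(client_ip, mx_ips):
        hits.append("same_class_c_as_mx")
    # The PTR record is set by whoever owns the IP; forward-confirm it first.
    if ptr_name and in_domain(ptr_name, sender_domain):
        hits.append("ptr_in_sender_domain")
    return hits

def may_bounce(sa_tests, sender_domain, client_ip, mx_ips, ptr_name):
    """Return (allowed, reason); any forgery or bulk hit vetoes the bounce."""
    tests = set(sa_tests)
    forged = sorted(t for t in tests
                    if t in FORGERY_TESTS or t.startswith(FORGERY_PREFIXES))
    if forged:
        return False, "forgery indicators: " + ",".join(forged)
    bulk = sorted(tests & BULK_TESTS)
    if bulk:
        return False, "bulk indicators: " + ",".join(bulk)
    evidence = origin_evidence(sender_domain, client_ip, mx_ips, ptr_name)
    if not evidence:
        return False, "no evidence the sender domain is genuine"
    return True, "origin evidence: " + ",".join(evidence)

if __name__ == "__main__":
    # Constructed sample: clean report, host in the same /24 as the MX.
    print(may_bounce([], "example.org", "192.0.2.77", ["192.0.2.10"], None))
```
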