Slightly OT: sfm-sav milter
Dennis Willson
taz at taz-mania.com
Fri Dec 1 23:14:32 GMT 2006
Actually smf-sav is SUPPOSED to do an mx lookup (and the code is in
there) to do the sender verification.
I've tested this and it works on mine. Since so many large ISPs (and
myself) don't send and receive from the same server and the sending
server doesn't actually know the recipients it would break sav if it
didn't do the mx lookup.
Normally smf-sav does mx lookups of the mail-from and uses the
mailertable to do the rcpt-to lookup.
On Fri, 1 Dec 2006 13:23:46 -0900
"Kevin Miller" <Kevin_Miller at ci.juneau.ak.us> wrote:
>I just posted the following to the smf-sav list, but thought I'd give
>folks here a heads up too, since I know some are using smf-sav
>milter...
>
>===========
>The spammers are up to their old tricks apparently. I noticed this in
>my logs today:
>
>-------------------------------------------------
>Nov 30 19:06:23 mx2 smf-sav[22911]: sender check succeeded:
><burlkevin_miller at ci.juneau.ak.us>, 124.120.38.30,
>ppp-124.120.38.30.revip2.asianet.co.th, [00:00:03]
>Nov 30 19:06:24 mx2 smf-sav[22911]: recipient check failed:
><burlkevin_miller at ci.juneau.ak.us>, 124.120.38.30,
>ppp-124.120.38.30.revip2.asianet.co.th,
><burlkevin_miller at ci.juneau.ak.us>, [00:00:00]
>-------------------------------------------------
>
>There are numerous entries where they use some phoney address as the
>from=, which generally fail. I guess they figured they'd have a better
>chance of getting their spam through if they forged an address from my
>domain, but configured their server to verify it.
>
>There's nobody here called burlkevin_miller at ci.juneau.ak.us (as
>evidenced by the recipient check failing) so they must be configuring
>their server to validate the address during the callback. I'm not sure
>how the callback works; apparently it just queries the server that is
>attempting to send rather than looking up the valid mx servers in DNS
>and querying them which might be a better way to do the sender
>verifications. I don't know what that would do to overhead or if it
>would break any rules.
>
>If the spammer used both a valid sender and recipient id their spam
>would get through (although most likely it would then be caught by
>other spam filters). This may be a case of spam being reflected off a
>valid domain instead of actually being targeted to me. Who knows?
>
>At any rate, it seems the spammers have figured out a way to spoof
>sender verification. It's a sure thing I don't have any email servers
>in Asia...
>
>...Kevin
>--
>Kevin Miller Registered Linux User No: 307357
>CBJ MIS Dept. Network Systems Admin., Mail Admin.
>155 South Seward Street ph: (907) 586-0242
>Juneau, Alaska 99801 fax: (907 586-4500
>
--------------------------------------------------
Dennis Willson
taz at taz-mania.com
http://www.taz-mania.com
Ham (Extra Class): ka6lsw
Scuba: Rescue Diver, EANx, Wreck, Night, Alt, Equip, UW Photographer,
Gas Blender
Owner: Kepnet Internet Services
Life should not be a journey to the grave with the intention of
arriving safely in a nice looking and well preserved body, but rather
to skid in broadside, thoroughly used up, totally worn out, and loudly
proclaiming, "WOW! WHAT A RIDE!"
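
Added example (not part of the original thread and not smf-sav code): a log check for the contradiction Kevin describes, where an address in a local domain passes the sender check but fails the recipient check from the same client. It assumes one syslog event per line in the layout quoted above; the sample lines, addresses and the `find_contradictions` name are constructed for illustration.

```python
import re

# Constructed sample in the smf-sav syslog layout quoted in the thread
# (example.org/example.com addresses, documentation IP ranges).
SAMPLE_LOG = """\
Nov 30 19:06:23 mx2 smf-sav[22911]: sender check succeeded: <ghost@example.org>, 203.0.113.30, ppp-30.dialup.example.net, [00:00:03]
Nov 30 19:06:24 mx2 smf-sav[22911]: recipient check failed: <ghost@example.org>, 203.0.113.30, ppp-30.dialup.example.net, <ghost@example.org>, [00:00:00]
Nov 30 19:07:10 mx2 smf-sav[22911]: sender check succeeded: <alice@example.com>, 198.51.100.7, mail.example.com, [00:00:01]
Nov 30 19:09:15 mx2 smf-sav[22911]: recipient check failed: <carol@example.com>, 198.51.100.9, relay.example.com, <nobody@example.org>, [00:00:00]
"""

# Only "sender check succeeded" and "recipient check failed" appear in the
# thread; other result words are matched generically and ignored below.
LINE = re.compile(
    r"smf-sav\[\d+\]: (?P<kind>sender|recipient) check (?P<result>\w+): "
    r"<(?P<sender>[^>]*)>, (?P<ip>[^,]+), (?P<host>[^,]+), "
    r"(?:<(?P<rcpt>[^>]*)>, )?\[[\d:]+\]"
)

def find_contradictions(log_text, local_domains):
    """Return (address, client_ip) pairs where a local-domain address was
    accepted as a sender yet rejected as a recipient from the same client."""
    verified = set()   # (sender, ip) pairs that passed the sender check
    findings = []
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        sender, ip = m["sender"].lower(), m["ip"]
        if m["kind"] == "sender" and m["result"] == "succeeded":
            verified.add((sender, ip))
        elif m["kind"] == "recipient" and m["result"] == "failed":
            rcpt = (m["rcpt"] or "").lower()
            domain = rcpt.rpartition("@")[2]
            # Same address on both sides, local domain, same client IP:
            # the sender callback result disagrees with the recipient check.
            if rcpt == sender and domain in local_domains \
                    and (sender, ip) in verified:
                findings.append((rcpt, ip))
    return findings

if __name__ == "__main__":
    for addr, ip in find_contradictions(SAMPLE_LOG, {"example.org"}):
        print(f"sender verified but unknown as recipient: {addr} from {ip}")
```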