Slightly OT: sfm-sav milter

Michael Baird mike at tc3net.com
Sat Dec 2 02:20:54 GMT 2006


I have the address verification code only, which gives a step through of
an individual address for smf-sav. You can run it via the command line
and it will echo all the test. If someone wants a URL to it, mail me off
list. It only checks MX records, in my experience.

For Example

./sav burlkevin_miller at ci.juneau.ak.us
SAV v1.3.0 (C) 2005, 2006 by Eugene Kurmanin - http://smfs.sf.net/
ci.juneau.ak.us is handled (pri=10): mxg.ci.juneau.ak.us
ci.juneau.ak.us is handled (pri=15): mx2.ci.juneau.ak.us
ci.juneau.ak.us is handled (pri=20): mxl.ci.juneau.ak.us
Connecting to: mxg.ci.juneau.ak.us.
Could not connect to: mxg.ci.juneau.ak.us., Operation now in progress
Connecting to: mx2.ci.juneau.ak.us.
Connected to: mx2.ci.juneau.ak.us.
<<< 220 mx2.ci.juneau.ak.us ESMTP Sendmail 8.13.4/8.13.4/SuSE Linux 0.7; Fri, 1 Dec 2006 17:13:40 -0900
>>> HELO yourhost.yourdomain.tld
<<< 250 mx2.ci.juneau.ak.us Hello mx2.tc3net.com [64.112.192.3], pleased to meet you
>>> MAIL FROM:<>
<<< 250 2.1.0 <>... Sender ok
>>> RCPT TO:<burlkevin_miller at ci.juneau.ak.us>
<<< 550 5.1.1 <burlkevin_miller at ci.juneau.ak.us>... Sorry, no mailbox here by that name or mailbox is over quota
>>> RSET
<<< 250 2.0.0 Reset state
>>> MAIL FROM:<postmaster at yourdomain.tld>
<<< 553 5.1.8 <postmaster at yourdomain.tld>... Domain of sender address postmaster@yourdomain.tld does not exist
>>> RSET
<<< 250 2.0.0 Reset state
>>> QUIT
<<< 221 2.0.0 mx2.ci.juneau.ak.us closing connection
burlkevin_miller at ci.juneau.ak.us: Sender address verification failed.
Completed in 72 sec.


Regards
Michael Baird

> Actually smf-sav is SUPPOSED to do an mx lookup (and the code is in 
> there) to do the sender verification.
> 
> I've tested this and it works on mine. Since so many large ISPs (and 
> myself) don't send and receive from the same server and the sending 
> server doesn't actually know the recipients it would break sav if it 
> didn't do the mx lookup.
> 
> Normally smf-sav does mx lookups of the mail-from and uses the 
> mailertable to do the rcpt-to lookup.
> 
> 
> On Fri, 1 Dec 2006 13:23:46 -0900
>   "Kevin Miller" <Kevin_Miller at ci.juneau.ak.us> wrote:
> >I just posted the following to the smf-sav list, but thought I'd give
> >folks here a heads up too, since I know some are using smf-sav 
> >milter...
> >
> >===========
> >The spammers are up to their old tricks apparently.  I noticed this in
> >my logs today:
> >
> >-------------------------------------------------
> >Nov 30 19:06:23 mx2 smf-sav[22911]: sender check succeeded:
> ><burlkevin_miller at ci.juneau.ak.us>, 124.120.38.30,
> >ppp-124.120.38.30.revip2.asianet.co.th, [00:00:03]
> >Nov 30 19:06:24 mx2 smf-sav[22911]: recipient check failed:
> ><burlkevin_miller at ci.juneau.ak.us>, 124.120.38.30,
> >ppp-124.120.38.30.revip2.asianet.co.th,
> ><burlkevin_miller at ci.juneau.ak.us>, [00:00:00]
> >-------------------------------------------------
> >
> >There are numerous entries where they use some phoney address as the
> >from=, which generally fail.  I guess they figured they'd have a better
> >chance of getting their spam through if they forged an address from my
> >domain, but configured their server to verify it.
> >
> >There's nobody here called burlkevin_miller at ci.juneau.ak.us (as
> >evidenced by the recipient check failing) so they must be configuring
> >their server to validate the address during the callback.  I'm not sure
> >how the callback works; apparently it just queries the server that is
> >attempting to send rather than looking up the valid mx servers in DNS
> >and querying them which might be a better way to do the sender
> >verifications.  I don't know what that would do to overhead or if it
> >would break any rules.
> >
> >If the spammer used both a valid sender and recipient id their spam
> >would get through (although most likely it would then be caught by other
> >spam filters).  This may be a case of spam being reflected off a valid
> >domain instead of actually being targeted to me.  Who knows?
> >
> >At any rate, it seems the spammers have figured out a way to spoof
> >sender verification.  It's a sure thing I don't have any email servers
> >in Asia...
> >
> >...Kevin
> >-- 
> >Kevin Miller                Registered Linux User No: 307357
> >CBJ MIS Dept.               Network Systems Admin., Mail Admin.
> >155 South Seward Street     ph: (907) 586-0242
> >Juneau, Alaska 99801        fax: (907 586-4500
> >  
> >-- 
> >MailScanner mailing list
> >mailscanner at lists.mailscanner.info
> >http://lists.mailscanner.info/mailman/listinfo/mailscanner
> >
> 
> 
> --------------------------------------------------
> Dennis Willson
> 
> taz at taz-mania.com
> http://www.taz-mania.com
> 
> Ham (Extra Class): ka6lsw
> Scuba: Rescue Diver, EANx, Wreck, Night, Alt, Equip, UW Photographer, 
> Gas Blender
> 
> Owner: Kepnet Internet Services
> 
> Life should not be a journey to the grave with the intention of 
> arriving safely in a nice looking and well preserved body, but rather 
> to skid in broadside, thoroughly used up, totally worn out, and loudly 
> proclaiming, "WOW! WHAT A RIDE!"
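
Added example (not part of the original thread and not smf-sav code): a log check for the contradiction described in the quoted post, where an address in the local domain passes the sender check for a remote client yet fails the recipient check on the same server. The single-line log format, the assumption that the first bracketed address is the one being checked, and every address, host and IP in the sample are constructed for illustration.

```python
import re
from collections import defaultdict

# Assumed one-line form of the smf-sav syslog entries quoted in the thread.
# Assumption: the first <address> after the verdict is the address checked.
LINE_RE = re.compile(
    r"smf-sav\[\d+\]: (?P<kind>sender|recipient) check "
    r"(?P<result>succeeded|failed): <(?P<addr>[^>]+)>, "
    r"(?P<ip>[0-9a-fA-F.:]+), (?P<host>[^,]+),"
)

# Constructed sample input (documentation domains and address ranges).
SAMPLE_LOG = """\
Nov 30 19:06:23 mx2 smf-sav[22911]: sender check succeeded: <burl_user@example.org>, 203.0.113.30, ppp-30.example.net, [00:00:03]
Nov 30 19:06:24 mx2 smf-sav[22911]: recipient check failed: <burl_user@example.org>, 203.0.113.30, ppp-30.example.net, <burl_user@example.org>, [00:00:00]
Nov 30 19:07:10 mx2 smf-sav[22911]: sender check succeeded: <alice@example.com>, 198.51.100.7, mail.example.com, [00:00:01]
Nov 30 19:08:02 mx2 smf-sav[22911]: sender check failed: <nobody@example.org>, 203.0.113.31, ppp-31.example.net, [00:00:02]
""".splitlines()


def find_contradictions(lines, local_domains):
    """Return sorted (address, client_ip) pairs where a local-domain address
    passed the sender check but was rejected as a recipient.

    The local server is authoritative for its own mailboxes, so such an
    address can only have "verified" against something other than the
    domain's real MX hosts.
    """
    local = {d.lower() for d in local_domains}
    sender_ok = defaultdict(set)   # address -> client IPs whose sender check passed
    rcpt_rejected = set()          # local addresses the recipient check refused
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue
        addr = m["addr"].lower()
        if addr.rpartition("@")[2] not in local:
            continue               # only our own domains are authoritative here
        if m["kind"] == "sender" and m["result"] == "succeeded":
            sender_ok[addr].add(m["ip"])
        elif m["kind"] == "recipient" and m["result"] == "failed":
            rcpt_rejected.add(addr)
    return sorted((a, ip) for a in rcpt_rejected for ip in sender_ok.get(a, ()))


if __name__ == "__main__":
    for addr, ip in find_contradictions(SAMPLE_LOG, {"example.org"}):
        print(f"forged local sender {addr} verified for client {ip}")
```
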


