[65551] in North American Network Operators' Group
Re: incorrect spam setups cause spool messes on forwarders
daemon@ATHENA.MIT.EDU (Suresh Ramasubramanian)
Tue Dec 2 09:38:31 2003
Date: Tue, 02 Dec 2003 09:37:06 -0500
From: Suresh Ramasubramanian <suresh@outblaze.com>
To: Valdis.Kletnieks@vt.edu
Cc: Michael.Dillon@radianz.com, nanog@merit.edu
In-Reply-To: <200312021432.hB2EWpLB005836@turing-police.cc.vt.edu>
Errors-To: owner-nanog-outgoing@merit.edu

Valdis.Kletnieks@vt.edu writes on 12/2/2003 9:32 AM:
> On Tue, 02 Dec 2003 19:23:41 +0800, Suresh Ramasubramanian <suresh@outblaze.com> said:
>
>
>>What they are trying to do is to connect back to email.com's MXs and ensure
>>that the user <sgswretyshsdhtest@email.com> who is trying to send them mail
>>really does exist, and is not just a figment of some spambot's imagination.
>
>
> And they tell that how, exactly, given that many sites do NOT allow VRFY or EXPN?

MAIL FROM: RCPT TO: QUIT: is precisely what they are doing.
Nobody except spammers / dictionary attackers seems to VRFY these days
for this sort of stuff. In fact grepping your logs for VRFY is often a
reliable sign of a dictionary attack on your machines.

> I suppose they could do a MAIL FROM/RCPT TO pair, look at the result, and
> QUIT instead of DATA. Of course, that would be silly, because if it ever ran
> into another site that tried the same thing, that site would try to call back
> and do a MAIL FROM/RCPT TO...

MAIL FROM: <> typically, or from a sender that does not return callbacks
to it ... so no danger of loops getting set up. Thank God for small
mercies, I guess.

srs
--
srs (postmaster|suresh)@outblaze.com // gpg : EDEDEFB9
manager, outblaze.com security and antispam operations
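
Added example (not part of the original message): a Python sketch of the log check discussed above, labelling SMTP sessions that issue VRFY repeatedly and sessions that match the MAIL FROM:<> / RCPT TO / QUIT callback pattern. The log format, session IDs, addresses, labels and the VRFY threshold are constructed assumptions, not any MTA's real log format.

```python
import re
from collections import defaultdict

# Constructed sample log. Assumed format: "<session-id> <client-ip> <SMTP command>".
SAMPLE_LOG = """\
s1 192.0.2.10 HELO mx.example.net
s1 192.0.2.10 MAIL FROM:<>
s1 192.0.2.10 RCPT TO:<alice@example.com>
s1 192.0.2.10 QUIT
s2 198.51.100.7 HELO x
s2 198.51.100.7 VRFY admin
s2 198.51.100.7 VRFY bob
s2 198.51.100.7 VRFY carol
s2 198.51.100.7 QUIT
s3 203.0.113.5 EHLO mail.example.org
s3 203.0.113.5 MAIL FROM:<dave@example.org>
s3 203.0.113.5 RCPT TO:<alice@example.com>
s3 203.0.113.5 DATA
s3 203.0.113.5 QUIT
"""

NULL_SENDER = re.compile(r"^MAIL\s+FROM:\s*<>", re.IGNORECASE)

def classify_sessions(log_text, vrfy_threshold=3):
    """Return {session_id: (client_ip, label)} for each session in the log."""
    sessions = defaultdict(lambda: {"ip": None, "cmds": []})
    for raw in log_text.splitlines():
        parts = raw.split(None, 2)
        if len(parts) < 3:
            continue  # skip blank or malformed lines
        sid, ip, cmd = parts
        sessions[sid]["ip"] = ip
        sessions[sid]["cmds"].append(cmd.strip())

    results = {}
    for sid, s in sessions.items():
        verbs = [c.split(None, 1)[0].upper() for c in s["cmds"]]
        null_sender = any(NULL_SENDER.match(c) for c in s["cmds"])
        if verbs.count("VRFY") >= vrfy_threshold:
            label = "vrfy-probe"      # repeated VRFY: possible dictionary attack
        elif "DATA" in verbs:
            label = "delivery"        # a message was actually offered
        elif "RCPT" in verbs and "QUIT" in verbs:
            # RCPT tested, then QUIT without DATA: the callback pattern
            label = "callback" if null_sender else "rcpt-no-data"
        else:
            label = "other"
        results[sid] = (s["ip"], label)
    return results

if __name__ == "__main__":
    for sid, (ip, label) in classify_sessions(SAMPLE_LOG).items():
        print(sid, ip, label)
```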