<quote who=David Ross date=[030903 16:41]/>
> This is correct, and important. Last year a spammer used an Earthlink relay
> to send out ads with my address spoofed in the reply field.
> I contacted Earthlink and while they wouldn't close the SMTP relay
> altogether (I still don't know why not), they did block outgoing email with
> the math.hawaii.edu origin for me.

Are we talking about spoofed IP packet headers in the datagram or
spoofed headers in the mail?

A closed MTA should accept mail from any valid address (on their
network or not) going to any valid address as long as that address is
within their subnet or listed in the accepted relay subnet.

An open MTA will accept mail from anywhere. Period.

If we are talking about spoofed headers in terms of RCPT then the
only condition is that the receiving MTA does a call back to make sure
that address is in fact valid. Some MTAs do, others don't. But either
way, this has no bearing on the MTA being an open relay or not.

A spammer will normally spoof where the mail comes from in terms of
the route that mail took and in terms of who sent the mail.

If we are talking about spoofed IPs in its usual usage then we are
talking about a case whereby the sender fakes the IP header in the
datagram which the sender is coming from. This isn't a question of
faking a header in the mail. This is a question of faking the actual IP
header; something which is much more difficult to do.

http://www.freesoft.org/CIE/Course/Section3/7.htm

Spoofed headers are normal. Spammers use them all the time.

Spoofed IPs in regards to how I mentioned them are rare because it
requires:

i) That the spammer knows what the relay subnet list is.
ii) Be smart enough to know how to actually spoof this address.
iii) Be lucky enough to not meet a firewall before getting to the MTA

Given i, ii and iii a spammer will normally just go after the Open
Relay or possibly set up a few Zombie MTAs.

J.
-- 
Justin F. Knotzke
jknotzke@shampoo.ca
http://www.shampoo.ca
_______________________________________________
Thinkpad mailing list
Thinkpad@stderr.org
http://stderr.org/cgi-bin/mailman/listinfo/thinkpad

Received on Wed Sep 3 18:49:50 2003
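
An added example, not part of the original post: a sketch of the relay check a closed MTA applies at RCPT TO, showing that the decision rests on the connecting IP and the recipient domain while the envelope sender, which the client can set to anything, is ignored. The domain, subnet, addresses and function names are constructed for illustration.

```python
import ipaddress

# Constructed policy values (assumptions, not taken from the post).
LOCAL_DOMAINS = {"example.org"}                           # domains this MTA delivers for
RELAY_NETWORKS = [ipaddress.ip_network("192.0.2.0/24")]   # accepted relay subnet


def closed_relay_decision(client_ip, mail_from, rcpt_to):
    """Return (accepted, reason) for one RCPT TO on a closed MTA.

    mail_from is a parameter only to make the point that it is never
    consulted: a spoofed sender cannot change the outcome.
    """
    if "@" not in rcpt_to:
        return (False, "malformed recipient")
    rcpt_domain = rcpt_to.rsplit("@", 1)[1].lower().rstrip(".")
    if rcpt_domain in LOCAL_DOMAINS:
        return (True, "local delivery")        # inbound mail, any source
    try:
        addr = ipaddress.ip_address(client_ip)
    except ValueError:
        return (False, "bad client address")
    if any(addr in net for net in RELAY_NETWORKS):
        return (True, "relay for trusted client")
    return (False, "relay denied")


def open_relay_decision(client_ip, mail_from, rcpt_to):
    """An open MTA: every sender, recipient and source IP is accepted."""
    return (True, "open relay")


# Constructed sessions: (client IP, MAIL FROM, RCPT TO)
SESSIONS = [
    ("203.0.113.9", "anyone@elsewhere.test", "user@example.org"),
    ("192.0.2.17", "staff@example.org", "friend@elsewhere.test"),
    ("203.0.113.9", "staff@example.org", "victim@elsewhere.test"),  # spoofed sender
]

if __name__ == "__main__":
    for session in SESSIONS:
        print(session, closed_relay_decision(*session), open_relay_decision(*session))
```

The third session is the case the post describes: a spoofed local sender arriving from an outside IP is refused by the closed MTA and accepted by the open one.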