ietf-822

RE: Statistics of "intelligence" in e-mail spams

2001-01-23 10:00:49
Blocking port 25!  Now you're talking!  My life would be so much easier.  I
have a cutting-edge-of-techno-societal-evolution friend who has disabled his
email account opting to instruct people on how to send snail mail, drop by
his office or call him on the phone.  But that is getting off on a tangent!

I guess my point is that if a host opened a connection to you, regardless of
whether or not it is an MX, it might have sendmail or some smtpd running
that could be probed.  If your receiving MTA opened a connection back to it
and tested to see if the originating daemon would blindly accept email for
relay, then you might have a piece of useful information.

We get probed all the time from people attempting to relay through us.  It
is impossible to tell how many of these are spammers looking for an open
relay, but I would guess that the number is non-zero.  If we weren't
proactive, they might for instance find a department's Linux server (that
probably doesn't have an MX associated with it but that's beside the point).
That won't keep it from relaying mail.

If the department server was probed back, on an outgoing message by a
recipient host, the receiving machine might notice this and reject with
something like "550 Sorry, your sendmail daemon appears to be an open mail
relay. Please tell your administrators and we'll start accepting mail from
you again."  If port 25 on the originating host doesn't answer the
connection back, the receiving machine should fail safe and just accept the
message.

So the only time the receiving host rejects the message is when the sending
*host* appears to blindly accept mail for relay.

Naturally there are configuration issues, such as which hosts you want to
probe and which are exempt.  And you're right, you'd probably kill some
legit messages with friendly fire.  But people can always call you in your
office, right? :)

-----Original Message-----
From: Keith Moore [mailto:moore(_at_)cs(_dot_)utk(_dot_)edu]
Sent: Tuesday, January 23, 2001 10:34 AM
To: Gwinn, Allen
Cc: ietf-822(_at_)imc(_dot_)org
Subject: Re: Statistics of "intelligence" in e-mail spams 


This approach certainly isn't perfect.  But simply opening a connection to
the sending host and checking RCPT TO:
<somewhere(_at_)your_own_domain(_dot_)whatever>,
looking for a 250 OK message before rejecting, then failing safe (i.e.
accepting anything where you can't connect to the host) might tend to slow
down a large hunk of spam.

Then blocking incoming traffic to port 25 would be even more effective.

It's simply incorrect to assume that the host that is sending you mail
is an authoritative MX for the domain that is sending you mail.  If you
do this you will be causing a significant number of delivery failures
for legitimate mail.

Keith
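The connect-back relay probe both messages sketch, written out as an added example (not code from either poster): the receiving MTA opens a connection to the host that is delivering to it, walks HELO / MAIL FROM / RCPT TO with a recipient in its own domain, and treats a 250 to that RCPT TO as evidence of an open relay. Only that case draws the 550; a refused RCPT TO, a closed port 25 or a broken dialogue all fail safe to acceptance, as the thread proposes. The domains example.net (the receiving site), mx.example.net (its MTA) and dept-linux.example.com (the probed department box) are assumptions, and the three fake daemons are constructed fixtures so the whole thing runs offline.

```python
import socket
import threading

# Assumed names: example.net stands for the receiving site's own domain and
# mx.example.net for its MTA. Neither appears in the thread.
PROBE_RCPT = "probe@example.net"
OUR_HELO = "mx.example.net"
REJECT_TEXT = ("550 Sorry, your sendmail daemon appears to be an open mail relay. "
               "Please tell your administrators and we'll start accepting mail "
               "from you again.")


def _reply_code(f):
    """Read one SMTP reply (with any '250-...' continuation lines) and return its code."""
    while True:
        line = f.readline()
        if not line:
            raise ConnectionError("peer closed the connection")
        if len(line) >= 4 and line[3:4] == b" ":
            return int(line[:3])
        # a '-' in column 4 marks a continuation line; keep reading


def probe_open_relay(host, port, probe_rcpt=PROBE_RCPT, helo=OUR_HELO, timeout=5.0):
    """Connect back to the host delivering to us and ask whether it would relay
    to an address in our own domain.

    Returns "open-relay" (250 to our RCPT TO), "closed" (5xx to RCPT TO) or
    "inconclusive" (port did not answer, or the dialogue never got that far).
    The probe stops at RCPT TO and never sends DATA, so no message is injected.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout) as s, \
                s.makefile("rb") as f:
            if _reply_code(f) != 220:
                return "inconclusive"
            # Null sender, as for bounces; only the recipient matters for a relay test.
            for cmd in (b"HELO " + helo.encode(), b"MAIL FROM:<>"):
                s.sendall(cmd + b"\r\n")
                if _reply_code(f) != 250:
                    return "inconclusive"
            s.sendall(b"RCPT TO:<" + probe_rcpt.encode() + b">\r\n")
            code = _reply_code(f)
            s.sendall(b"QUIT\r\n")  # tear down politely; the 221, if any, is ignored
            try:
                _reply_code(f)
            except OSError:
                pass
            if code in (250, 251):
                return "open-relay"
            if 500 <= code < 600:
                return "closed"
            return "inconclusive"  # 4xx or anything odd: not proof of a relay
    except (OSError, ValueError):  # refused, timed out, reset, garbage: fail safe
        return "inconclusive"


def decide(probe_result):
    """The receiving MTA's envelope-stage reply. Only a confirmed open relay is
    refused; "closed" and "inconclusive" both fall through to acceptance."""
    return REJECT_TEXT if probe_result == "open-relay" else "250 OK"


_HELD = []  # keeps "down" sockets bound so their port stays refused during the demo


def fake_smtpd(behaviour):
    """Constructed stand-in for the connecting host's port-25 daemon on an
    ephemeral 127.0.0.1 port. "open" relays anything, "closed" answers RCPT TO
    with 550, "down" is bound but not listening so the connect is refused."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    port = srv.getsockname()[1]
    if behaviour == "down":
        _HELD.append(srv)
        return port
    srv.listen(1)

    def serve():
        conn, _ = srv.accept()
        srv.close()
        with conn, conn.makefile("rb") as f:
            conn.sendall(b"220 dept-linux.example.com ESMTP\r\n")  # assumed hostname
            for line in f:
                verb = line[:4].upper()
                if verb == b"QUIT":
                    conn.sendall(b"221 Bye\r\n")
                    break
                if verb == b"RCPT" and behaviour == "closed":
                    conn.sendall(b"550 5.7.1 Relaying denied\r\n")
                else:
                    conn.sendall(b"250 OK\r\n")

    threading.Thread(target=serve, daemon=True).start()
    return port


def run_demo():
    """Probe all three constructed peers; returns {behaviour: (probe result, our reply)}."""
    out = {}
    for behaviour in ("open", "closed", "down"):
        port = fake_smtpd(behaviour)
        result = probe_open_relay("127.0.0.1", port, timeout=3.0)
        out[behaviour] = (result, decide(result))
    return out


if __name__ == "__main__":
    for behaviour, (result, reply) in run_demo().items():
        print(f"{behaviour:7s} -> probe says {result:12s} -> we answer: {reply}")
```

Two caveats a practitioner would add to the thread's own (friendly fire, and deciding which hosts to probe or exempt): a 250 at RCPT TO is envelope-stage evidence only, since an MTA may accept the recipient and refuse the relay after DATA, so the verdict is "appears to be", as the 550 text says; and the probe is itself an inbound connection to someone else's port 25, which their administrators may read as scanning, which is one more reason to keep the probe short and to stop well before DATA.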