ietf-mta-filters

network extension proposal

1999-02-17 02:48:07
It has been necessary in our spam blocking efforts to write code that allows
our MTA to filter against the HELO string, the hostname, and IP address of 
the remote mail host during an SMTP transaction. 

To support this with a sieve implementation, I propose the "network" test. 
This would be used to define filter rules that test the remote relay's 
network identity.


Examples:

1) Spammers frequently send invalid or forged HELO strings (such as: 
HELO www.hotmail.com).

2) Some IP addresses and netblocks are known to be operated by spammers.
It might also be interesting to have the ability to do RBL checking.

3) Some patterns of hostnames are known to be dial-in users (example:
dial-in-pool*.*.isp.net), and thus should not be allowed to connect
to an inbound SMTP server (depending on the site's policy).


This test would be similar to the header test:

if network :is "ipaddr" "192.168.10.4"
   {
      keep; # if our IP address is the same as 192.168.10.4
   }

if network :contains "ipaddr" "192.168.10.0/24"
   {
      keep; # if our IP address falls in the 192.168.10.0/24 network
   }

if network :contains "hostname" "evil.com"
   {
      discard; # for all hosts in the evil.com domain.
   }

if network :is "helo" "www.hotmail.com"
   {
      discard; # for all forged HELO strings using www.hotmail.com
   }


Although I haven't fully thought this through, I could envision a
possible RBL extension to look like:

if network :contains "ipaddr" "rbl"
   {
      fileinto "spam"; # if this IP address is in the RBL.
   }

The sieve implementation would know how to contact an RBL server. 
Typically, the value of the TXT record could be tossed.


The ability to filter messages based on their origin (or supposed
origin) would allow for powerful spam filtering techniques. Please let
me know if this sounds useful. I can write this up more formally, if
there is any interest.

Steve

-- 
Steve Simitzis : steve(_at_)saturn5(_dot_)com || 
steve(_at_)criticalpath(_dot_)net : "Hup!" - R.Crumb
 \ simitzis /sim' - i - jees/ (n) an unpronounceable string of random letters /
    \ Critical Path : saturn5 Productions : hath the daemon spawn no fire? /
       \ operators are standing by : 415-282-9979 (h) 415-808-8725 (w) /
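
Added example, not part of the original message or of any Sieve implementation: a Python sketch of how the proposed "network" test could be evaluated, including the DNS name an RBL (DNSBL) lookup would query. The function names, the session dictionary, the sample hostname and the zone "rbl.example" are assumptions made for illustration, as is reading :contains on a hostname as domain membership rather than a raw substring.

```python
import ipaddress

def _norm(name):
    # DNS names compare case-insensitively; ignore a trailing root dot.
    return name.strip().rstrip(".").lower()

def network_test(session, match, key, value):
    """Evaluate one proposed `network` test against facts from the SMTP session."""
    if key == "ipaddr":
        ip = ipaddress.ip_address(session["ipaddr"])
        if match == ":is":
            return ip == ipaddress.ip_address(value)
        if match == ":contains":
            # strict=False accepts "192.168.10.4/24" as well as "192.168.10.0/24"
            return ip in ipaddress.ip_network(value, strict=False)
    elif key in ("hostname", "helo"):
        actual, wanted = _norm(session[key]), _norm(value)
        if match == ":is":
            return actual == wanted
        if match == ":contains":
            # Assumption: domain membership on a label boundary, not a raw
            # substring, so "notevil.com" and "evil.com.example.net" do not match.
            return actual == wanted or actual.endswith("." + wanted)
    raise ValueError(f"unsupported test: {match} {key}")

def dnsbl_query_name(ipaddr, zone):
    """Build the DNS name queried for a DNSBL lookup (reversed address + zone)."""
    ip = ipaddress.ip_address(ipaddr)
    # reverse_pointer ends in in-addr.arpa or ip6.arpa; keep only the reversed part
    reversed_part = ip.reverse_pointer.rsplit(".", 2)[0]
    return f"{reversed_part}.{_norm(zone)}"

def rbl_listed(ipaddr, zone, resolve):
    """`resolve(name)` returns a list of A records; any answer means listed."""
    return bool(resolve(dnsbl_query_name(ipaddr, zone)))

# Constructed session for illustration; the hostname is made up to fit example 3.
SESSION = {"ipaddr": "192.168.10.4", "hostname": "dial-in-pool7.sfo.isp.net",
           "helo": "www.hotmail.com"}

if __name__ == "__main__":
    print(network_test(SESSION, ":contains", "ipaddr", "192.168.10.0/24"))
    print(network_test(SESSION, ":is", "helo", "WWW.Hotmail.com"))
    print(dnsbl_query_name(SESSION["ipaddr"], "rbl.example"))
```

Only the IP address is observed by the receiving server itself; the HELO string is supplied by the client and the hostname comes from reverse DNS, so rules keyed on those two match what the remote side claims.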





