ietf-mxcomp

Re: Can you ever reject mail based on RFC2821 MAIL FROM?

2004-04-26 17:23:00


----- Original Message ----- 
From: "Harry Katz" <hkatz(_at_)exchange(_dot_)microsoft(_dot_)com>
To: "Pete Resnick" <presnick(_at_)qualcomm(_dot_)com>; 
<ietf-mxcomp(_at_)imc(_dot_)org>
Sent: Monday, April 26, 2004 3:15 PM
Subject: RE: Can you ever reject mail based on RFC2821 MAIL FROM?

I really wish it were possible to reject reliably on a spoof check of
MAIL FROM, but it just isn't folks.  It just isn't.

Hmmmmm, just today I got 20+ MAIL FROM rejects; here are just two of them.

20040426 00:22:05 -------------------------------------
20040426 00:22:05 version    : 1.62 / 1.54
20040426 00:22:05 calltype   : SMTP
20040426 00:22:05 state      : rcpt
20040426 00:22:05 srvdom     : winserver.com
20040426 00:22:05 srvip      : 208.247.131.9
20040426 00:22:05 cip        : 24.232.124.14
20040426 00:22:05 cdn        : eltrueno
20040426 00:22:05 from       : <user2004k(_at_)fibertel(_dot_)com(_dot_)ar>
20040426 00:22:05 rcpt       : <andrea(_dot_)santos(_at_)santronics(_dot_)com>
20040426 00:22:05 testorder  : FLT RBL SPF CEP CBV
20040426 00:22:05 sapfilter  : pass (time:31)
20040426 00:22:05 saprbl     : testing 14.124.232.24.sbl.spamhaus.org
20040426 00:22:06 saprbl     : testing 14.124.232.24.list.dsbl.org
20040426 00:22:08 saprbl     : testing 14.124.232.24.bl.spamcop.net
20040426 00:22:09 saprbl     : pass (time:3500)
20040426 00:22:10 sapspf     : none (time:1234)
20040426 00:22:10 sapcep     : test from=fibertel.com.ar
20040426 00:22:11 sapcep     : test cdn=eltrueno
20040426 00:22:12 sapcep     : none (time:2328)
20040426 00:22:17 sapcbv     : total mx records: 1
20040426 00:22:17 try mx     : mail.fibertel.com.ar ip: 24.232.0.160
20040426 00:22:17 # connecting to 24.232.0.160
20040426 00:22:31 S: 220 mail.fibertel.com.ar ESMTP Service (7.0.019) ready
20040426 00:22:31 C: NOOP WCSAP v1.62 Wildcat! Sender Authentication Protocol http://www.santronics.com
20040426 00:22:31 S: 501 Syntax error on NOOP command
20040426 00:22:31 C: HELO mail.winserver.com
20040426 00:22:31 S: 250 mail.fibertel.com.ar
20040426 00:22:31 C: MAIL FROM: <>
20040426 00:22:31 S: 250 MAIL FROM:<> OK
20040426 00:22:31 C: RCPT TO: <user2004k(_at_)fibertel(_dot_)com(_dot_)ar>
20040426 00:22:36 S: 550 RCPT TO:<user2004k(_at_)fibertel(_dot_)com(_dot_)ar> User unknown
20040426 00:22:36 C: QUIT
20040426 00:22:37 sapcbv     : 550
20040426 00:22:37 result     : reject (0)
20040426 00:22:37 smtp code  : 550
20040426 00:22:37 reason     : Rejected by WCSAP CBV
20040426 00:22:37 wcsap finish (31500 msecs)

20040426 18:40:32 -------------------------------------
20040426 18:40:32 version    : 1.62 / 1.54
20040426 18:40:32 calltype   : SMTP
20040426 18:40:32 state      : rcpt
20040426 18:40:32 srvdom     : winserver.com
20040426 18:40:32 srvip      : 208.247.131.9
20040426 18:40:32 cip        : 167.1.160.100
20040426 18:40:32 cdn        : ggnatl5ms9x0381.com
20040426 18:40:32 from       : <astarry(_at_)ix(_dot_)netcom(_dot_)com>
20040426 18:40:32 rcpt       : <andrea(_dot_)santos(_at_)santronics(_dot_)com>
20040426 18:40:32 testorder  : FLT RBL SPF CEP CBV
20040426 18:40:32 sapfilter  : pass (time:31)
20040426 18:40:32 saprbl     : testing 100.160.1.167.sbl.spamhaus.org
20040426 18:40:32 saprbl     : testing 100.160.1.167.list.dsbl.org
20040426 18:40:32 saprbl     : testing 100.160.1.167.bl.spamcop.net
20040426 18:40:32 saprbl     : pass (time:0)
20040426 18:40:33 sapspf     : none (time:1094)
20040426 18:40:33 sapcep     : test from=ix.netcom.com
20040426 18:40:33 sapcep     : test cdn=ggnatl5ms9x0381.com
20040426 18:40:39 sapcep     : none (time:5250)
20040426 18:40:39 sapcbv     : total mx records: 5
20040426 18:40:39 try mx     : mx8.earthlink.net ip: 207.217.125.23
20040426 18:40:39 # connecting to 207.217.125.23
20040426 18:40:39 S: 220 mamo EL_3_9_13_6 /EL_3_9_13_6  ESMTP EarthLink SMTP Server Mon, 26 Apr 2004 15:37:51 -0700 (PDT)
20040426 18:40:39 C: NOOP WCSAP v1.62 Wildcat! Sender Authentication Protocol http://www.santronics.com
20040426 18:40:39 S: 250 ok
20040426 18:40:39 C: HELO mail.winserver.com
20040426 18:40:39 S: 250 mamo Hello mail.winserver.com [208.247.131.9], please to meet you
20040426 18:40:39 C: MAIL FROM: <>
20040426 18:40:39 S: 250 <>... Sender ok
20040426 18:40:39 C: RCPT TO: <astarry(_at_)ix(_dot_)netcom(_dot_)com>
20040426 18:40:39 S: 550 astarry(_at_)ix(_dot_)netcom(_dot_)com(_dot_)(_dot_)(_dot_)User unknown
20040426 18:40:39 C: QUIT
20040426 18:40:39 sapcbv     : 550
20040426 18:40:39 result     : reject (0)
20040426 18:40:39 smtp code  : 550
20040426 18:40:39 reason     : Rejected by WCSAP CBV
20040426 18:40:39 wcsap finish (7094 msecs)
20040426 18:40:45 -------------------------------------

Please note most of the time is taken up in RBL and LMAP-based DNS lookups; the
CBV took the lesser of all times. In the real world, the odds are very high
you will not have SPF or CEP compliant domains.

You need to think outside the box, Harry.

-- 
Hector Santos, Santronics Software, Inc.
http://www.santronics.com
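The callback verification (CBV) dialogue shown in the two logs above, as an added example that is not part of Hector's post or of WCSAP: a scripted fake MX plays the remote side, and the verifier rejects only when RCPT TO for the MAIL FROM address draws a 5xx, deferring (never rejecting) on 4xx or a failed probe. The host names, addresses and the FakeMX class are constructed for this example.

```python
import re

class FakeMX:
    """Scripted SMTP server standing in for the sender domain's MX (constructed)."""
    def __init__(self, banner, unknown, greylist=False):
        self.lines = [banner]              # replies queued for the client to read
        self.unknown = {u.lower() for u in unknown}
        self.greylist = greylist           # answer RCPT with a 4xx instead of 2xx/5xx
        self.transcript = []               # both sides' messages, like the WCSAP log

    def send(self, line):
        self.transcript.append("C: " + line)
        verb = line.split(":", 1)[0].split()[0].upper()
        if verb == "HELO":
            reply = "250 mx.example.test"
        elif verb == "MAIL":
            reply = "250 MAIL FROM:<> OK"
        elif verb == "RCPT":
            addr = re.search(r"<([^>]*)>", line).group(1).lower()
            if self.greylist:
                reply = "450 try again later"
            elif addr in self.unknown:
                reply = f"550 RCPT TO:<{addr}> User unknown"
            else:
                reply = "250 OK"
        elif verb == "QUIT":
            reply = "221 bye"
        else:
            reply = "501 Syntax error"     # e.g. the NOOP in the first log
        self.lines.append(reply)

    def readline(self):
        reply = self.lines.pop(0)
        self.transcript.append("S: " + reply)
        return reply

def callback_verify(mx, sender, helo="mail.example.test"):
    """Probe `sender` with a null-reverse-path transaction. Returns
    ('reject', code) only for a 5xx RCPT reply, ('accept', code) for 2xx,
    and ('defer', code) for 4xx or when the probe cannot be completed."""
    code = int(mx.readline()[:3])
    if code != 220:
        return ("defer", code)
    for cmd in (f"HELO {helo}", "MAIL FROM: <>"):
        mx.send(cmd)
        code = int(mx.readline()[:3])
        if code // 100 != 2:               # probe itself failed: not evidence of a spoof
            mx.send("QUIT"); mx.readline()
            return ("defer", code)
    mx.send(f"RCPT TO: <{sender}>")
    code = int(mx.readline()[:3])
    mx.send("QUIT"); mx.readline()
    if code // 100 == 2:
        return ("accept", code)
    return ("reject", code) if code // 100 == 5 else ("defer", code)
```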
