ietf-smtp

Re: Site policy vs. HELO

2005-03-09 04:35:54


----- Original Message -----
From: "Bruce Lilly" <blilly(_at_)erols(_dot_)com>
To: <ietf-smtp(_at_)imc(_dot_)org>
Sent: Tuesday, March 08, 2005 6:13 PM
Subject: Re: Site policy vs. HELO


This particular problem didn't begin a day, a week, or a month ago.
The first excerpt that I provided today was from 21 Oct 2004, 11:29
EDT.  And that wasn't the first time.

Well I'll be a MONKEY'S UNCLE!

Oh Bruce, you were BLACK LISTED!!!  TWITTED from sending into our system
with your erols.com domain.

File: wc:\data\ValidateMailFrom.txt
[1    ] reject erols.com
End of File

Case close!

Let's see what the file date is.... Aug 27 2003.

I knew there was a reason for all this.  I don't remember why, but I must have
gotten tired of you harassing me at the time, sending duplicate messages to me
and the various IETF mailing lists.  Let me see what my MUA logs show for
that time frame... Yup, some stupid thread about MUAs and you were all over
my face sending duplicate messages.  In fact, I found a draft email that I
never bothered to post that informs you that you were twitted!

Like I said, there is a reason for everything.  Nothing to do with protocols
or their reliability. In fact, it was a 100% trusted result.

How did I find this?

In reality, what happened here was that the wc:\data\validateMailFrom.txt
filter file was deprecated but still available for backward compatibility.
Filtering is done via a p-code subprocess called wcSAP, and the time frame
matches.  The WCSAP project started back in the July 2003 time frame, as shown
by our stats collection at http://www.winserver.com/spamstats.  I never
bothered to delete the old filter file.

I did a thorough examination of all your transactions since Oct 21 2004 and
I found it odd that the "Return Path Not Verified" response code did not
have a reason in the log.  Well, the source code has it to intentionally
hide the reason from you.

    if ((EnableMailFromFilter == 1) && !IsUserAuthorized) {
        DWORD retcode = 550;         // was 552; 03/11/04 08:43 pm
        spfcode = SPF_SKIPPED;       // 450.9b15
        CString sResponse = "";      // 450.9b12b
        // ValidateReturnPath checks the old validatemailfrom.txt list first,
        // then spawns wcSAP; on failure it fills in retcode and sResponse
        if (!ValidateReturnPath("mail",
                                CallerInfo.szMailFrom,
                                "",
                                retcode,
                                spfcode,
                                sResponse)) {
            // 450.9b13
            int wcxret = SendWcxResponse();
            if (wcxret == 0) {
                // response not sent: hide reason from sender
                Send("%d Return Path not verifiable.\r\n", retcode);
            }
            // the reason only goes to the server-side SMTP log
            CString sLine = "";
            if (!sResponse.IsEmpty()) sLine += " (" + sResponse + ")";
            smtplog("MAIL: Return Path not verifiable: %s%s!",
                    CallerInfo.szMailFrom, sLine);
            ResetState();
            return TRUE;
        }
    }

ValidateReturnPath first checks the old validatemailfrom.txt file and then
spawns wcSAP.  wcSAP never ran, which is why I never saw a log entry.  So I
had to find out why it didn't run.  The old filter file explained it!

wcSAP is our main AVS system and I don't mind saying it is the BEST out
there. That said, it simply uses strict SMTP compliance as the basis of the
package.  Here is an example of a wcSAP rejection with a reason recorded on
the server side.  We still don't send reasons to the sender.

**************************************************************************
Wildcat! SMTP Server v6.0.451.2
SMTP log started at Tue, 19 Oct 2004  23:33:17
Connection Time: 20041019 23:33:17  cid: 0001F991
SSL Enabled: NO
Client IP: 66.219.102.202 (unknown)
23:33:17 S: 220-winserver.com Wildcat! ESMTP Server v6.0.451.2 ready
23:33:17 S: 220-************** WARNING:  FOR AUTHORIZED USE ONLY! **********************
23:33:17 S: 220-* THIS SYSTEM DO NOT AUTHORIZE THE USE OF ITS PROPRIETARY COMPUTERS    *
23:33:17 S: 220-* AND COMPUTER NETWORKS TO ACCEPT, TRANSMIT, OR DISTRIBUTE UNSOLICITED *
23:33:17 S: 220-* BULK E-MAIL SENT FROM THE INTERNET. THIS SYSTEM WILL RESTRICT ACCESS *
23:33:17 S: 220-* TO CAN-SPAM (US S. 877) COMPLIANT CLIENTS ONLY. *
23:33:17 S: 220 ************************************************************************
23:33:18 C: HELO 202box.abscat.com
23:33:18 S: 250 winserver.com, Pleased to meet you.
23:33:18 C: MAIL FROM:<healthcare-andrea(_dot_)santos=santronics(_dot_)com(_at_)healthweb77(_dot_)com>
23:33:18 S: 250 <healthcare-andrea(_dot_)santos=santronics(_dot_)com(_at_)healthweb77(_dot_)com>... Sender validation pending. Continue.
23:33:18 C: RCPT TO:<andrea(_dot_)santos(_at_)santronics(_dot_)com>
23:33:45 ** WCX Process: wcsap  ret: 550 (Rejected by WCSAP CBV)
23:33:45 S: 550 Return Path not verifiable.
23:33:45 C: QUIT
23:33:45 S: 221 closing connection

By taking the CID (connection ID) 0001F991, we can look at the wcSAP log
for the details:

20041019 23:33:18 0001f991 -------------------------------------
20041019 23:33:18 0001f991 version    : 2.01 / 1.60
20041019 23:33:18 0001f991 calltype   : SMTP
20041019 23:33:18 0001f991 state      : rcpt
20041019 23:33:18 0001f991 srvdom     : winserver.com
20041019 23:33:18 0001f991 srvip      : 208.247.131.9
20041019 23:33:18 0001f991 cip        : 66.219.102.202
20041019 23:33:18 0001f991 cdn        : 202box.abscat.com
20041019 23:33:18 0001f991 from       : <healthcare-andrea(_dot_)santos=santronics(_dot_)com(_at_)healthweb77(_dot_)com>
20041019 23:33:18 0001f991 rcpt       : <andrea(_dot_)santos(_at_)santronics(_dot_)com>
20041019 23:33:18 0001f991 testorder  : FLT RBL SPF CEP CBV
20041019 23:33:18 0001f991 sapfilter  : pass (time:62)

You passed the white/black list test.

20041019 23:33:18 0001f991 saprbl     : testing 202.102.219.66.sbl.spamhaus.org
20041019 23:33:23 0001f991 saprbl     : testing 202.102.219.66.list.dsbl.org
20041019 23:33:26 0001f991 saprbl     : testing 202.102.219.66.bl.spamcop.net
20041019 23:33:27 0001f991 saprbl     : pass (time:9531)

You passed the RBL test.

20041019 23:33:29 0001f991 sapspf     : none (time:1360)

You have no SPF record.

20041019 23:33:29 0001f991 sapcep     : test from=healthweb77.com
20041019 23:33:39 0001f991 sapcep     : test cdn=202box.abscat.com
20041019 23:33:40 0001f991 sapcep     : none (time:11297)

Nor do you have a Microsoft CallerID record.  We need to deprecate this
junk. Note the overhead time!

Now it begins the CBV.  All we want to know is whether that address is
verifiable, and we do a small test for an open relay.

20041019 23:33:41 0001f991 sapcbv     : total mx records: 1
20041019 23:33:41 0001f991 try mx     : mx.healthweb77.com ip: 66.111.217.120
20041019 23:33:41 0001f991 # connecting to 66.111.217.120
20041019 23:33:41 0001f991 S: 220 shadyweasel.com ESMTP
20041019 23:33:41 0001f991 C: NOOP WCSAP v2.01 Wildcat! Sender Authentication Protocol http://www.santronics.com
20041019 23:33:45 0001f991 S: 250 ok
20041019 23:33:45 0001f991 C: HELO mail.winserver.com
20041019 23:33:45 0001f991 S: 250 shadyweasel.com
20041019 23:33:45 0001f991 C: MAIL FROM: <>
20041019 23:33:45 0001f991 S: 250 ok
20041019 23:33:45 0001f991 C: RCPT TO: <healthcare-andrea(_dot_)santos=santronics(_dot_)com(_at_)healthweb77(_dot_)com>
20041019 23:33:45 0001f991 S: 553 sorry, that domain isn't in my list of allowed rcpthosts (#5.7.1)
20041019 23:33:45 0001f991 C: QUIT
20041019 23:33:45 0001f991 sapcbv     : 553
20041019 23:33:45 0001f991 result     : reject (0)
20041019 23:33:45 0001f991 smtp code  : 550
20041019 23:33:45 0001f991 reason     : Rejected by WCSAP CBV
20041019 23:33:45 0001f991 wcsap finish (27109 msecs)
20041019 23:38:05 0001f9ae -------------------------------------

The CBV in the above case rejected the address. Therefore the final
transaction response is a rejection. Period.

If the remote host accepted the address, we do a small test with a random
address to see if this is accepted too.  If so, the transaction is rejected
as an open relay site.

Here is an example of such a test, ironically with your boy Keith:

20041019 16:29:29 0001eb60 -------------------------------------
20041019 16:29:29 0001eb60 version    : 2.01 / 1.60
20041019 16:29:29 0001eb60 calltype   : SMTP
20041019 16:29:29 0001eb60 state      : rcpt
20041019 16:29:29 0001eb60 srvdom     : winserver.com
20041019 16:29:29 0001eb60 srvip      : 208.247.131.9
20041019 16:29:29 0001eb60 cip        : 160.36.56.50
20041019 16:29:29 0001eb60 cdn        : klutz.cs.utk.edu
20041019 16:29:29 0001eb60 from       : <moore(_at_)cs(_dot_)utk(_dot_)edu>
20041019 16:29:29 0001eb60 rcpt       : <winserver(_dot_)support(_at_)winserver(_dot_)com>
20041019 16:29:29 0001eb60 ruid       : 228761
20041019 16:29:29 0001eb60 testorder  : FLT RBL SPF CEP CBV
20041019 16:29:29 0001eb60 sapfilter  : pass (time:78)
20041019 16:29:29 0001eb60 saprbl     : testing 50.56.36.160.sbl.spamhaus.org
20041019 16:29:34 0001eb60 saprbl     : testing 50.56.36.160.list.dsbl.org
20041019 16:29:36 0001eb60 saprbl     : testing 50.56.36.160.bl.spamcop.net
20041019 16:29:37 0001eb60 saprbl     : pass (time:7781)
20041019 16:29:38 0001eb60 sapspf     : none (time:1078)
20041019 16:29:38 0001eb60 sapcep     : test from=cs.utk.edu
20041019 16:29:39 0001eb60 sapcep     : test cdn=klutz.cs.utk.edu
20041019 16:29:41 0001eb60 sapcep     : none (time:2938)
20041019 16:29:46 0001eb60 sapcbv     : total mx records: 1
20041019 16:29:46 0001eb60 try mx     : smtp.cs.utk.edu ip: 160.36.56.154
20041019 16:29:46 0001eb60 # connecting to 160.36.56.154
20041019 16:29:46 0001eb60 S: 220 klutz.cs.utk.edu ESMTP Postfix
20041019 16:29:46 0001eb60 C: NOOP WCSAP v2.01 Wildcat! Sender Authentication Protocol http://www.santronics.com
20041019 16:29:46 0001eb60 S: 250 Ok
20041019 16:29:46 0001eb60 C: HELO mail.winserver.com
20041019 16:29:46 0001eb60 S: 250 klutz.cs.utk.edu
20041019 16:29:46 0001eb60 C: MAIL FROM: <>
20041019 16:29:47 0001eb60 S: 250 Ok
20041019 16:29:47 0001eb60 C: RCPT TO: <moore(_at_)cs(_dot_)utk(_dot_)edu>
20041019 16:29:47 0001eb60 S: 250 Ok
20041019 16:29:47 0001eb60 C: RCPT TO: <wcsap-openrelay-test-123sxa23(_at_)alqwejad(_dot_)com>
20041019 16:29:47 0001eb60 S: 554 <wcsap-openrelay-test-123sxa23(_at_)alqwejad(_dot_)com>: Relay access denied
20041019 16:29:47 0001eb60 C: QUIT
20041019 16:29:47 0001eb60 sapcbv     : 250
20041019 16:29:47 0001eb60 result     : accept (-1)
20041019 16:29:47 0001eb60 wcsap finish (18343 msecs)
20041019 16:35:46 0001eb9d -------------------------------------

In this case, Keith's server complied.  It's not an open relay site.

PS: I removed your black list status.

Hector Santos, CTO
Santronics Software, Inc.
http://www.santronics.com
305-431-2846 Cell
305-248-3204 Office
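The callback-verification decision procedure that the two wcSAP transcripts above walk through, as an added example that is not Hector's or wcSAP's code. The fake MX (ScriptedMx), the NOOP text, the probe domain probe.invalid and the handling of 4xx replies as "defer" are this example's assumptions; the canned reply lines are constructed from the two logs in the post.

```python
import re
import secrets

# Added example, not wcSAP's code: the callback-verification (CBV) decision
# procedure the post's transcripts show, run against a scripted fake MX so
# it works offline. Reply lines are constructed from the two logs above.

class ScriptedMx:
    """Fake MX peer: hands out canned replies in order, records client commands."""
    def __init__(self, replies):
        self.replies = list(replies)
        self.sent = []
    def read(self):
        return self.replies.pop(0)
    def write(self, line):
        self.sent.append(line)

def reply_code(reply):
    """Parse the 3-digit SMTP reply code ('250 ok', '550-multiline')."""
    m = re.match(r"(\d{3})[ -]", reply)
    if not m:
        raise ValueError("malformed SMTP reply: %r" % reply)
    return int(m.group(1))

def callback_verify(mx, sender, helo="mail.winserver.com", probe_domain="probe.invalid"):
    """Return ('accept'|'reject'|'defer', code) for the MAIL FROM address `sender`.
    Mirrors the transcripts: HELO, null reverse-path, RCPT TO the sender, then,
    only if that is accepted, one RCPT TO a random address at an unrelated
    domain; a 2xx there means the host relays for anyone and is rejected.
    Treating 4xx replies and failed HELO/MAIL as 'defer' is this example's assumption."""
    if reply_code(mx.read()) != 220:
        return ("defer", 0)
    for cmd in ("NOOP CBV probe", "HELO " + helo, "MAIL FROM:<>"):
        mx.write(cmd)
        code = reply_code(mx.read())
        if code // 100 != 2:
            mx.write("QUIT")
            return ("defer", code)
    mx.write("RCPT TO:<%s>" % sender)
    code = reply_code(mx.read())
    if code // 100 == 2:
        # sender accepted: now the open-relay test with a random address
        probe = "cbv-openrelay-test-%s@%s" % (secrets.token_hex(4), probe_domain)
        mx.write("RCPT TO:<%s>" % probe)
        pcode = reply_code(mx.read())
        verdict = ("reject", pcode) if pcode // 100 == 2 else ("accept", code)
    elif code // 100 == 4:
        verdict = ("defer", code)
    else:
        verdict = ("reject", code)
    mx.write("QUIT")
    return verdict

# Constructed replies taken from the post's two wcSAP transcripts
SHADYWEASEL = ["220 shadyweasel.com ESMTP", "250 ok", "250 shadyweasel.com", "250 ok",
               "553 sorry, that domain isn't in my list of allowed rcpthosts (#5.7.1)"]
KLUTZ = ["220 klutz.cs.utk.edu ESMTP Postfix", "250 Ok", "250 klutz.cs.utk.edu",
         "250 Ok", "250 Ok", "554 <x@probe.invalid>: Relay access denied"]
```

Running callback_verify(ScriptedMx(SHADYWEASEL), ...) reproduces the 553 rejection of the first log, and the KLUTZ script reproduces the accept with the relay probe refused.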
