
Re: Bounce/System Notification Address Verification

2005-06-29 19:19:31

From: "Robert A. Rosenberg" <hal9001(_at_)panix(_dot_)com>

 Valdis Wrote:

 would allow a spammer to send you a MAIL FROM/RCPT TO on a
 first connection, then once the callback shows up, use *that*
 information to create what looks like a "callback to a callback",
 but proceed to the DATA step. Whoops.. ;)

Hector asked:
You are going to have to explain that line of thought..

Since we were talking about the Verizon CBV, that Mail From will be
from <antispam579542(_at_)west(_dot_)verizon(_dot_)net so the spammer will do
his CBV to that address. The correct response (as I noted) by Verizon would
be to send a "Valid Address" response back. If this was real CBV, the
next step would be a QUIT (to drop the connection). Since we are
seeing what would occur since we are a spammer, a DATA is sent
instead. In that case, Verizon SHOULD respond by dropping the
connection (or sending a rejection code reply and dropping the connection
if the next response is not QUIT or RSET).


This is a special alias CBV address specific to Verizon's CBV implementation
which will not allow the state flow to reach the DATA point.

But why would a spammer do this?

It doesn't have to. Just issue the 250 response to the "antispamxxxx"
alias check, which is only done when the first NULL return path RCPT TO check
produces a negative response.

If MailPass uses the 250 as an accept, then the spammer passes the test. No
need to do the CBV on the "antispamxxxxx".


I don't know the full MailPass logic here. I would like to find out what
the complete logic is here.

Btw, is this a commercial product? I can't find any central place on the net
for this server.

I am trying to find my notes on another vendor that offers an API for CBV,
but what I found interesting with this one is how it uses NOOP with session
hash values.

Hector Santos, Santronics Software, Inc.
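The server-side behaviour discussed above (answer the probe alias with 250 on RCPT TO, but never let the session reach the DATA stage, and drop the connection unless the peer backs off with QUIT or RSET), as an added example written for this page; it is not code from the thread, from Verizon or from MailPass. The "antispam" prefix match, the reply texts and the 421 on the next non-QUIT/RSET command are assumptions.

```python
# Added example: toy SMTP command handler for a callback-verification (CBV)
# probe alias.  Alias prefix, reply texts and close-on-next-command are
# constructed assumptions, not any vendor's real implementation.
CBV_ALIAS_PREFIX = "antispam"      # constructed; stands in for "antispamxxxx"
CBV_DOMAIN = "west.verizon.net"    # domain quoted in the thread


class CbvProbeSession:
    """Accepts MAIL FROM / RCPT TO for the probe alias (so a real CBV
    client gets its 'Valid Address' and QUITs), refuses DATA for it,
    and closes the connection unless the peer then sends QUIT or RSET."""

    def __init__(self):
        self.reset()
        self.closed = False

    def reset(self):
        self.rcpt_is_cbv_alias = False   # set when RCPT TO names the probe alias
        self.pending_close = False       # set after DATA was refused

    def handle(self, line):
        if self.closed:
            return None                  # connection already dropped
        verb, _, arg = line.strip().partition(" ")
        verb = verb.upper()
        if self.pending_close and verb not in ("QUIT", "RSET"):
            self.closed = True           # peer ignored the rejection: drop it
            return "421 closing connection"
        if verb in ("HELO", "EHLO"):
            return "250 hello"
        if verb == "RSET":
            self.reset()
            return "250 OK"
        if verb == "QUIT":
            self.closed = True
            return "221 bye"
        if verb == "MAIL":
            return "250 OK"              # NULL or non-NULL return path both fine
        if verb == "RCPT":
            addr = arg.split(":", 1)[-1].strip("<> ").lower()
            local, _, domain = addr.partition("@")
            self.rcpt_is_cbv_alias = (local.startswith(CBV_ALIAS_PREFIX)
                                      and domain == CBV_DOMAIN)
            return "250 OK"              # the "Valid Address" answer a CBV wants
        if verb == "DATA":
            if self.rcpt_is_cbv_alias:
                self.pending_close = True
                return "554 address accepts verification only"
            return "354 end data with <CR><LF>.<CR><LF>"
        return "500 command not recognized"
```

A CBV client that stops after RCPT TO and sends QUIT sees a normal session; only a peer that tries to push DATA to the alias gets 554 and then 421.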
