procmail

Re: New types of Trojans coming

2005-02-03 15:46:08

PSE-L(_at_)mail(_dot_)professional(_dot_)org (Professional Software 
Engineering) writes:

One solution (until the miscreants decide to rummage PCs looking for
login data) is for affected ISPs to start REQUIRING SMTP
authentication 

This solution of SMTP authentication assumes that creating accounts with
the given provider is secure against fraudulent signups. If fraudulent
account signups can be easily scripted/automated, then an SMTP-
authenticated server becomes a de facto open relay, since IP access from
external networks is usually not restricted (and usually enhanced via
listening on port 587 for access via external networks that block port
25).  What's more, this allows the possibility (and already practiced)
spamming vector of:

         A) Spammer signs up fraudulent account 
         B) Spammer then spews from numerous zombie hosts through
            provider's ASMTP rotor using fraudulent login, thus
            continuing to leverage zombies for obfuscation of origin, 
            while at the same time capitalizing on the good
            reputation/trust the provider has with other networks by
            routing spam from:

        'random zombie host' -> 'provider's ASMTP server' -> Internet

        ...which of course also avoids the traditional DNSBLs.

...and then there's always brute force attacks, which Alan Ralsky has
apparently been experimenting with since at least 2003. These avenues of
attack can be prevented if they're considered when implementing
authenticated SMTP, but that's unfortunately not the immediate reality.

- whereby you can send mail only if you authenticate to
the server.  Of course, this doesn't stop someone from relaying mail
into a server for delivery INTO that server - even with SMTP auth on
the server, an earthlink customer could connect to an earthlink mail
server and (without authenticating) send spew to OTHER earthlink
customers.
unless the server were configured to recognize that the
sending host is within its own user address space, and not an
external mail host of sorts (which wouldn't require auth, or they'd be
rejecting virtually all their mail).  

This should only be possible for the relatively small number of ELNK
customers that are on static hosts. EarthLink's inbound MX is kept on a
separate rotor from its outbound SMTP/ASMTP rotors, and it tries to reject
all "direct-to-MX" connections from any dynamically assigned IP ranges
that it knows about, including its own. Ideally it should be necessary
for EarthLink customers to route through the provider's outbound SMTP
first (which will eventually be entirely authenticated SMTP) before mail
destined for other EarthLink addresses will successfully deliver --
although this isn't always the case, since the lists of known dynamic
pools are usually less than complete.


Regards,

Robert Arnold
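The two abuse patterns Robert describes (one fraudulent login driven from many zombie hosts through the ASMTP rotor, and password brute force against the submission server) both leave a visible trace in the server's AUTH log. The following is an added detection example, not code from the original post or from any provider; the log format and the sample lines are constructed for illustration, and the thresholds are assumptions a site would tune.

```python
"""Flag abuse of an authenticated submission (ASMTP) server from its AUTH log.
Constructed log format for this example: "<epoch> <client_ip> <user> <ok|fail>".
"""
from collections import defaultdict

# Constructed sample log lines (RFC 5737 test addresses), not from any real server.
SAMPLE_LOG = """\
1107445200 10.0.0.5 alice ok
1107445260 10.0.0.5 alice ok
1107445300 192.0.2.10 mailer42 ok
1107445305 198.51.100.7 mailer42 ok
1107445310 203.0.113.9 mailer42 ok
1107445315 192.0.2.77 mailer42 ok
1107445320 198.51.100.200 mailer42 ok
1107445400 203.0.113.50 bob fail
1107445401 203.0.113.50 bob fail
1107445402 203.0.113.50 carol fail
1107445403 203.0.113.50 dave fail
1107445404 203.0.113.50 erin fail
"""

def parse(log_text):
    """Return (timestamp, client_ip, user, result) tuples for each log line."""
    return [(int(ts), ip, user, res)
            for ts, ip, user, res in (l.split() for l in log_text.splitlines())]

def shared_credential_users(events, window_s=600, max_ips=3):
    """Users whose successful AUTHs came from more than max_ips distinct client
    IPs inside any window_s-second span: one login spewing from a zombie pool."""
    by_user = defaultdict(list)
    for ts, ip, user, res in events:
        if res == "ok":
            by_user[user].append((ts, ip))
    flagged = {}
    for user, hits in by_user.items():
        hits.sort()
        for i, (t0, _) in enumerate(hits):  # slide the window over each start
            ips = {ip for ts, ip in hits[i:] if ts - t0 <= window_s}
            if len(ips) > max_ips:
                flagged[user] = len(ips)
                break
    return flagged

def brute_force_sources(events, max_failures=3):
    """Client IPs with more than max_failures failed AUTH attempts (any user)."""
    failures = defaultdict(int)
    for _, ip, _, res in events:
        if res == "fail":
            failures[ip] += 1
    return {ip: n for ip, n in failures.items() if n > max_failures}
```

On the sample, `alice` (one IP) is clean, `mailer42` is flagged for five client IPs within ten minutes, and `203.0.113.50` is flagged for five failed logins across four usernames.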

____________________________________________________________
procmail mailing list   Procmail homepage: http://www.procmail.org/
procmail(_at_)lists(_dot_)RWTH-Aachen(_dot_)DE
http://MailMan.RWTH-Aachen.DE/mailman/listinfo/procmail
