procmail

Re: New types of Trojans coming

2005-02-03 22:19:47
R A Lichtensteiger wrote:

Curtis Maurand wrote:

{Edited to fix top posting}

<> R A Lichtensteiger wrote:
<>
<> >There are a number of fixes, of course:
<> >
<> > 1a. Separate your outgoing relays from your inbound MX hosts.
<> >     Some of the trojans do a PTR lookup on their address, then
<> >     an MX query on the forward zone.
<> > 1b. Configure your MX hosts to not accept mail from INSIDE your
<> >     network and configure your outbound relays to not accept mail
<> >     from OUTSIDE your network.

<> The problem with 1a and 1b is that some networks won't accept mail from
<> non-MX hosts.

Curtis,

Are you referring to SPF or to the silliness that Verizon has
implemented? Or something else entirely?

SPF isn't constrained to MXes; you can "announce" any host as a valid
mail relay for your domain.

Verizon's probe back at the MX to see if the username is valid is a
pimple on the ass of the Internet for sure, but the back query would
still work in the above case.

If something else, can you cite? I'm ignorant about who might have
implemented what ...

Reto  (Errm ... perhaps off list as we're straying ...)

I get the following from both BellSouth and Verizon.

Feb 3 18:33:42 [postfix/smtp] 1F09C203B9A: to=<ALN(_at_)SKYPOINT(_dot_)COM>, relay=minuet.skypoint.net[199.86.32.2], delay=52414, status=deferred (host minuet.skypoint.net[199.86.32.2] said: 451 4.1.8 Domain of sender address apache(_at_)orion(_dot_)xyonet(_dot_)com does not resolve (in reply to RCPT TO command))
Feb 3 18:33:42 [postfix/smtp] C4961203EA8: to=<GARDENELF(_at_)VERIZON(_dot_)NET>, relay=relay.VERIZON.NET[206.46.170.12], delay=167144, status=deferred (host relay.VERIZON.NET[206.46.170.12] said: 450 Unable to find orion.xyonet.com (in reply to RCPT TO command))


Both of those messages are the results from an e-commerce system. Both are sending from a machine that posts via "/usr/sbin/sendmail -t" instead of making a connection. The relevant section on the source address of the email:

;; QUESTION SECTION:
;141.141.49.69.in-addr.arpa.    IN      PTR

;; ANSWER SECTION:
141.141.49.69.in-addr.arpa. 10800 IN    PTR     orion.xyonet.com.

So you see, mail confirmations of the users' orders get rejected. I'm really not keen on making that host forward mail to the real mail host.

Curtis
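Added example, not from the thread: a small Python scanner over Postfix smtp deferral lines shaped like the ones quoted above. It picks out the envelope-sender domains that remote MTAs refused as unresolvable, so an admin can see which local hosts are emitting sender addresses that have a PTR but no forward A/MX record and need either a resolvable sender domain or a relay through the real mail host. The sample log lines, recipient addresses and relay names are constructed; only the queue ids and the orion.xyonet.com sender domain come from the post.

```python
import re
from collections import defaultdict

# Shape of the postfix/smtp deferral lines quoted in the thread (syslog prefix as shown there).
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \[postfix/smtp\] (?P<qid>[0-9A-F]+): "
    r"to=<(?P<to>[^>]+)>, relay=(?P<relay>[^,]+), delay=(?P<delay>\d+), "
    r"status=(?P<status>\w+) \((?P<reason>.*)\)$"
)
# Remote-MTA wording seen in the thread for "your sender domain does not resolve".
NXDOMAIN_RE = re.compile(
    r"(?:Domain of sender address (?P<addr>\S+) does not resolve"
    r"|Unable to find (?P<dom>\S+))"
)

# Constructed sample lines modelled on the two deferrals in the post, plus one clean delivery.
SAMPLE = """\
Feb  3 18:33:42 [postfix/smtp] 1F09C203B9A: to=<aln@skypoint.example>, relay=minuet.skypoint.example[192.0.2.2], delay=52414, status=deferred (host minuet.skypoint.example[192.0.2.2] said: 451 4.1.8 Domain of sender address apache@orion.xyonet.com does not resolve (in reply to RCPT TO command))
Feb  3 18:33:42 [postfix/smtp] C4961203EA8: to=<gardenelf@verizon.example>, relay=relay.verizon.example[192.0.2.12], delay=167144, status=deferred (host relay.verizon.example[192.0.2.12] said: 450 Unable to find orion.xyonet.com (in reply to RCPT TO command))
Feb  3 18:35:10 [postfix/smtp] AB12CD34EF5: to=<ok@example.org>, relay=mx.example.org[192.0.2.30], delay=3, status=sent (250 2.0.0 Ok: queued as 1234)
""".splitlines()


def parse_line(line):
    """Split one postfix/smtp line into its fields, or return None if it is not one."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["delay"] = int(rec["delay"])
    return rec


def sender_domain_problem(reason):
    """Return the sender domain the remote MTA could not resolve, or None."""
    m = NXDOMAIN_RE.search(reason)
    if not m:
        return None
    if m.group("addr"):                      # "Domain of sender address user@host ..."
        return m.group("addr").rsplit("@", 1)[-1].lower()
    return m.group("dom").lower()            # "Unable to find host"


def summarize(lines):
    """Map each unresolvable sender domain to the (queue id, recipient) pairs it blocked."""
    out = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["status"] != "deferred":
            continue
        dom = sender_domain_problem(rec["reason"])
        if dom:
            out[dom].append((rec["qid"], rec["to"]))
    return dict(out)


if __name__ == "__main__":
    for dom, hits in summarize(SAMPLE).items():
        print(f"{dom}: {len(hits)} deferred message(s) -> {[q for q, _ in hits]}")
```

Run it against your own mail log with `summarize(open("/var/log/maillog"))` after adjusting LINE_RE to your syslog prefix; a domain listed in the output is one the sending host must make forward-resolvable before remote MXes will accept its mail.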

____________________________________________________________
procmail mailing list   Procmail homepage: http://www.procmail.org/
procmail(_at_)lists(_dot_)RWTH-Aachen(_dot_)DE
http://MailMan.RWTH-Aachen.DE/mailman/listinfo/procmail
