spf-discuss

Re: HELO Testing

2004-03-12 15:39:44

----- Original Message ----- 
From: "Stuart D. Gathman" <stuart(_at_)bmsi(_dot_)com>
To: <spf-discuss(_at_)v2(_dot_)listbox(_dot_)com>
Sent: Friday, March 12, 2004 4:39 PM
Subject: Re: [spf-discuss] HELO Testing


On Fri, 12 Mar 2004, Marc Alaia wrote:

Sorry if this has been asked before, but there was a ton of stuff on the
list about the new HELO option and I couldn't think of a way to search for
what I'm looking for.

I found that simply rejecting external connections with HELOs matching
my own domain or my own IP address nixes 50% of the worm spam.  You
would think the worms would be smart enough to put something random
in the HELO, but apparently most of them aren't.

Excellent point.   We see ~75% HELO rejections or drops.

We do and see the following:

SMTP Level:  Multi-line Welcome/Greeting lines

We added a system policy display option to our software with our December
26, 2004 beta version.

When we did this, we saw 45-50% of all connections drop after the display!
They seem to be predominately from dynamic IP machines.

At first I thought,

    "Geez, these guys must have got sued by AOL and are now using software
     that looks for this stuff! Great!"

But I agree with others that it is most likely broken bulk spammer software
that doesn't understand multi-line responses.

I am going to soon turn this off so I can analyze their mail transactions.

SMTP Level:  Simple HELO syntax checking

- check for non-bracketed domain literals, i.e.,  HELO 1.2.3.4
- check for bracketed domain literal IP address matching the connect IP
  address

This rejects 20-25%

So just at the HELO, we see an average of 75% rejections.

SMTP level:  MAIL FROM

At MAIL FROM, to lower overhead, we issue a 250 response saying
"Sender validation pending" to see if we even need to do a validation check.

SMTP level: RCPT TO:

Up to this point, 25% of the total connections reach this state.

But we are seeing that ~30% are for unknown local users or real users who do
not have an email address.

Now our validation suite (called wcSAP) begins testing the envelope; this is
started before the response to RCPT is issued.

wcSAP rejects about 52% with a breakdown based on the test method:

10% from internet filter accept/reject rule tables
78% from DNSRBL rejects
1% from LMAP logic (DMP and SPF)
11% from CBV rejections

The RCPT response is sent based on the result.

Of the remaining connections reaching and sending DATA, before the response is
sent, our SMTPFILTER hook is called, which is 100% admin defined.  We are not
in the business of rejecting mail based on content, only compliance.  What is
rejected at DATA is determined by the admin AVS setup.

For our support system, with simple rules looking only for our own staff
related email (we don't offer email accounts any more for support customers),
we rejected about 10%.

The data response code is now sent.

In the end, for our system, I got 1 spam this entire week from the "General
Clark" campaign stuff!   Not bad, not bad at all!

[SOAPBOX ON]

This might suggest, or say something very strong, that maybe what the SMTP
industry needs is a "change" to add enforcement policies to HELO and MAIL
FROM, because that is where the holes are.   The spammers do not want to
comply because it means they will be tracked more easily and/or leave a
trail, which is what CAN-SPAM is all about.

I keep hearing "CAN-SPAM doesn't work"  or hasn't done anything to reduce
spam since being passed on Jan/1.

Well, let's give it a chance!

Of course CAN-SPAM doesn't work!  It can't work simply based on the honor
system, and it won't work if we don't "force" SPAMMERS to comply by
enforcing the now-legal mandates at a technical level.

CAN-SPAM provides 3 perfect mandates:

1) return address validation
2) topic identification.
3) Compliance with IETF standards.

It is a compromise recognizing the right to do email marketing.  However, it
simply says:

    "Don't lie about who you are, and don't lie about the intent of your
message"

And CAN-SPAM also gives the IETF 18 months to make this happen.

So if the IETF does not encourage change to SMTP or provide new enforcement
technologies which augment the current SMTP system, then how can anyone
expect CAN-SPAM or anything else to work?

SPF helps, but it didn't seem to be enough for the IETF to take it really
seriously. Even though I don't like Microsoft's entry with CEP, it did do one
thing: get these IETF guys off their butts and finally get something done!

[SOAPBOX OFF]


-- 
Hector Santos, Santronics Software, Inc.
http://www.santronics.com
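The HELO checks described in the thread (rejecting an external connection whose HELO names our own domain or IP, rejecting a bare unbracketed IP such as "HELO 1.2.3.4", and requiring a bracketed address literal to match the connecting IP) are simple enough to show end to end. The following is an added illustration, not wcSAP or any code from the post; the domain example.com, the IP 192.0.2.10 and the sample HELO/peer pairs are constructed placeholders, and it assumes the caller has already excluded authenticated or relay clients, which legitimately use the server's own names.

```python
"""Constructed HELO/EHLO argument checks (added illustration, not code from
the post or from wcSAP)."""
import ipaddress
import re

# Assumed local identity for the constructed examples (hypothetical values).
OUR_DOMAIN = "example.com"
OUR_IPS = {"192.0.2.10"}

# Minimal FQDN syntax: dotted labels of letters/digits/hyphens, alphabetic TLD.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$"
)


def check_helo(helo, connect_ip, our_domain=OUR_DOMAIN, our_ips=OUR_IPS):
    """Classify a HELO/EHLO argument from an *external* connection.

    Returns (accept, reason). Assumes authenticated/relay clients, which may
    legitimately present our own names, were filtered out by the caller.
    """
    arg = helo.strip()
    peer = ipaddress.ip_address(connect_ip)
    if not arg:
        return False, "empty HELO argument"

    # Bracketed address literal: [198.51.100.7] or [IPv6:2001:db8::1].
    if arg.startswith("[") and arg.endswith("]"):
        literal = arg[1:-1]
        if literal.lower().startswith("ipv6:"):
            literal = literal[5:]
        try:
            lit_ip = ipaddress.ip_address(literal)
        except ValueError:
            return False, "malformed address literal"
        if lit_ip != peer:
            return False, "address literal does not match connecting IP"
        if str(lit_ip) in our_ips:
            return False, "external client claims our own IP"
        return True, "address literal matches connecting IP"

    # A bare IP with no brackets is not valid HELO syntax: the argument must
    # be a domain name or a bracketed address literal.
    try:
        ipaddress.ip_address(arg)
    except ValueError:
        pass
    else:
        return False, "unbracketed IP literal"

    name = arg.lower().rstrip(".")
    # External connection claiming to be us (our domain or a host under it).
    if name == our_domain or name.endswith("." + our_domain):
        return False, "external client claims our own domain"
    if not HOSTNAME_RE.match(name):
        return False, "not a syntactically valid FQDN"
    return True, "ok"


# Constructed (HELO argument, connecting IP) pairs; not real traffic.
SAMPLES = [
    ("1.2.3.4", "1.2.3.4"),
    ("[198.51.100.7]", "198.51.100.7"),
    ("[198.51.100.7]", "203.0.113.5"),
    ("[IPv6:2001:db8::1]", "2001:db8::1"),
    ("example.com", "203.0.113.5"),
    ("relay.example.com", "203.0.113.5"),
    ("localhost", "203.0.113.5"),
    ("mail.example.org", "203.0.113.5"),
]


def run_samples(samples=SAMPLES):
    """Return a list of (helo, connect_ip, accept, reason) for each sample."""
    return [(h, ip) + check_helo(h, ip) for h, ip in samples]


def rejection_rate(samples=SAMPLES):
    """Fraction of the samples rejected at HELO."""
    results = run_samples(samples)
    rejected = sum(1 for _, _, ok, _ in results if not ok)
    return rejected / len(results)


if __name__ == "__main__":
    for helo, ip, ok, why in run_samples():
        verdict = "accept" if ok else "reject"
        print(f"{verdict:6} {helo:22} from {ip:16} {why}")
    print(f"rejected {rejection_rate():.0%} of samples")
```

The order of the checks matters: a bracketed literal is compared against the peer address before anything else, so a client claiming "[192.0.2.10]" from elsewhere is refused for the mismatch rather than for impersonating us. The hostname syntax check is deliberately loose (no DNS lookup), matching the thread's point that these rejections come from syntax alone, before any network cost is spent.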