Re: [spf-discuss] SPF, DKIM, and NIH

2009-10-16 22:16:22
Hector Santos wrote:

Anyway, some clear results of this research that did help mold our anti-spam products are:

   - The majority of the filters are found with EHLO/HELO domain IP
     literal mismatches. If the client issues a bracketed IP
     literal [x.x.x.x] then it is required to match the client
     connection IP.

   - Delay Mail From Validation is VERY efficient with a 60%
     reduction on DNS lookup.  RFC 2821 actually gives you
     a hint to follow this approach: wait for RCPT TO to be
     validated before attempting to validate MAIL FROM.  This
     is shown with the 2003 December delay validation introduction
     in the above web page.

   - 80% of the time 821.MAILFROM = 822.FROM.  This told
     me that Microsoft's PAYLOAD version of SPF (SenderID)
     was wasteful compared to the SMTP level SPF check.

I would like to add that a good amount of the EHLO/HELO filters are based on the fact that many BULK spammers do not follow SMTP multi-line responses.

So by simply adding a multiple "220-" welcome response like a system policy that AOL.COM has:

220-rly-mf03.mx.aol.com ESMTP mail_relay_in-mf03.8; Fri, 16 Oct 2009 22:09:58 -0400
220-America Online (AOL) and its affiliated companies do not
220-     authorize the use of its proprietary computers and computer
220-     networks to accept, transmit, or distribute unsolicited bulk
220-     e-mail sent from the internet.  Effective immediately:  AOL
220-     may no longer accept connections from IP addresses which
220      have no reverse-DNS (PTR record) assigned.

or we offer to operators by default:

220-winserver.com Wildcat! ESMTP Server v6.3.452.9 ready
220-************** WARNING: FOR AUTHORIZED USE ONLY! **********************
220-* THIS SYSTEM DO NOT AUTHORIZE THE USE OF ITS PROPRIETARY COMPUTERS *
220-* AND COMPUTER NETWORKS TO ACCEPT, TRANSMIT, OR DISTRIBUTE UNSOLICITED *
220-* BULK E-MAIL SENT FROM THE INTERNET. THIS SYSTEM WILL RESTRICT ACCESS *
220-* TO CAN-SPAM (US S. 877) COMPLIANT CLIENTS ONLY. *
220 ************************************************************************

This will immediately STOP bulk spammers who are blasting systems and ignoring SMTP continuation lines.

They are waiting for a "220 " (no dash) as the very first line. They don't get it, and either drop away or the server times them out.

So begin with some simple SMTP compliant requirement rules and you will filter a MAJOR percentage of your spam.

Note: It was very rare that a legitimate MAIL USER using a broken client was found, and when that happened, they fixed the situation. In other words:

    Bad guys do not complain or report problems! However,
    Good guys do report issues, and the rare small exceptions
    were quickly addressed one way or another.

--
Hector Santos, CTO
http://www.santronics.com
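The two SMTP-compliance checks the post describes, written up as an added Python example (it is not Hector's code or the Wildcat! server's): an RFC 5321 reply parser that shows why a client reading only the first line of a multi-line 220 greeting never sees the final line, and the HELO/EHLO address-literal check against the connection IP. The greeting text and addresses are constructed samples.

```python
import ipaddress
import re

# Constructed sample: a multi-line 220 greeting of the kind quoted above.
SAMPLE_GREETING = (
    "220-mx.example.net ESMTP ready\r\n"
    "220-This system does not authorize the use of its computers\r\n"
    "220-     to accept or relay unsolicited bulk e-mail.\r\n"
    "220 Proceed\r\n"
)

def parse_smtp_reply(raw):
    """Parse one SMTP reply per RFC 5321 section 4.2: 'NNN-text' lines
    continue the reply, 'NNN text' (or a bare 'NNN') ends it.
    Returns (code, [text of each line]); raises on malformed input."""
    code = None
    texts = []
    for line in raw.splitlines():
        m = re.match(r"^(\d{3})([ -]?)(.*)$", line)
        if not m:
            raise ValueError("malformed reply line: %r" % line)
        if code is None:
            code = int(m.group(1))
        elif int(m.group(1)) != code:
            raise ValueError("reply code changed mid-reply")
        texts.append(m.group(3))
        if m.group(2) != "-":          # no dash: this is the final line
            return code, texts
    raise ValueError("reply not terminated: last line still has '-'")

def naive_client_ready(raw):
    """Model the broken bulk mailer: look only at the first line and treat
    the greeting as complete iff it is '220 ' (space, not dash)."""
    first = raw.splitlines()[0]
    return len(first) >= 4 and first[3] == " "

def helo_ip_literal_matches(helo_arg, client_ip):
    """HELO/EHLO address-literal check. Returns True if the argument is a
    bracketed literal equal to the connecting IP, False if it is a literal
    that does not match (or is unparsable), None if it is a domain name,
    to which this particular check does not apply."""
    m = re.fullmatch(r"\[(?:IPv6:)?([^\]]+)\]", helo_arg.strip(), re.I)
    if not m:
        return None
    try:
        return ipaddress.ip_address(m.group(1)) == ipaddress.ip_address(client_ip)
    except ValueError:
        return False
```

A compliant client calling parse_smtp_reply on the sample receives code 220 and four lines; the naive one sees "220-" and keeps waiting, which is the timeout behaviour the post relies on.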