Hi,
On Thu, 1 Jul 2004, Patrick Kaell wrote:
> Eric Dondelinger wrote:
> > I've got LuxDSL. I constantly send mail from here with other
> > domains than pt.lu. mailsvr.pt.lu relays it for me - as I'm
> > on the P&T network. As you know about SMTP servers, I'll just
> > say "smarthost".
>
> Now, mail coming from mailsvr.pt.lu does not need to be from a @pt.lu
> address, right? It can be @sex.com and so on?

That's about the idea. I actually use it for @linux.lu, @vis.ethz.ch.
I sure don't use it for my @pt.lu, which is a spam-only account.

> Until now it was enough to block dialup address ranges in a Black
> List. Now it is necessary to add mailsvr.pt.lu to the Black List, to
> be protected?

Of course not. It relays mail coming from P&T networks, and it
will accept mail for @pt.lu accounts. That's it. That's what
it's supposed to do.

If it accepted to relay mail from anybody to anybody else, then
it would be an open relay, and would merit a blacklist entry.
But that's not what it does.

> A worm on your PC can send a mail to anybody using anybody's mail
> address using mailsvr.pt.lu.

I don't know any worm that will look up your outgoing mail server
settings and send itself out via that machine. I'll be happy to
learn about such worms.

> And the worm does not need to be ultrasmart to find the hostname
> mailsvr.pt.lu in the config files of your mail client.

I agree it would probably be trivial to implement, I've just not
seen it anywhere.

> Of course!
>
> > You're on his network, he knows who you are - the
>
> They do not know that the mail address you are using is yours. Only
> the mail provider does know this.

That's true. P&T does not know I have an account @linux.lu, they
don't know I have one with @vis.ethz.ch, or some @gmx.net.

They still know who connected when, got which IP address, sent
mail via their server - if they receive complaints, their client
will get his/her head washed.

> > moment you're dialing in! If you abuse the service, bye bye
> > your account, and chances are you'll hear from the ISP's lawyers
> > or at least from their billing service.
>
> For this you don't need to block port 25. Logging would be sufficient.

You'd have to do quite some logging to be able to differentiate
whether the traffic were legitimate or not. Certainly enough to
make any "Datenschuetzer" cringe.

> You will take away the account of everybody who is infected and who
> sends nonsense through mailsvr.pt.lu?

Those would get warned to clean up their mess. Repeat offenders
cut off until the mess is actually cleaned.

Spammers would get a harsher treatment.

I still have to say that I've rarely seen Luxembourgish spam - half
a dozen or so in several years. There was one quite evil one among
those, which claimed to have a ministerial ok... the ministry didn't
appreciate, and took appropriate measures.

> At least if the worm would send directly through port 25 to the
> recipient's mail server, the recipient could block it by finding the
> dialup IP address in the Black List!!!

That's what's being done now, via DULs.

> > There is no security in checking To: and From: fields (i.e. the
> > mail's body). There's not even much point in checking the
> > envelope From:. That's for the case of users *on the ISP's network*.
>
> Sure. My provider's mail servers only accept mails from addresses
> which exist on their server.

You're now talking *receiving* mails I assume. I was only talking
about *sending*. Two different pairs of shoes.

If really you're talking about sending - how would you want to
implement that on mailservers relaying for a number of different
organizations, with no chance of ever getting access to the
complete user database?

> And they are on a white list and can be trusted, which definitely
> can't be said for mailsvr.pt.lu anymore!

mailsvr.pt.lu does know (AFAIK) the users having @pt.lu addresses
(maybe others, I don't know). I'm quite sure it won't accept
mails coming from the outside if it's not defined as the MX for
the target domain. If it did, it would be an open relay.

> > > Why on earth do you think that *every* mail provider (GMX, Web.de,
> > > Puretec, ...) offer an SMTP service????
> >
> > Maybe so that spammers can easily open up an account, use it
> > for a spam run, and forget it afterwards? It's not like GMX,
> > web.de & Co do a thorough job of verifying the data you provide
> > them when opening up an account...
> >
> > Using a company mailserver that way would make more sense.
>
> No, spammers do not do this. They definitely do not use @gmx.net, etc.
> sender addresses. The addresses are almost always faked, only the DNS
> part exists. Spammers nowadays use infected PCs to send mails directly
> to the recipient.

Correct, so far. Zombies make up 80% of spam (at least until
before the Comcast story). Most of the remaining goes via open
relays, maybe some formmail scripts etc.

> If I understand you correctly, their infected PCs will use
> mailsvr.pt.lu in the future if they have infected a PT customer,
> right? (just as an example, they *will* find the hostname in the mail
> client's config files, be it mailsvr.pt.lu or something else).

In the future maybe. Not at this point, AFAIK.

Also, if the server implements AV software, a worm spreading
via mail would be simple to stop at that point (minus AV update
delay).

> > Indeed, authenticated SMTP can help there - it would be a grave
> > mistake for such a setup to accept plain SMTP (open relay, as it
> > would be trivial to fake the domain part).
> >
> > I still don't see a point in going to an external service -
> > unless your ISP's mail server is extremely unreliable, which
> > would be a reason to find another ISP.
>
> To protect Black List protected mail servers against you (see above).

I'm not sure I understand what you're saying here.

> > Still, normal procedure is to use the ISP's mailserver for
> > outgoing mail, and access the mail provider's server through
> > POP3/IMAP/whatever to retrieve your mail.
>
> This is rather unconventional. Never heard this!

Say what? I've seldom seen it any other way.

> > I know perfectly well. And every normally set up mail client
> > sends its mail through the ISP's mailserver. Using other mail
> > servers, even through smtp-auth, is not usual.
>
> No, see above.

Hmm. NACK.

> I have 5 years' experience with mail servers, know the SMTP protocol,
> the sendmail.cf file and already have worked for an ISP!!!
>
> I have patched (yes I am a C programmer) gnu-pop3d to implement SMTP
> after POP3 with sendmail for our customers. Nobody used the SMTP
> service of the dialup provider. This was 2000-2001. So I know the
> scene.

If you know the scene, I'm *really* surprised you haven't seen
that kind of setup.
I propose continuing the discussion around a beer keg. It'll be
more fun, and simpler to avoid misunderstandings.
Greets Eric
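The smarthost-versus-open-relay distinction argued over above (relay for your own network or authenticated users, accept inbound mail only for domains you are MX for, and let receiving sites block dialup ranges via a DUL) can be written down as a small policy model. This is an added example, not code from either poster or from P&T; the networks, domains and dialup ranges in it are constructed placeholders, not real configuration.

```python
"""Relay-decision model for a closed ISP smarthost versus an open relay.
Constructed example: networks, domains and DUL ranges below are made up
(RFC 5737 documentation prefixes), not any real provider's configuration."""
import ipaddress
from dataclasses import dataclass

# Hypothetical ISP: its customer address ranges and the domains it is MX for.
ISP_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]
LOCAL_DOMAINS = {"example-isp.lu"}
# Constructed dialup-user list (DUL): ranges a receiving site refuses mail from.
DUL_RANGES = [ipaddress.ip_network("198.51.100.0/25")]


@dataclass
class Envelope:
    """What the relay actually sees at RCPT time."""
    client_ip: str          # connecting host
    rcpt_domain: str        # domain part of RCPT TO
    mail_from_domain: str   # domain part of MAIL FROM (not trusted, see below)
    authenticated: bool = False  # SMTP-AUTH succeeded


def relay_decision(env: Envelope, closed: bool = True) -> str:
    """Return 'local', 'relay' or 'reject'.

    closed=True is the smarthost policy from the thread; closed=False is the
    open-relay behaviour that would earn the host a blacklist entry.
    The envelope sender domain is deliberately never consulted: a customer may
    legitimately send as @linux.lu, and an outsider can forge any domain."""
    ip = ipaddress.ip_address(env.client_ip)
    if env.rcpt_domain.lower() in LOCAL_DOMAINS:
        return "local"      # inbound mail for our own domain, from anyone
    if not closed:
        return "relay"      # open relay: anybody to anybody
    on_net = any(ip in net for net in ISP_NETWORKS)
    if on_net or env.authenticated:
        return "relay"      # own customers (by network or SMTP-AUTH) only
    return "reject"


def dul_listed(client_ip: str) -> bool:
    """Receiving-side check: a dialup host delivering directly on port 25
    is caught here, which is exactly what a smarthost path bypasses."""
    ip = ipaddress.ip_address(client_ip)
    return any(ip in net for net in DUL_RANGES)
```

Run the two functions side by side on the same client address to see why a DUL catches direct-to-MX delivery from an infected dialup PC but says nothing about mail that left through the ISP's relay.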