On Wed, Nov 16, 2005 at 12:31:58PM +0000, Declan Moriarty wrote:

> The numbers are 1. Internal IP 2. Modem's hostname 3. Reverse lookup,
> as I understand it, and that one is lifted from a legitimate mail.

Correct, sort of. Technically, #2 is what the SMTP server detects from the
packet (which in all normal cases is what the modem puts into the packet).

> 2 & 3 'bell out', but 1 doesn't. There's such a variety on the
> bracketing that it's nearly impossible for regexes to clarify what's
> going on.

Which is why it is the job of the mail server to determine whether the HELO
passes or doesn't. Let SA worry only about the actual reverse DNS hostname to
determine if it passed through an open relay.

> Archaic, you're out there on linuxfromscratch.org which can bounce mail
> and send mail directly. I'm on a bb modem like most folks and have to
> relay through my isp, and only get through because I'm in their network
> range.

First, you should not assume that this is my only email. I have several,
including the standard ISP email sent via mutt through their servers and
popped via fetchmail just like anyone else. If your ISP does not allow for
out-of-network authentication, then it is a serious limitation.

> I _do_not_receive_ at smtp level. It's pop3. SA is therefore a
> must for the likes of me, who doesn't want to look at spam.

I never advocated removing SA. I advocated doing what you can to avoid it via
checks at the SMTP level. Much more efficient. You mentioned postfix so I
replied likewise. Your whole email focused on mail servers, so why suddenly
change focus to your ISP setup? The details were for information to anyone who
needs it, but for you, who uses his ISP email, it can serve to enlighten as to
why those headers are not to be tagged as spam. Those headers can be perfectly
legitimate and as such are not a good mark of a spammer. There are plenty of
other marks to detect spam.

> My point was simply that if you are on the isp's network allocation, and
> send mail from mysillydomain.com, SA down the line gets suspicious, and
> rightly so IMHO. I wasn't particularly complaining about outlook - I'm
> not that much OT!
Unless the ISP strips that header, non-RFC-compliant, non-FQDN HELOs are going
to be there. Postfix had an option to reject such HELOs. After enquiring about
it on the postfix list and trying it out for a while myself, I found that it
was not a battle worth fighting. Legitimate email often has illegitimate
(RFC-wise) headers. Your OP was for people to change their setup. My point is
that you should remove some tests, or at least give them very little scoring
weight, and just deal with it. This is the essence of the cat and mouse game
called spam detection. As you've seen, pattern detection is not easy. The
trick is to decide which tests you need and to adjust the weight of their
scores accordingly.

> It appears that some of the spam lying around has been sent by
> telnetting or SSHing into some weak server, and then simply directing
> it to the weak server's mail port, which suddenly finds itself holding a
> mail 'from itself'. So the received lines look good from a certain
> point, and the only clue is the earlier sections.

I have postfix set up to not allow HELOs that claim to be the server itself. ;)

BTW, telnet is a wonderful tool for testing a mail server. It doesn't actually
let you do anything that a mail client wouldn't do, it just lets you play
around with the order and the options a bit.

--
Archaic

Want control, education, and security from your operating system?
Hardened Linux From Scratch
http://www.linuxfromscratch.org/hlfs

--
http://linuxfromscratch.org/mailman/listinfo/blfs-support
FAQ: http://www.linuxfromscratch.org/blfs/faq.html
Unsubscribe: See the above information page
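Added example (not Archaic's own configuration, and not quoted from the thread): a Postfix HELO policy in the spirit of the two points above, rejecting a HELO that names the receiving server itself while leaving the strict non-FQDN check switched off. The hostname mail.example.com and address 192.0.2.10 are placeholders for the server's own name and IP and must be replaced; the map file path /etc/postfix/helo_access is an assumed location. The lookup table lives in a separate file, shown after the main.cf fragment.

```conf
# ---- /etc/postfix/main.cf (fragment) ----
# Require a HELO/EHLO before MAIL FROM so the restrictions below always
# have something to examine.
smtpd_helo_required = yes

# Order matters: our own networks are trusted first, then the HELO name is
# checked against the access map (rejects a client claiming to be us), then
# syntactically invalid names are refused. reject_non_fqdn_helo_hostname
# is deliberately left out, matching the finding above that rejecting
# non-FQDN HELOs breaks too much legitimate mail; add it only if your mail
# flow tolerates it.
smtpd_helo_restrictions =
    permit_mynetworks,
    check_helo_access hash:/etc/postfix/helo_access,
    reject_invalid_helo_hostname,
    permit

# ---- /etc/postfix/helo_access ----
# A remote client never legitimately introduces itself with this server's
# own name, its own address, or localhost. The address entries cover the
# address-literal form of HELO ([192.0.2.10]). Placeholder values.
mail.example.com    REJECT HELO name claims to be this server
192.0.2.10          REJECT HELO name claims to be this server
localhost           REJECT HELO name claims to be this server
127.0.0.1           REJECT HELO name claims to be this server
```

After editing the map run `postmap /etc/postfix/helo_access` and `postfix reload`. Rejections are logged by smtpd with the HELO string and client address, which is also what you would verify by hand with a telnet session to port 25, as the post suggests.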