[EMAIL PROTECTED] said:
> On Tue, 17 May 2005, Matt Fretwell wrote:
>> > True, but it could HELO with its hostname and then it would match
>> > connecting back to check its 220 string.  Even if it's a sending
>> > server, it should listen on 25 to verify that it is a mail server, even
>> > if it doesn't accept mail.  If it doesn't listen on 25 (or isn't
>> > accessible) then it is a client and should be using some type of
>> > SMTP-AUTH with the server to relay through it, or to one of its
>> > recipients.  IMO, if you send a lot of mail, you should listen on port
>> > 25, even if you don't accept mail.
>>
>>
>> By that theory, we should ban most large providers and mailing lists.
>> There is a countless number of companies that allow outgoing connections
>> only from their servers. That theory is vastly flawed and will not work.
>> Period. Also, any sending server is a client, irrespective of whether it
>> works in client and server mode. The connecting machine is *always* a
>> client.
>
> What I am saying is that if you can't do some type of verification,
> whether it is connect-back (remember the old dialup
> callback-verification system?) to the sending server or SPF or some other
> type of authentication mechanism, then you can't trust the sender.  Really,
> even SPF isn't great because DNS can be spoofed.

It is impossible to get verification this way. All you have that you can
depend on (and only just barely) is the IP of the source. The HELO
greeting and MAIL FROM: can be, and frequently are, faked or from virtual
hosts. Even if the info is true there is still no way for you to guarantee
it. Spammers buy throw-away domain names by the thousands, you know. There
is no reason a host needs to identify itself using the name in its DNS PTR
records. There is no reason a sending host needs an MX record. If I have
30 hosts behind a BigIP box you're going to see one IP regardless of which
host is connected to you. I may have dozens of hosts that resolve to a
single IP, and hosts that resolve to dozens of IPs.

The closest thing you have is SPF and it's barely implemented and
voluntary. Sure glad it's been a quiet day :-)

dp
_______________________________________________
http://lurker.clamav.net/list/clamav-users.html
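The checks the thread argues over (HELO name agreeing with the connecting IP and its PTR record, the sender domain having an MX, and an SPF lookup) can be tried side by side on made-up zone data to see which ones a legitimate bulk sender without an MX fails and which ones a forged HELO fails. This is an added example written for this page, not code from the thread or from ClamAV; the DNS table, IP addresses and domain names are constructed, and the SPF evaluator only understands the `ip4`, `a`, `mx` and `all` mechanisms, not the full RFC 7208 syntax.

```python
"""Toy evaluation of the sender checks discussed in the thread, run against a
constructed DNS table so it works offline.  All zone data below is made up."""
import ipaddress

# Constructed DNS data (hypothetical zones): forward A records, reverse PTR
# records, MX hosts per domain and SPF TXT records per domain.
DNS = {
    "A": {
        "mail.example.net": ["192.0.2.10"],
        "mx.example.net": ["192.0.2.20"],
        "outbound.bulksender.example": ["198.51.100.5"],
    },
    "PTR": {
        "192.0.2.10": "mail.example.net",
        "198.51.100.5": "outbound.bulksender.example",
    },
    "MX": {"example.net": ["mx.example.net"]},   # bulksender.example has no MX
    "TXT": {
        "example.net": "v=spf1 ip4:192.0.2.0/24 mx -all",
        "bulksender.example": "v=spf1 a:outbound.bulksender.example ~all",
    },
}


def helo_forward_confirmed(ip, helo):
    """The HELO name resolves (A record) to the IP that is connecting."""
    return ip in DNS["A"].get(helo, [])


def ptr_matches_helo(ip, helo):
    """The connecting IP's PTR record names the HELO host."""
    return DNS["PTR"].get(ip) == helo


def has_mx(domain):
    """The MAIL FROM domain publishes at least one MX host."""
    return bool(DNS["MX"].get(domain))


def spf_check(ip, domain):
    """Minimal SPF: walk the record's terms left to right and return the
    result of the first matching mechanism ("none" when no record exists)."""
    record = DNS["TXT"].get(domain)
    if not record or not record.startswith("v=spf1"):
        return "none"
    addr = ipaddress.ip_address(ip)
    results = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        mechanism, _, argument = term.partition(":")
        target = argument or domain
        if mechanism == "ip4":
            matched = addr in ipaddress.ip_network(argument, strict=False)
        elif mechanism == "a":
            matched = ip in DNS["A"].get(target, [])
        elif mechanism == "mx":
            matched = any(ip in DNS["A"].get(mx, []) for mx in DNS["MX"].get(target, []))
        elif mechanism == "all":
            matched = True
        else:
            matched = False   # unsupported mechanism: ignored in this toy
        if matched:
            return results[qualifier]
    return "neutral"


def evaluate_sender(ip, helo, mail_from_domain):
    """Collect the signals the thread discusses for one SMTP connection."""
    return {
        "helo_fcrdns": helo_forward_confirmed(ip, helo) and ptr_matches_helo(ip, helo),
        "sender_has_mx": has_mx(mail_from_domain),
        "spf": spf_check(ip, mail_from_domain),
    }


if __name__ == "__main__":
    # A normal mail server, a bulk sender that accepts no mail, and a forged HELO.
    for args in [("192.0.2.10", "mail.example.net", "example.net"),
                 ("198.51.100.5", "outbound.bulksender.example", "bulksender.example"),
                 ("203.0.113.7", "mail.example.net", "example.net")]:
        print(args, evaluate_sender(*args))
```

The second case is the sender dp describes: its HELO and PTR agree and SPF passes, yet it has no MX, so a "must have an MX" rule would reject it; the third case is a forged HELO from an unlisted IP, which FCrDNS and SPF both catch while the MX check says nothing about it.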
