Re: [courier-users] breaking smtp
On Nov 5, 2007 7:09 AM, Bernd Wurst <[EMAIL PROTECTED]> wrote:
> Hi.
>
> On Monday, 5 November 2007, Alessandro Vesely wrote:
> > > SPF is fairly effective at what it was designed to do.

When it matures to a level where it has widespread adoption, then we can all move from standalone to rejection based on SPF, knowing it is a protocol which will deliver what it promises.

> SPF standalone doesn't really help anything.

Yes it does. It helps the protocol mature through adoption. If everyone takes the "chicken and egg" approach it will never mature. It costs you nothing to put in place; put it in place, and when it matures you'll reap the huge benefit. Sit and whine that it offers no immediate benefit, and we all lose out.

Lisa.

-
This SF.net email is sponsored by: Splunk Inc.
Still grepping through log files to find problems? Stop.
Now Search log events and configuration files using AJAX and a browser.
Download your FREE copy of Splunk now >> http://get.splunk.com/
___
courier-users mailing list
courier-users@lists.sourceforge.net
Unsubscribe: https://lists.sourceforge.net/lists/listinfo/courier-users
Re: [courier-users] breaking smtp
Hi.

On Monday, 5 November 2007, Alessandro Vesely wrote:
> > SPF is fairly effective at what it was designed to do.
>
> I'm not sure what you mean by "fairly". It is not effective.
> It was designed to be widely adopted and it is not.

SPF can only get spread if the forwarding problem gets solved. SRS is a proposal for this but is not that widely accepted (see, Courier doesn't support it because Sam calls it broken, IIRC). So if one enforces SPF (or rejects messages with failed SPF checks), he relies on everyone else implementing SRS (or something similar), or breaks regular forwarding to his host.

SPF standalone doesn't really help anything.

cu, Bernd

--
Technical terms of computer science (#095): PGP keysigning party
A cult-like get-together with communal muttering of magic numbers. (Gert Döring)
Re: [courier-users] breaking smtp
Gordon Messmer wrote:
> Gordan Bobic wrote:
> > And at the end of the day, SPF just isn't all that effective anyway.
> > When you can reduce your spam influx by 2-3 orders of magnitude using
> > more sensible and cheaper methods, what is the point of bothering with
> > more questionable methods?
>
> Inferring that you view SPF as an ineffective anti-spam technique, I'll
> agree. SPF is not an effective anti-spam technique. It doesn't try to
> be. It's an email authentication system.
>
> SPF is fairly effective at what it was designed to do.

I'm not sure what you mean by "fairly". It is not effective. It was designed to be widely adopted and it is not. By contrast, if greylisting were widely adopted, spammers would be forced to catch up and much of its effectiveness would be lost.

SPF has been sentenced to 2 years in limbo after MARID/IETF, so perhaps we'll talk about it again in spring 2008. IMHO, the day it becomes an official protocol, organizations may be held responsible for helping phishers by not setting up adequate SPF policies. That may boost its diffusion and hence its effectiveness.
Re: [courier-users] breaking smtp, smart host spam
Arturo 'Buanzo' Busleiman wrote:
> > I'd start looking now if I were you. This has been coming for a while.
>
> I agree.

Don't worry about me ;-) Port 25 is blocked from my LAN to the net... Content filtering is performed for EVERY mail that goes through RBLs & SPF. Even outgoing mails are scanned. I confirm that RBL / SPF are a quick way to drop a lot of junk... For the few other mails, I accept consuming some resources to analyse them with SpamAssassin.

It's a little bit frustrating when you want to send a mail to an abuse address about spam, anyway :-)

Have a nice night ;-)
Re: [courier-users] breaking smtp
Gordan Bobic wrote:
> And at the end of the day, SPF just isn't all that effective anyway.
> When you can reduce your spam influx by 2-3 orders of magnitude using
> more sensible and cheaper methods, what is the point of bothering with
> more questionable methods?

Inferring that you view SPF as an ineffective anti-spam technique, I'll agree. SPF is not an effective anti-spam technique. It doesn't try to be. It's an email authentication system.

SPF is fairly effective at what it was designed to do.
Re: [courier-users] breaking smtp, smart host spam
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Gordan Bobic wrote:
> Not any more. The number of spamming zombies that spam via the smart
> host is on the increase - and if the zombie is smart enough to use the
> smart host, it's safe to assume that it's also smart enough to use the
> authentication.

Oh, that's why you have TLS, or non-cleartext-based authentication methods. But if you have intelligent enough software that owned one of your client computers and can steal / hijack authenticated sessions, then you have another problem, too: infection :P

> If malware knows how to read your mail reader config and retrieve the
> smart host, and then forges the envelope to the same domain as your
> email address, that in one fell swoop kills all RFC compliance based
> filtering (nolisting, unlisting, greylisting) and IP based blacklisting.

Sure. That's why there are system administrators that have to proactively and reactively check their networks :) - That's called working. There is no foolproof methodology. Regarding SPAM, we are trying to protect against INCOMING email INTO our network, not OUTGOING email OUT of our network. This last thing is called ABUSE, which has nothing to do with standard anti-spam procedures.

> Then we'll be stuck with content-based filtering alone again, which is a
> bit too questionable a method for my liking at the moment.

I don't like content scanning either, and don't run it. SPF, greylisting and DNSBL are more than enough. Thunderbird takes care of statistical spam flagging (on the client, of course).

> I'd start looking now if I were you. This has been coming for a while.

I agree.

- --
Arturo "Buanzo" Busleiman - Independent Information Security Consultant
Services offered: http://www.buanzo.com.ar/pro/
Join the GNU/Buanzo Forums - the word Community in its fullest expression.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFHLcf4AlpOsGhXcE0RCjm2AJ46x8yKwhVBcaSdBTMa1Ehx6qPo1QCfXgxW
FGle880xdxjG9jWOsEfL2hk=
=Sh+U
-----END PGP SIGNATURE-----
Re: [courier-users] breaking smtp
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Gordan Bobic wrote:
> You can't just come up with things that break SMTP unless it's
> sufficiently backwards compatible to not break existing setups.

Ehmmm... a receiving server does not do anything about an incoming email when the From: domain has no SPF records. That sounds a hell of a lot like backwards compatibility to me.

- --
Arturo "Buanzo" Busleiman - Independent Information Security Consultant
Services offered: http://www.buanzo.com.ar/pro/
Join the GNU/Buanzo Forums - the word Community in its fullest expression.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFHLcYfAlpOsGhXcE0RCi0EAJ0eNoeXz7z6b/Ca96Bz+MrcYcQ66ACfTjtz
lrxmL6SCO2oI//cAKBvRRxw=
=VB5h
-----END PGP SIGNATURE-----
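Two points from this thread are easier to see in code: Bernd's forwarding problem (a message relayed with its envelope untouched fails the original domain's SPF policy unless the forwarder rewrites MAIL FROM with SRS), and Arturo's observation that a domain publishing no SPF record yields the result "none", so the receiver treats the mail exactly as it did before SPF existed. The following is an added example written for this page; it is not Courier's code, not Bernd's or Arturo's, and not a full RFC 4408 implementation. DNS is a constructed in-memory table, all domains and IPs are hypothetical documentation values, and the SRS hash is a truncated HMAC with a placeholder timestamp rather than the exact SRS encoding.

```python
"""Toy SPF evaluator plus a simplified SRS rewrite (added example, not Courier
code). DNS is a constructed in-memory table; all domains/IPs are documentation
values; the SRS hash is a truncated HMAC and the timestamp a placeholder."""
import hashlib
import hmac
import ipaddress

# Constructed TXT records for hypothetical domains. "legacy.example" has none.
DNS_TXT = {
    "sender.example": "v=spf1 ip4:192.0.2.10 -all",
    "forwarder.example": "v=spf1 ip4:198.51.100.20 ~all",
    "bigmail.example": "v=spf1 ip4:203.0.113.0/24 include:forwarder.example -all",
}

QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup_spf(domain):
    """Return the domain's SPF record, or None if it publishes none."""
    record = DNS_TXT.get(domain)
    return record if record and record.startswith("v=spf1") else None


def check_spf(ip, domain, depth=0):
    """Evaluate the connecting IP against domain's policy (ip4/include/all only).
    Result names follow RFC 4408: none, pass, fail, softfail, neutral, permerror."""
    if depth > 10:
        return "permerror"
    record = lookup_spf(domain)
    if record is None:
        return "none"  # no policy: receiver behaves exactly as it did before SPF
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIER_RESULT:
            qualifier, term = term[0], term[1:]
        if term == "all":
            matched = True
        elif term.startswith("ip4:"):
            matched = addr in ipaddress.ip_network(term[4:], strict=False)
        elif term.startswith("include:"):
            matched = check_spf(ip, term[len("include:"):], depth + 1) == "pass"
        else:
            return "permerror"  # mechanism not handled by this toy
        if matched:
            return QUALIFIER_RESULT[qualifier]
    return "neutral"  # no mechanism matched and no explicit "all"


SRS_SECRET = b"constructed-demo-secret"  # per-forwarder secret, constructed here


def _srs_hash(timestamp, orig_domain, orig_local):
    msg = f"{timestamp}{orig_domain}{orig_local}".lower().encode()
    return hmac.new(SRS_SECRET, msg, hashlib.sha1).hexdigest()[:4].upper()


def srs_forward(envelope_from, forwarder_domain, timestamp="TT"):
    """Rewrite MAIL FROM so the envelope domain belongs to the forwarder.
    Real SRS encodes a base32 timestamp; "TT" is a constructed placeholder."""
    orig_local, _, orig_domain = envelope_from.partition("@")
    mac = _srs_hash(timestamp, orig_domain, orig_local)
    return f"SRS0={mac}={timestamp}={orig_domain}={orig_local}@{forwarder_domain}"


def srs_reverse(srs_address):
    """Recover the original sender if the hash verifies; None for forgeries,
    so a forwarder only relays bounces for rewrites it made itself."""
    parts = srs_address.partition("@")[0].split("=")
    if len(parts) != 5 or parts[0] != "SRS0":
        return None
    _, mac, timestamp, orig_domain, orig_local = parts
    if not hmac.compare_digest(mac, _srs_hash(timestamp, orig_domain, orig_local)):
        return None
    return f"{orig_local}@{orig_domain}"


def envelope_domain(envelope_from):
    return envelope_from.rpartition("@")[2]


def scenarios():
    """SPF result the final receiver sees in the four cases from the thread."""
    original = "alice@sender.example"
    rewritten = srs_forward(original, "forwarder.example")
    return {
        # domain publishes nothing -> "none": mail treated as it always was
        "no_record": check_spf("192.0.2.10", "legacy.example"),
        # sender.example's own MTA delivers directly -> pass
        "direct": check_spf("192.0.2.10", envelope_domain(original)),
        # forwarder relays with the envelope untouched -> fail (forwarding problem)
        "forwarded_plain": check_spf("198.51.100.20", envelope_domain(original)),
        # forwarder rewrites MAIL FROM with SRS -> pass under its own policy
        "forwarded_srs": check_spf("198.51.100.20", envelope_domain(rewritten)),
    }


if __name__ == "__main__":
    for name, result in scenarios().items():
        print(f"{name:16s} {result}")
```

The "forwarded_plain" case is the one a receiver that rejects on SPF fail would bounce, even though the mail is legitimate; the SRS rewrite moves responsibility for the envelope to the forwarder, whose own policy then passes, and the hash in `srs_reverse` is what stops the forwarder from becoming an open bounce relay for addresses it never rewrote.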
Re: [courier-users] breaking smtp, smart host spam
Jérôme Blion wrote:
> > Personally, I think transparency is a negative in this situation, since
> > valid users of your network have nothing to indicate that they can't
> > reach the mail servers that they are supposed to use, or why that would
> > be the case.
>
> When allowing all computers to send mails directly, when a virus is
> spreading on the network, I wouldn't imagine the load of the entire system.
> Viruses don't try to use the mail user agent and so, the configuration
> of it is not retrieved yet... They directly send mails.

Not any more. The number of spamming zombies that spam via the smart host is on the increase - and if the zombie is smart enough to use the smart host, it's safe to assume that it's also smart enough to use the authentication. It's going to be the next big pain in the backside to deal with. Most of the existing anti-spam methods will be ineffective against it.

If malware knows how to read your mail reader config and retrieve the smart host, and then forges the envelope to the same domain as your email address, that in one fell swoop kills all RFC compliance based filtering (nolisting, unlisting, greylisting) and IP based blacklisting. It won't outright break whitelisting, but the only servers/networks that remain whitelisted are likely to be the ones that stamp out the malware before it gets out into the wild (e.g. through use of transparent proxy filters). Then we'll be stuck with content-based filtering alone again, which is a bit too questionable a method for my liking at the moment.

> So, for now, a simple firewall is needed. All mailservers can be
> configured to be smarthosts. All clients should use a valid SMTP server
> (through VPN or not)
>
> To catch all zombies, just configure your firewall to log what you need.
> A batch could process logs and give you all you need to clean your network.
>
> When zombie computers behave like normal computers, we will look
> for other ways to block them.

I'd start looking now if I were you. This has been coming for a while.

Gordan
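Gordan's message above groups greylisting with nolisting and unlisting as "RFC compliance based filtering": it admits whatever retries the way a real MTA is required to, and so cannot distinguish a message the site's own smart host is retrying from any other queued mail. The following minimal greylist is an added example written for this page, not Courier's greylisting code; it keys on the (client IP, MAIL FROM, RCPT TO) triplet, defers the first attempt, and accepts a retry after `MIN_DELAY`. The delay, TTL, IPs and domains are constructed values.

```python
"""Minimal greylisting policy run over a constructed sequence of delivery
attempts (added example; this is not Courier's own greylisting code).
A triplet (client IP, MAIL FROM, RCPT TO) is deferred on first sight and
accepted once the client retries after MIN_DELAY, which a compliant MTA does."""

MIN_DELAY = 300          # seconds before a retry of a known triplet is accepted
TRIPLET_TTL = 4 * 3600   # a triplet that is never retried is forgotten after this

DEFER = "451 4.7.1 greylisted, please retry later"
ACCEPT = "250 2.1.5 ok"


class Greylist:
    def __init__(self):
        self.first_seen = {}   # triplet -> time of first attempt

    def decide(self, client_ip, mail_from, rcpt_to, now):
        """Return the SMTP reply for this attempt and record the triplet."""
        key = (client_ip, mail_from.lower(), rcpt_to.lower())
        seen = self.first_seen.get(key)
        if seen is None or now - seen > TRIPLET_TTL:
            self.first_seen[key] = now   # (re)start the clock for this triplet
            return DEFER
        if now - seen < MIN_DELAY:
            return DEFER                 # retried too early, keep deferring
        return ACCEPT


def run(attempts):
    """Feed (time, ip, mail_from, rcpt_to) attempts in order; return each reply."""
    greylist = Greylist()
    return [greylist.decide(ip, sender, rcpt, now) for now, ip, sender, rcpt in attempts]


# Constructed attempts in time order (documentation IPs, hypothetical domains):
#  - 192.0.2.10 is a compliant MTA: retries after ten minutes, accepted second time;
#  - 203.0.113.9 changes MAIL FROM on every attempt, so each is a new triplet and
#    nothing is ever accepted (the behaviour greylisting is built to stop);
#  - 198.51.100.20 is a smart host: whatever it was handed sits in its queue and is
#    retried like any other message, so it passes, which is the limitation Gordan
#    describes once malware submits through the site's own smart host.
ATTEMPTS = [
    (0,   "192.0.2.10",    "alice@sender.example", "bob@ours.example"),
    (5,   "203.0.113.9",   "x1@junk.example",      "bob@ours.example"),
    (7,   "203.0.113.9",   "x2@junk.example",      "bob@ours.example"),
    (20,  "198.51.100.20", "carol@isp.example",    "bob@ours.example"),
    (30,  "198.51.100.20", "carol@isp.example",    "bob@ours.example"),
    (600, "192.0.2.10",    "alice@sender.example", "bob@ours.example"),
    (920, "198.51.100.20", "carol@isp.example",    "bob@ours.example"),
]


def demo():
    """Replies for ATTEMPTS, in order."""
    return run(ATTEMPTS)


if __name__ == "__main__":
    for attempt, reply in zip(ATTEMPTS, demo()):
        print(f"t={attempt[0]:4d} {attempt[1]:14s} {attempt[2]:22s} -> {reply}")
```

The retry at t=30 from the smart host is deferred again because it came back before `MIN_DELAY`; the one at t=920 is accepted. Nothing in the triplet tells the greylist whether the message originally entered the smart host from a legitimate client or not, which is exactly why this class of filter stops helping once the sending side is the site's own authenticated relay.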
Re: [courier-users] breaking smtp
Gordon Messmer wrote:
> I was criticizing you because you asserted that greylisting was broken,
> and then defended the practice of transparently redirecting your users'
> connections. I meant to illustrate that because SMTP is abused such as
> it is, we all break it to make it more sane.
>
> When you said that "one was about breaking mail delivery for perfectly
> valid mail", I assumed that you were talking about greylisting, because
> you appeared to be replying to what I wrote. I disagree that SPF breaks
> valid mail, but that's immaterial to the point that I was making. My
> point was that when you redirect users' connections, it is you that is
> at fault when that mail is considered invalid because the user's SPF
> records indicate that your mail server isn't allowed to send his email.

Sure - but since the number of systems enforcing SPF on the receiving end is thankfully negligible, it's immaterial. Most proponents of SPF seem to wave the flag of pretending to be doing something with it by adding the relevant DNS records, while not enforcing the checking on their inbound servers.

> SPF is incompatible with your configuration, but that doesn't mean that
> SPF is a broken specification.

Are your mail servers actually set up to bounce mail purely based on SPF? If so, is it on a system handling mail for hundreds of thousands of users across hundreds of thousands of domains? Do you have DNS control of all of those domains?

The point is that unless _everybody_ adopts it, and more importantly - enforces it (which won't happen), it's not going to work to a point where it's useful. You can't just come up with things that break SMTP unless it's sufficiently backwards compatible to not break existing setups. It only takes a handful of important users to complain before such measures get disabled by decree from on high. One typical example is using RBLs that yield too many false positives [cough]SpamCop[/cough].

And at the end of the day, SPF just isn't all that effective anyway. When you can reduce your spam influx by 2-3 orders of magnitude using more sensible and cheaper methods, what is the point of bothering with more questionable methods?

Gordan