Re: SPAM Patches recomendations.
On Thu, May 03, 2001 at 10:30:52AM -0500, q question wrote:

> I know the qmail documentation says that the default for qmail is not to
> relay. I need to see proof, not just be told to assume that the
> documentation is correct. As I said above, I'll need time to reflect on
> this.

You only need as much time as it takes to check the qmail log. Does it send mail ANYWHERE (except bounces to the envelope sender) in response to the "tests"? No? Then you're NOT an open relay and the "test" you used doesn't Get It(tm).

> I do appreciate your reply and I realize full well that I may end up
> deciding to ignore the Prodygy relay test failures someday myself.

That "someday" will be the day you check your logs.

--
Jurjen Oskam * http://www.stupendous.org/ for PGP key * Q265230
pro-life bombing bush hacker attack USA president 2600 decss assassinate
nuclear strike terrorism gun control eta military disrupt economy encryption
1:03pm up 12 days, 16:49, 2 users, load average: 0.07, 0.04, 0.01
Re: SPAM Patches recomendations.
Alan Clegg <[EMAIL PROTECTED]> wrote:

> > The particular assumption that Charles didn't explain is that
> > user%host2&host1 or host2|user@host1 will be relayed by host1
> > to user@host2.

> If anyone cares, this used to be completely legal and actually, a very
> useful way of doing things. There were a number of UUCP sites that were
> much quicker to address via:
>
> [EMAIL PROTECTED]
>
> than giving the full ! path to the actual uucp site. This was not "broken",
> it was "operational".

The brokenness comes from a third party looking at the local-part of that address, and deducing that it implies relaying. The most recent SMTP RFC (2821) forbids this in section 2.3.10:

  The standard mailbox naming convention is defined to be
  "local-part@domain": contemporary usage permits a much broader set of
  applications than simple "user names". Consequently, and due to a
  long history of problems when intermediate hosts have attempted to
  optimize transport by modifying them, the local-part MUST be
  interpreted and assigned semantics only by the host specified in the
  domain part of the address.

Prodygy (or whoever it was) was assuming that since a qmail server responded with a 2xx code to

  RCPT TO: <[EMAIL PROTECTED]@baz.net>

that it would relay the mail. That assumption is incorrect, and has always been. The fact that some sites will interpret the local-part of that address and relay it does not mean that all sites which do not respond with a 4xx or 5xx code to that command should be identified as relays.

> I guess those days are gone, however.

So are the days of the 5-cent Coke and the sub-$1000 new car. Doesn't mean I'm wistful about them.

Charles
--
---
Charles Cazabon <[EMAIL PROTECTED]>
GPL'ed software available at: http://www.qcc.sk.ca/~charlesc/software/
Any opinions expressed are just that -- my opinions.
---
Re: SPAM Patches recomendations.
You don't need to look for any bugs to eat! I haven't installed qmail yet, I'm still in the planning stages. I wanted to know how to test for relays and I appreciate your points. Thanks! :)

>From: Greg White <[EMAIL PROTECTED]>
>To: [EMAIL PROTECTED]
>Subject: Re: SPAM Patches recomendations.
>Date: Thu, 3 May 2001 10:41:33 -0700
>
>On Thu, May 03, 2001 at 10:30:52AM -0500, q question wrote:
>SNIP
> > > > 2) How is it so clear that the machine didn't relay mail?
> > >
> > >-these types of questions come up every week on this mailing list
> > >-qmail has _never_ relayed mail unless the administrator specifically
> > >configures it to do so.
> >
> > I know the qmail documentation says that the default for qmail is not to
> > relay. I need to see proof, not just be told to assume that the
> > documentation is correct. As I said above, I'll need time to reflect on
> > this. I appreciate that someone else suggested asking ORBS to do a relay
> > test. However, that doesn't necessarily reassure me that the Prodygy
> > Solutions relay test results should be ignored. I don't know anything
> > specific about the Prodygy relay test "failures" but I don't just ignore
> > something because someone else said to.
>
>'Proof'? If the relay test in question was acceptable, the OP would already
>have proof. A proper relay test involves the _actual receipt of relayed
>mail_. Try your own relay test, if you have addresses at multiple domains
>available, along the exact same lines as the 'tests' performed by
>prodigysolutions[1]. If you don't have another address available, use a
>friend's email account. If you manage to relay third-party mail through a
>qmail server with rcpthosts populated only with domains that you should
>actually deliver for (present in locals or virtualdomains[2]), and a
>properly set RELAYCLIENT environment variable, I will eat a bug on camera,
>and give you links to watch it on the web. :)
>
>[1] I didn't recall seeing recent results for the
>'user@destination@relay' test, so I did them myself. Delivery attempt is
>to local user 'user@destination', which is unlikely to exist and in any
>case is not a relay. The '%' and '!' garbage comes up at least once a
>month, and is known _not_ to be a problem. Check that for yourself as
>well, if you like.
>
>[2] Or, of course, a domain that you're an MX for, but not the
>best-preference MX.
>
> > I do appreciate your reply and I realize full well that I may end up
> > deciding to ignore the Prodygy relay test failures someday myself.
>
>Avoid the rush! Start ignoring them today! 'Tests' which assume that
>they know better than the MTA they are testing how it will deliver mail
>are inherently broken. 'Tests' which do not actually attempt to deliver
>mail anywhere, and do not only count the _actual receipt of mail_ as a
>successful relay (failed test) are inherently broken. As far as I am
>concerned, any 'test' that does not actually attempt delivery should
>immediately be ignored.
>
>SNIP
>
>GW
Re: SPAM Patches recomendations.
>What should convince you to ignore those tests is that they are providing a
>diagnosis ("Relay attempt succeeded") which is patently false (it isn't a
>successful relay unless the mail makes it to the final destination, and they
>aren't even actually sending the mail, just testing the RCPT TO: command).
>
>Charles

Relay test 7
MAIL FROM:([EMAIL PROTECTED]@mail.mydomain.com)
250 ok
RCPT TO:("nobody%prodigysolutions.com")
250 ok (Failed Test)
RSET
250 flushed

Relay test 13
MAIL FROM:([EMAIL PROTECTED]@mail.mydomain.com)
250 ok
RCPT TO:(prodigysolutions.com!nobody)
250 ok (Failed Test)
RSET
250 flushed

I see your point, the "(Failed Test)" occurs immediately after "RCPT TO: ..." "250 ok"

This is why your (and Chris's) explanations about the assumptions are very useful, that the mail could be successfully received either for a local delivery, or for a relay, or perhaps not delivered at all.
Re: SPAM Patches recomendations.
I appreciate your pointing this out.

>From: "Chris Garrigues" <[EMAIL PROTECTED]>
>To: "q question" <[EMAIL PROTECTED]>
>CC: [EMAIL PROTECTED]
>Subject: Re: SPAM Patches recomendations.
>Date: Thu, 03 May 2001 11:24:49 -0500
>
> > From: "q question" <[EMAIL PROTECTED]>
> > Date: Thu, 03 May 2001 10:30:52 -0500
> >
> > >From: Charles Cazabon <[EMAIL PROTECTED]>
> > >To: [EMAIL PROTECTED]
> > >Subject: Re: SPAM Patches recomendations.
> > >Date: Thu, 3 May 2001 09:06:00 -0600
> > >
> > >It's also making some broken assumptions about how certain conventions in
> > >the local-part of an SMTP envelope recipient address translate into
> > >implicit relaying requests -- these conventions are not part of the SMTP
> > >specification, and qmail doesn't use them. The fact that sendmail (or
> > >Domino, or Exchange, or whatever) is broken enough to do so should not
> > >implicate properly implemented SMTP servers.
> >
> > I appreciate your describing this in detail. I'm going to need some time to
> > reflect on these assumptions.
>
>The particular assumption that Charles didn't explain is that
>user%host2&host1 or host2|user@host1 will be relayed by host1 to user@host2.
>
>Certainly software that does this is broken, but it's also perfectly legal
>for first%last@host1 or first!last@host1 to be delivered to an account on
>that machine. To assume that the only reason such an address would be
>accepted is to relay it is totally bogus.
>
>Chris
>
>--
>Chris Garrigues http://www.DeepEddy.Com/~cwg/
>virCIO http://www.virCIO.Com
>4314 Avenue C
>Austin, TX 78751-3709 +1 512 374 0500
>
> My email address is an experiment in SPAM elimination. For an
> explanation of what we're doing, see http://www.DeepEddy.Com/tms.html
>
> Nobody ever got fired for buying Microsoft,
> but they could get fired for relying on Microsoft.
Re: SPAM Patches recomendations.
Unless the network is lying to me again, Chris Garrigues said:

> The particular assumption that Charles didn't explain is that
> user%host2&host1 or host2|user@host1 will be relayed by host1
> to user@host2.
>
> Certainly software that does this is broken,

If anyone cares, this used to be completely legal and actually, a very useful way of doing things. There were a number of UUCP sites that were much quicker to address via:

  [EMAIL PROTECTED]

than giving the full ! path to the actual uucp site. This was not "broken", it was "operational".

I guess those days are gone, however.

Just for fun, does anyone remember the issues surrounding:

  [EMAIL PROTECTED]

Other fun thing that no longer works:

  finger user@somehost@otherhost

AlanC
--
Alan Clegg          I do UNIX and Networks
[EMAIL PROTECTED]   I don't have any certification
                    I have experience
Re: SPAM Patches recomendations.
On Thu, May 03, 2001 at 10:30:52AM -0500, q question wrote:
SNIP
> > > 2) How is it so clear that the machine didn't relay mail?
> >
> >-these types of questions come up every week on this mailing list
> >-qmail has _never_ relayed mail unless the administrator specifically
> >configures it to do so.
>
> I know the qmail documentation says that the default for qmail is not to
> relay. I need to see proof, not just be told to assume that the
> documentation is correct. As I said above, I'll need time to reflect on
> this. I appreciate that someone else suggested asking ORBS to do a relay
> test. However, that doesn't necessarily reassure me that the Prodygy
> Solutions relay test results should be ignored. I don't know anything
> specific about the Prodygy relay test "failures" but I don't just ignore
> something because someone else said to.

'Proof'? If the relay test in question was acceptable, the OP would already have proof. A proper relay test involves the _actual receipt of relayed mail_. Try your own relay test, if you have addresses at multiple domains available, along the exact same lines as the 'tests' performed by prodigysolutions[1]. If you don't have another address available, use a friend's email account. If you manage to relay third-party mail through a qmail server with rcpthosts populated only with domains that you should actually deliver for (present in locals or virtualdomains[2]), and a properly set RELAYCLIENT environment variable, I will eat a bug on camera, and give you links to watch it on the web. :)

[1] I didn't recall seeing recent results for the 'user@destination@relay' test, so I did them myself. Delivery attempt is to local user 'user@destination', which is unlikely to exist and in any case is not a relay. The '%' and '!' garbage comes up at least once a month, and is known _not_ to be a problem. Check that for yourself as well, if you like.

[2] Or, of course, a domain that you're an MX for, but not the best-preference MX.

> I do appreciate your reply and I realize full well that I may end up
> deciding to ignore the Prodygy relay test failures someday myself.

Avoid the rush! Start ignoring them today! 'Tests' which assume that they know better than the MTA they are testing how it will deliver mail are inherently broken. 'Tests' which do not actually attempt to deliver mail anywhere, and do not only count the _actual receipt of mail_ as a successful relay (failed test) are inherently broken. As far as I am concerned, any 'test' that does not actually attempt delivery should immediately be ignored.

SNIP

GW
Re: SPAM Patches recomendations.
q question <[EMAIL PROTECTED]> wrote:

> I know the qmail documentation says that the default for qmail is not to
> relay. I need to see proof, not just be told to assume that the
> documentation is correct.

The proper "proof" is to try to relay yourself, and see if the message makes it to its intended destination. With qmail, you'll find that it doesn't.

Note that this isn't a proof in the mathematical sense. For that, you'll need to do a line-by-line analysis of the qmail source code.

> I appreciate that someone else suggested asking ORBS to do a relay test.
> However, that doesn't necessarily reassure me that the Prodygy Solutions
> relay test results should be ignored.

What should convince you to ignore those tests is that they are providing a diagnosis ("Relay attempt succeeded") which is patently false (it isn't a successful relay unless the mail makes it to the final destination, and they aren't even actually sending the mail, just testing the RCPT TO: command).

Charles
--
---
Charles Cazabon <[EMAIL PROTECTED]>
GPL'ed software available at: http://www.qcc.sk.ca/~charlesc/software/
Any opinions expressed are just that -- my opinions.
---
Re: SPAM Patches recomendations.
> From: "q question" <[EMAIL PROTECTED]>
> Date: Thu, 03 May 2001 10:30:52 -0500
>
> >From: Charles Cazabon <[EMAIL PROTECTED]>
> >To: [EMAIL PROTECTED]
> >Subject: Re: SPAM Patches recomendations.
> >Date: Thu, 3 May 2001 09:06:00 -0600
> >
> >It's also making some broken assumptions about how certain conventions in
> >the local-part of an SMTP envelope recipient address translate into
> >implicit relaying requests -- these conventions are not part of the SMTP
> >specification, and qmail doesn't use them. The fact that sendmail (or
> >Domino, or Exchange, or whatever) is broken enough to do so should not
> >implicate properly implemented SMTP servers.
>
> I appreciate your describing this in detail. I'm going to need some time to
> reflect on these assumptions.

The particular assumption that Charles didn't explain is that user%host2&host1 or host2|user@host1 will be relayed by host1 to user@host2.

Certainly software that does this is broken, but it's also perfectly legal for first%last@host1 or first!last@host1 to be delivered to an account on that machine. To assume that the only reason such an address would be accepted is to relay it is totally bogus.

Chris

--
Chris Garrigues http://www.DeepEddy.Com/~cwg/
virCIO http://www.virCIO.Com
4314 Avenue C
Austin, TX 78751-3709 +1 512 374 0500

My email address is an experiment in SPAM elimination. For an
explanation of what we're doing, see http://www.DeepEddy.Com/tms.html

Nobody ever got fired for buying Microsoft,
but they could get fired for relying on Microsoft.
Re: SPAM Patches recomendations.
>From: Charles Cazabon <[EMAIL PROTECTED]>
>To: [EMAIL PROTECTED]
>Subject: Re: SPAM Patches recomendations.
>Date: Thu, 3 May 2001 09:06:00 -0600
>
>q question <[EMAIL PROTECTED]> wrote:
> >
> > 1) What are the erroneous assumptions of the Prodygy relay test utility?
>
>It assumes that because the RCPT TO: <...> command succeeded, the mail will
>be delivered. This is not required by RFC821/2821, and is not true of qmail
>or any other MTA which does not have knowledge of the possible final
>delivery targets during the initial SMTP conversation.
>
>It's also making some broken assumptions about how certain conventions in
>the local-part of an SMTP envelope recipient address translate into implicit
>relaying requests -- these conventions are not part of the SMTP
>specification, and qmail doesn't use them. The fact that sendmail (or
>Domino, or Exchange, or whatever) is broken enough to do so should not
>implicate properly implemented SMTP servers.

I appreciate your describing this in detail. I'm going to need some time to reflect on these assumptions.

> > 2) How is it so clear that the machine didn't relay mail?
>
>-these types of questions come up every week on this mailing list
>-qmail has _never_ relayed mail unless the administrator specifically
>configures it to do so.

I know the qmail documentation says that the default for qmail is not to relay. I need to see proof, not just be told to assume that the documentation is correct. As I said above, I'll need time to reflect on this. I appreciate that someone else suggested asking ORBS to do a relay test. However, that doesn't necessarily reassure me that the Prodygy Solutions relay test results should be ignored. I don't know anything specific about the Prodygy relay test "failures" but I don't just ignore something because someone else said to.

I do appreciate your reply and I realize full well that I may end up deciding to ignore the Prodygy relay test failures someday myself.
Re: SPAM Patches recomendations.
q question <[EMAIL PROTECTED]> wrote:

> 1) What are the erroneous assumptions of the Prodygy relay test utility?

It assumes that because the RCPT TO: <...> command succeeded, the mail will be delivered. This is not required by RFC821/2821, and is not true of qmail or any other MTA which does not have knowledge of the possible final delivery targets during the initial SMTP conversation.

It's also making some broken assumptions about how certain conventions in the local-part of an SMTP envelope recipient address translate into implicit relaying requests -- these conventions are not part of the SMTP specification, and qmail doesn't use them. The fact that sendmail (or Domino, or Exchange, or whatever) is broken enough to do so should not implicate properly implemented SMTP servers.

> 2) How is it so clear that the machine didn't relay mail?

-these types of questions come up every week on this mailing list
-qmail has _never_ relayed mail unless the administrator specifically configures it to do so.

Charles
--
---
Charles Cazabon <[EMAIL PROTECTED]>
GPL'ed software available at: http://www.qcc.sk.ca/~charlesc/software/
Any opinions expressed are just that -- my opinions.
---
Re: SPAM Patches recomendations.
Charles,

1) What are the erroneous assumptions of the Prodygy relay test utility?

2) How is it so clear that the machine didn't relay mail?

>From: Charles Cazabon <[EMAIL PROTECTED]>
>To: [EMAIL PROTECTED]
>Subject: Re: SPAM Patches recomendations.
>Date: Tue, 1 May 2001 09:52:51 -0600
>
>Eduardo Augusto Alvarenga <[EMAIL PROTECTED]> wrote:
> >
> > I've tested my qmail smtp server for spam using the Prodygy Solutions
> > relay test utility:
>[...]
> > And got 2(two) holes on my server:
>
>No, you don't. Your machine didn't relay mail, and the tests (hah!) didn't
>even actually do any testing; they inferred a result from erroneous
>assumptions.
>
>Ignore the "tests" you did; they're worthless, and tell you nothing about
>whether your server is an open relay or not. Provided you have
>/var/qmail/control/rcpthosts, and it contains only your domains, and you're
>not setting the RELAYCLIENT environment variable for random IP addresses
>which connect to your SMTP port, then you are NOT an open relay.
>
>Charles
>--
>---
>Charles Cazabon <[EMAIL PROTECTED]>
>GPL'ed software available at: http://www.qcc.sk.ca/~charlesc/software/
>Any opinions expressed are just that -- my opinions.
>---
Re: SPAM Patches recomendations.
You are better off asking ORBS to do a relay test, which is more reliable.

http://www.orbs.org/

-K

"Do not meddle in the affairs of dragons, because you are crunchy and taste good with ketchup."

> From: Eduardo Augusto Alvarenga <[EMAIL PROTECTED]>
> Date: Tue, 01 May 2001 12:15:19 -0300
> To: [EMAIL PROTECTED]
> Subject: SPAM Patches recomendations.
>
> Greetz,
>
> I've tested my qmail smtp server for spam using the Prodygy Solutions
> relay test utility:
>
> http://www.prodigysolutions.com/services/relay_test.php
>
> And got 2(two) holes on my server:
>
> * I'll omit the domain for security reasons of course.
>
> Relay test 7
> MAIL FROM:([EMAIL PROTECTED]@mail.mydomain.com)
> 250 ok
> RCPT TO:("nobody%prodigysolutions.com")
> 250 ok (Failed Test)
> RSET
> 250 flushed
>
> Relay test 13
> MAIL FROM:([EMAIL PROTECTED]@mail.mydomain.com)
> 250 ok
> RCPT TO:(prodigysolutions.com!nobody)
> 250 ok (Failed Test)
> RSET
> 250 flushed
>
> Anyone has any tip to fix these problems ? (patches/etc) ?
> Another question: Emails on using % and ! as the domain separator should
> work ?
>
> Best Regards,
>
> -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
> Eduardo Augusto Alvarenga - Analista de Suporte - #179653
> Blumenau - Santa Catarina. Tel. (47) 9102-3303
> -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
>
> /"\
> \ /  Campanha da Fita ASCII - Contra Mail HTML
>  X   ASCII Ribbon Campaign - Against HTML Mail
> / \
Re: SPAM Patches recomendations.
Eduardo Augusto Alvarenga <[EMAIL PROTECTED]> wrote:

> I've tested my qmail smtp server for spam using the Prodygy Solutions
> relay test utility:
[...]
> And got 2(two) holes on my server:

No, you don't. Your machine didn't relay mail, and the tests (hah!) didn't even actually do any testing; they inferred a result from erroneous assumptions.

Ignore the "tests" you did; they're worthless, and tell you nothing about whether your server is an open relay or not. Provided you have /var/qmail/control/rcpthosts, and it contains only your domains, and you're not setting the RELAYCLIENT environment variable for random IP addresses which connect to your SMTP port, then you are NOT an open relay.

Charles
--
---
Charles Cazabon <[EMAIL PROTECTED]>
GPL'ed software available at: http://www.qcc.sk.ca/~charlesc/software/
Any opinions expressed are just that -- my opinions.
---
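The rcpthosts/RELAYCLIENT condition in the message above, together with the RFC 2821 rule quoted earlier in the thread that only the host named in the domain part interprets the local-part, as an added example that is not part of the thread and is not qmail code. It is a simplified Python model; the host name, the rcpthosts contents, the 553 reply code and the rule that an address without '@' belongs to this host are assumptions of the model.

```python
# Added example: simplified model of the RCPT TO decision, not qmail source.
# Assumptions: rcpthosts entries match exactly, or as a suffix when they start
# with '.'; an address with no '@' is treated as belonging to this host.

OUR_HOST = "mail.mydomain.example"                      # constructed host name
RCPTHOSTS = ["mydomain.example", ".mydomain.example"]   # constructed contents


def split_recipient(addr):
    """Split on the LAST '@'; everything before it is an opaque local-part."""
    addr = addr.strip()
    if len(addr) >= 2 and addr[0] == '"' and addr[-1] == '"':
        addr = addr[1:-1]          # drop the quotes around a quoted address
    local, at, domain = addr.rpartition("@")
    if not at:
        return addr, None          # no '@' at all: '%' and '!' mean nothing
    return local, domain.lower()


def domain_allowed(domain, rcpthosts):
    """True if the domain is one this server accepts mail for."""
    entries = {e.strip().lower() for e in rcpthosts if e.strip()}
    if domain in entries:
        return True
    return any(domain.endswith(e) for e in entries if e.startswith("."))


def rcpt_reply(addr, rcpthosts, relayclient=False):
    """SMTP reply code the daemon would give to RCPT TO:<addr>."""
    _, domain = split_recipient(addr)
    if relayclient or domain is None or domain_allowed(domain, rcpthosts):
        return 250
    return 553


def delivery_target(addr, our_host=OUR_HOST):
    """(host, mailbox) the accepted message would be queued for."""
    local, domain = split_recipient(addr)
    return (our_host if domain is None else domain, local)


def naive_scanner_verdict(addr, rcpthosts):
    """The logic of the test in this thread: any 250 is a 'Failed Test'."""
    return "open relay" if rcpt_reply(addr, rcpthosts) == 250 else "ok"


def real_verdict(addr, rcpthosts, relayclient=False, our_host=OUR_HOST):
    """A relay needs acceptance AND a destination host that is not ours."""
    if rcpt_reply(addr, rcpthosts, relayclient) != 250:
        return "rejected"
    host, _ = delivery_target(addr, our_host)
    ours = host == our_host or domain_allowed(host, rcpthosts)
    return "local delivery" if ours else "relayed"


if __name__ == "__main__":
    samples = ['"nobody%prodigysolutions.com"',          # relay test 7
               "prodigysolutions.com!nobody",            # relay test 13
               "user@destination.example@mydomain.example",
               "nobody@prodigysolutions.com"]
    for rcpt in samples:
        print(rcpt, rcpt_reply(rcpt, RCPTHOSTS),
              naive_scanner_verdict(rcpt, RCPTHOSTS),
              real_verdict(rcpt, RCPTHOSTS))
```

Calling `real_verdict` with `relayclient=True` for the last sample returns "relayed", which is the one configuration the thread warns against granting to arbitrary clients.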
SPAM Patches recomendations.
Greetz,

I've tested my qmail smtp server for spam using the Prodygy Solutions relay test utility:

http://www.prodigysolutions.com/services/relay_test.php

And got 2(two) holes on my server:

* I'll omit the domain for security reasons of course.

Relay test 7
MAIL FROM:([EMAIL PROTECTED]@mail.mydomain.com)
250 ok
RCPT TO:("nobody%prodigysolutions.com")
250 ok (Failed Test)
RSET
250 flushed

Relay test 13
MAIL FROM:([EMAIL PROTECTED]@mail.mydomain.com)
250 ok
RCPT TO:(prodigysolutions.com!nobody)
250 ok (Failed Test)
RSET
250 flushed

Anyone has any tip to fix these problems ? (patches/etc) ?
Another question: Emails on using % and ! as the domain separator should work ?

Best Regards,

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Eduardo Augusto Alvarenga - Analista de Suporte - #179653
Blumenau - Santa Catarina. Tel. (47) 9102-3303
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

/"\
\ /  Campanha da Fita ASCII - Contra Mail HTML
 X   ASCII Ribbon Campaign - Against HTML Mail
/ \