At 6:50 AM -0800 12/18/02, Paul Didzerekis imposed structure on a stream of electrons, yielding:
Hello,

I just got this email from ordb.org saying that we have been added to their blacklist for some stupid reason. We have never been an open relay and are very much anti-spam and anti-spammer. We are not an open relay and are running the newest development/beta version of SIMS. I need someone to tell me why the hell we failed their test and how to fix it.

The URL provided with details shows that this was a multi-hop: the tester submitted the mail to a SIMS machine calling itself lists.3-rivers.com, with an unusual target address that had embedded routing telling the mail server to route the message through the host 3-rivers.com:


Received: from lists.3-rivers.com ([63.95.200.2] verified)
by 3-rivers.com (Stalker SMTP Server 1.8b9d14)
with ESMTP id S.0000698793 for ; Tue, 17 Dec 2002 22:13:37 -0800
Received: from [212.242.88.3] (HELO localhost.localdomain)
by lists.3-rivers.com (Stalker SMTP Server 1.8b9d14)
with ESMTP id S.0000072427 for <@3-rivers.com:[EMAIL PROTECTED]>; Tue, 17 Dec 2002 22:16:28 -0800


The solution is to make this impossible. There are many ways to do that, but without knowing how you are using those 2 machines, I can't say what will work for you. The basic problem is that 'lists' is happy to accept and pass along any mail aimed at what it perceives as a '3-rivers.com' address and '3-rivers.com' trusts anything 'lists' hands it for relaying.

FWIW, the log you provided lacks the necessary detail to figure this out. You'd need the SMTP and SYSTEM/ROUTER messages down to level 5 to see this definitively, absent the ORDB evidence. The lines relevant to the successful test were:

22:16:27 3 SMTP-015(localhost.localdomain) Failed to verify. Real address is [212.242.88.3:4214]
22:16:28 2 SMTP-015([212.242.88.3]) {S.0000072427} received, 1030 bytes
22:16:28 2 SYSTEM [S.0000072427] S.0000072427 1+0 From:[EMAIL PROTECTED]
22:16:29 2 SMTP-028(3-rivers.com) [S.0000072427] sent, 916 bytes
22:16:29 2 SYSTEM(SMTP) [S.0000072427] sent to (3-rivers.com)marvin%marvin.ordb.org
22:16:29 2 SYSTEM [S.0000072427] deleted


In the end, this may not be such a bad thing. It looks like 'lists' (63.95.200.2) is the ORDB-listed machine, not '3-rivers.com' (63.95.200.5), so unless 'lists' is talking to external machines you should never have a rejection problem, and I have never seen any example of spammers actually using this technique, so you may never have a spam relaying problem. Essentially, a spammer has to guess at the configuration of your network (i.e. know about both machines and their names) and construct a target address for each recipient using the '@3-rivers.com:' routed address trick. That's too much fancy work given the universe of single-hop and trivial multi-hop relays out there.

I suspect that the best solution is to make 'lists' inaccessible directly from the outside world, or make it refuse to deliver mail that isn't local, even if it has a 3-rivers.com address. Exactly how to do this really depends on what the intended use and relationship between the 2 machines is.



--
Bill Cole [EMAIL PROTECTED]
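The two routing tricks the ORDB test combined (an RFC 821 source route, `<@relay:user@dest>`, wrapped around a "percent hack" local part, `user%dest@relay`) and the "refuse anything that isn't plainly local" policy suggested above, as an added worked example. This is not code from the thread, from SIMS or from ORDB; it assumes `3-rivers.com` and `lists.3-rivers.com` are the site's own domains, it models the Stalker "sent to (host)localpart" router line only in the form quoted above, and the sample log lines are constructed from the thread's output plus one benign delivery.

```python
import re

# Assumption: the site's own mail domains, taken from the hostnames in the thread.
LOCAL_DOMAINS = {"3-rivers.com", "lists.3-rivers.com"}


def parse_recipient(addr):
    """Expand an SMTP RCPT TO address into (final_domain, hops, kind).

    Handles the two legacy routing syntaxes the multi-hop test combines:
      RFC 821 source route   <@relay:user@dest>   (route host list before ':')
      the "percent hack"     <user%dest@relay>    (relay rewrites the last % to @)
    kind is 'plain' when neither appears, 'malformed' if there is no '@'.
    """
    addr = addr.strip()
    if addr.startswith("<") and addr.endswith(">"):
        addr = addr[1:-1]
    hops = []
    kinds = []
    # Source route: everything before ':' is a comma-separated list of @host.
    if addr.startswith("@"):
        kinds.append("source-route")
        route, _, addr = addr.partition(":")
        hops.extend(h.lstrip("@").lower() for h in route.split(","))
    local, sep, domain = addr.rpartition("@")
    if not sep:
        return ("", tuple(hops), "malformed")
    domain = domain.lower()
    # Percent hack: each % asks the current domain to forward one hop further.
    while "%" in local:
        kinds.append("percent")
        hops.append(domain)
        local, _, domain = local.rpartition("%")
        domain = domain.lower()
    kind = "+".join(dict.fromkeys(kinds)) or "plain"
    return (domain, tuple(hops), kind)


def accept_rcpt(addr, local_domains=LOCAL_DOMAINS):
    """Policy for a host that must never relay: accept only plain local addresses.

    Routing syntax is refused even when the named relay is one of our own hosts,
    because that is exactly how a trusted inter-host hop gets abused.
    Returns (accepted, reason).
    """
    final, hops, kind = parse_recipient(addr)
    if kind == "malformed":
        return (False, "malformed address")
    if kind != "plain":
        return (False, "routed address (%s) via %s" % (kind, ",".join(hops)))
    if final not in local_domains:
        return (False, "relaying to %s denied" % final)
    return (True, "local delivery to %s" % final)


# Matches the router line quoted in the thread (assumed format), e.g.
#   22:16:29 2 SYSTEM(SMTP) [S.0000072427] sent to (3-rivers.com)marvin%marvin.ordb.org
SENT_TO = re.compile(r"\[(?P<qid>S\.\d+)\] sent to \((?P<host>[^)]+)\)(?P<addr>\S+)")


def find_relayed(log_lines, local_domains=LOCAL_DOMAINS):
    """Return [(queue_id, final_domain)] for messages the log shows leaving for
    a non-local final destination, i.e. evidence that a relay hop happened."""
    hits = []
    for line in log_lines:
        m = SENT_TO.search(line)
        if not m:
            continue
        # Rebuild the address the router acted on as localpart@host.
        final, _hops, _kind = parse_recipient(m.group("addr") + "@" + m.group("host"))
        if final and final not in local_domains:
            hits.append((m.group("qid"), final))
    return hits


SAMPLE_LOG = [  # constructed: the thread's lines plus one benign local delivery
    "22:16:28 2 SMTP-015([212.242.88.3]) {S.0000072427} received, 1030 bytes",
    "22:16:29 2 SYSTEM(SMTP) [S.0000072427] sent to (3-rivers.com)marvin%marvin.ordb.org",
    "22:20:01 2 SYSTEM(SMTP) [S.0000072430] sent to (3-rivers.com)postmaster",
]

if __name__ == "__main__":
    for a in ("<user@3-rivers.com>",
              "<@3-rivers.com:marvin%marvin.ordb.org@3-rivers.com>",
              "<marvin%marvin.ordb.org@3-rivers.com>",
              "<user@example.net>"):
        print(a, accept_rcpt(a))
    print(find_relayed(SAMPLE_LOG))
```

Run on the address from the quoted Received header, `parse_recipient` reports the true final destination as marvin.ordb.org with two hops through 3-rivers.com, which is why "it has a 3-rivers.com address" is not a safe test for local delivery; `accept_rcpt` is the check a front-end host like 'lists' would apply at RCPT TO, and `find_relayed` is the same logic run over the level-2 log lines to confirm after the fact which queue IDs actually left for an outside domain.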
