On Thu, Dec 02, 2004 at 19:31:08 +0100, Andre Oppermann wrote:
> Have a look at what I wrote on NANOG.  It applies perfectly well to
> Switzerland too.
> 
> If all ISPs in Switzerland (or at least the large ones) would put MTAMARK
> (default) records into their reverse zones we would have solved the entire
> SMTP zombie problem.
> 
> What do you think?
> 
> You would put in a global wildcard that says no smtp sender here.  Only
> for those boxes being legitimate SMTP to outside senders you'd put in a
> more specific record as shown above.  You probably have to enter some dozen
> to one hundred servers this way.  Sure your reverse zone scripts need some
> changes but it's only two or three lines.

Well, the only difference between this solution and a port-filter is
that the remote site can decide if it wants to accept the client - which
is a good thing!

I'm about to list all the types of IPs I would mark as valid senders:
- static IP customers (leased lines and ADSL with static IPs)
- our mailservers (primary and backup)

That eliminates all the printers, routers, and other gadgets with an IP
stack that don't send mail - it boils our /19 down to, say, 100 hosts. So
far so good!

But I don't see how this will stop SMTP zombies; those thousands of
other IPs in our network never had and never will send you any mail, and
IP spoofing is rather out of the question in this case.

If one of our leased line customers gets the newest worm he'll still
bang your MTA with it; if you are lucky he uses our primary MX, where the
messages get silently discarded.... but most of our customers don't use
our MTA if they have a static IP.
IMHO MTAMARK hasn't helped you a bit in this scenario - IIRC Spamhaus
has an RBL for worm/virii senders, which seems to me a rather better
solution.


The real problem I see in the long run is that you can't decide what to
do based on the IP. Assume a "big" ISP is forcing its users to use
its MTA - this MTA conforms to any RFC you can think of, it would even
have an MTAMARK. Maybe even SPF, but lousily implemented. What do you do
if you receive massive junk from there, block a major ISP of
Switzerland? You end up finding some nice filtering technique (so you
read all the crap mails, try to find some pattern, hoping it would not
filter any legitimate mails) OR sending abuse@ a nice complaint and hope
something changes.


My experience is that people start running when they get listed in
SpamCop - AFAIK some "big" ISPs use this list, so you notice rather
quickly when you get listed - but I'm not sure if SpamCop also
whitelists the "big" ones, which would be rather sad.


IMHO the best thing would be if you knew that the sender is not
faked, that he/she was verified by the sending host - so you could block
the offending sender. SPF does exactly that; the only thing left is
"local forgery" - but that is rather a problem that has to be solved by
the remote ISP that did no or weak ASMTP.


my 2c
Philipp
_______________________________________________
swinog mailing list
http://lists.init7.net/cgi-bin/mailman/listinfo/swinog