Hi John,
At 08:54 01-12-2004, John Hardin wrote:
> Interesting idea. It sounds a little heavy to be doing for every inbound
> message, though, and it assumes that you're letting fingerprinting
> traffic out of your network - I, for example, block all NetBIOS and
> similar ports at my boundary, so fingerprinting wouldn't be useful.

It is not so heavy when applied to inbound connections. Your connection can still be fingerprinted even if you block all NetBIOS and similar ports. Scam-grey does that: http://www.elandsys.com/scam/

> However, this sounds like it might be useful in Spamassassin: attempt to
> contact the sender on port 25, and add a little to the spamminess score
> if the connection is refused or times out.

There are some well-known domains that have SMTP outgoing-only servers. The scoring would affect them more than the "spammy" senders.

> It might also be useful to try connecting to the backdoor ports for the
> better-known spam worms and add a few points if the connection succeeds.

That would be too much overhead if it is done in realtime.

Regards,
-sm