On 02/09, Kris Deugau wrote:
> I'm still not seeing the whole picture;  maybe you can explain the  
> difference between these two cases:
>
> 1) Legitimate sender, uses the NAT machine as the legitimate, designated  

> (10.0.0.2) with a certain rDNS (exchange.smallbusiness.com).
> 2) Spam, from an infected machine on the same LAN, either via relay  

> (10.0.0.2) with a certain rDNS (exchange.smallbusiness.com).

The IP is sending spam, so it gets blacklisted (by a blacklist of domains
which have MTX records for spamming IPs).

> Obviously I've missed *something* about what you've been trying to  
> describe, but I haven't seen any indication that you're working with  
> **ANYTHING** other than the PTR record 

Yes.

> for the (apparent) originating IP  

Nothing apparent about it.  The delivering IP (last untrusted relay) is
the only thing in an email that can't be forged.

> (which, for a small business on a single static-IP connection, may or  
> may not even have anything to do with the business's own domain(s) at  
> all), 
 
Indeed, so they would need to get whoever is delegated the authority to
provide PTR records for that IP to create the necessary records.

Two options where smallbusiness.com doesn't have the ability to define its
own PTR records.  For example, the PTR record is defined by isp.com.

1) isp.com sets the PTR record to exchange.smallbusiness.isp.com, and
   creates the MTX record for it (2.0.0.10.mtx.smallbusiness.isp.com
   with a value of 127.0.0.1).  If 10.0.0.2 sends spam, isp.com gets
   blacklisted.

2) isp.com sets the PTR record to exchange.smallbusiness.com, and
   smallbusiness.com creates their own MTX record
   (2.0.0.10.mtx.smallbusiness.com = 127.0.0.1).  If 10.0.0.2 sends spam,
   smallbusiness.com gets blacklisted.

>  and some arbitrary (sub^n)domain A record based on the PTR.

Yes.  That's all.  What format should this arbitrary A record be?

> About all your scheme seems to do is identify IPs which may emit  
> legitimate email, generally;  it's certainly nothing I'd score at  
> anything more than an advisory -0.001 in SA.

Of course, unless you use a blacklist of domains which have MTX records for
spamming domains.

> Consider the case of a legitimate ISP's outbound relay - most of the  
> mail is perfectly legitimate, but sooner or later *someone* on an IP  
> controlled by that ISP (and therefore allowed to relay through that  
> outbound relay host) will have their machine infected or someone with an  
> account with that ISP will have their password stolen, and then that  
> infected machine will spew out junk via the relay, or a machine  
> somewhere else will use that stolen password to send SMTP AUTH mail  
> through that relay....
>
> We regularly see both of those cases here (medium-sized ISP).

It's an issue of blacklisting.  What is involved in keeping your ISP off of
IP blacklists?

> The more I think about it and the more I read of what you're describing,  
> the more most of it seems like a reasonable component of any blacklist  
> operation, not a whole FUSSP[1] in its own right.
>
> [1] http://www.claws-and-paws.com/fussp.html, among other references

I have been directed to that url frequently in the last few days :)

-- 
"For every complex problem, there is a solution that is simple, neat,
and wrong." - H. L. Mencken
http://www.ChaosReigns.com
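The lookup the two options above describe (reverse the delivering IP's octets, put them under mtx. in the domain taken from the PTR name, expect 127.0.0.1, then consult a domain blacklist), written out as an added example that is not part of the original message. The DNS data is constructed; the rule for deriving the domain from the PTR name (drop the host label, keep the rest) and the suffix-walk blacklist match are assumptions, since the thread leaves the exact format open.

```python
"""Worked MTX lookup (added example; all DNS data below is constructed)."""

# Constructed PTR records: delivering IP -> rDNS hostname (trailing dot = FQDN).
PTR_RECORDS = {
    "10.0.0.2": "exchange.smallbusiness.com.",      # option 2 in the message
    "10.0.0.3": "exchange.smallbusiness.isp.com.",  # option 1 in the message
    "10.0.0.4": "host.example.net.",                # PTR exists, no MTX record
}

# Constructed A records: the MTX names the vouching domains would publish.
A_RECORDS = {
    "2.0.0.10.mtx.smallbusiness.com.": "127.0.0.1",
    "3.0.0.10.mtx.smallbusiness.isp.com.": "127.0.0.1",
}

# Constructed blacklist of domains that published MTX records for IPs later
# seen spamming (here isp.com, which vouched for 10.0.0.3 under option 1).
BLACKLISTED_DOMAINS = {"isp.com."}


def mtx_domain(ptr_name: str) -> str:
    """Derive the domain expected to publish the MTX record.

    Assumption: drop the host label of the PTR name and keep the rest, so
    exchange.smallbusiness.com. -> smallbusiness.com.
    """
    labels = ptr_name.rstrip(".").split(".")
    if len(labels) < 2:
        raise ValueError(f"PTR name too short to hold a domain: {ptr_name!r}")
    return ".".join(labels[1:]) + "."


def mtx_name(ip: str, ptr_name: str) -> str:
    """Build the MTX query name: reversed IPv4 octets under mtx.<domain>."""
    octets = ip.split(".")
    if len(octets) != 4 or not all(o.isdigit() and int(o) <= 255 for o in octets):
        raise ValueError(f"not an IPv4 address: {ip!r}")
    return ".".join(reversed(octets)) + ".mtx." + mtx_domain(ptr_name)


def blacklisted(domain: str) -> bool:
    """Assumption: a listing covers the domain and everything beneath it,
    so listing isp.com. also catches smallbusiness.isp.com."""
    labels = domain.rstrip(".").split(".")
    return any(".".join(labels[i:]) + "." in BLACKLISTED_DOMAINS
               for i in range(len(labels)))


def classify(ip: str) -> str:
    """Classify the delivering IP the way a receiving MTA would.

    Returns one of "no-ptr", "no-mtx", "blacklisted", "pass".  The only
    trusted input is the delivering IP; the PTR and A records are data
    published by whoever is delegated that reverse zone / that domain.
    """
    ptr = PTR_RECORDS.get(ip)
    if ptr is None:
        return "no-ptr"
    if A_RECORDS.get(mtx_name(ip, ptr)) != "127.0.0.1":
        return "no-mtx"          # nobody has vouched for this IP
    if blacklisted(mtx_domain(ptr)):
        return "blacklisted"     # the vouching domain has a spam history
    return "pass"


if __name__ == "__main__":
    for ip in ("10.0.0.2", "10.0.0.3", "10.0.0.4", "192.0.2.1"):
        print(ip, PTR_RECORDS.get(ip, "-"), classify(ip))
```

The classifier deliberately treats "no-mtx" and "blacklisted" as separate outcomes: an IP nobody vouched for says nothing about a domain, whereas an IP a domain vouched for and that then spammed is what the domain blacklist exists to record.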
