On 9/2/2014 4:59 AM, Reindl Harald wrote:


On 02.09.2014 at 13:54, Reindl Harald wrote:

On 02.09.2014 at 13:43, Ted Mittelstaedt wrote:
as explained above:

* the users don't want to see clear spam at all
* in many countries *you must* reject before-queue
* frankly, where I live, for dropping accepted messages
    you can go up to 2 years *in jail*

This is really getting silly

yes, your response

Once you accept DATA on the SMTP handshake so you can
read the Subject: line you have accepted the message
whether you queue it or not.

bullshit - there is an "END-OF-DATA" response in the SMTP
protocol, and if what you say were true even a basic
postfix reject on headers would not work

the prerequisite for discussing high level MTA
technology is that you understand the basics, but you
even fail to distinguish between data and headers,
nor do you realize how an SMTP session works

just get a proper MTA, enable debug logging
and watch the commands / responses between
client and server during a message transmission

and to make it clear for you:

until end of data itself is responded to with success
the message is *undelivered* and is tried again from the
sending client if it is a proper MTA


However you have GIVEN THE SPAMMER AN OK that they have a
valid victim address.  You had to issue an OK to the
RCPT TO: to get that DATA from them.  You just told them "you
got a good email address"

if your MTA *doesn't respond with success* at END-OF-DATA
the message is implicitly counted as *not delivered*, because
the server could simply have raised an error in the middle of
data due to a full disk or something else


Yes and the spammer just tries again.  And again.  And again,
forever and forever.

The point of blocking on DNS or IP based blocking is to issue
that error 5xx because that is the ONLY thing that is going to
cause the spammer to delist.  Because at that point they are
now wasting money and time and resources attempting to deliver
to an address that probably does not exist.

Sure they can parse the return code, looking for polite language
saying something to the effect "this email is being blocked because
you are on Wonkulating Gronkluator's blacklist" that some sites
issue to "help" newbie Postmasters realize that their mailserver
is being hijacked, or something of that nature.

But they GUESS so many of their victim addresses that they
can't spend the resources doing that on a dictionary attack,
they KNOW that 99.99% of the error 5xx's they get back are
for User Unknown.  So the few times they guess a real address
and get that polite human-readable explanation that they are
on a blacklist, it gets lost in the noise.

But YOUR setup - why that's spam flypaper.  Because, YOU are
NOT issuing an error 5xx on a sender IP that happens
to guess one of your users' email addresses - because you're just
too curious to get at the DATA and inspect the Subject: line.

Thus you are HELPING the spammers build a list of valid email
addresses on your domain.

No wonder you have such spectacular spam counts.  The spammers
must just love you.  You're handing them your user email
list. Sure, you may determine they are operating from a blacklist
and shut them down after they throw you 1,000 guesses from an IP
address. But in so doing you have handed them 10 good addresses
that they will remember and just attack you from somewhere else.
Do that a couple hundred times and they have thousands of your
valid emails.

so the communication looks somehow like:

* client: i am sending now data
* server: fine, do so
* client: sending data
* client: i have finished with sending data
* server: ok, i accepted that
* client: fine, QUIT
* client: closes the connection AFTER QUIT


Here is how yours looks:

Spammer:  HELO throwawayhostname.throwawaydomainname.TLD like .eu or .co
you: OK I did my DNS check, my RBL check, my PTR check and that's a good host so go ahead
Spammer:  MAIL FROM: <faken...@throwawayhostname.throwawaydomainname.tld>
You:  OK
Spammer: RCPT TO <usernameofyoursthatijustgues...@oneofyourdomains.com>
You:  OK looks good but I want to see your content, so start sending
Spammer to itself: HOT DAMN I GOT ANOTHER VALID EMAIL ADDRESS TO TORTURE FOREVER
Spammer to you:  DATA, blah blah blah, Subject: Viakkagra
blah
blah
blah
you:  OK your content says you're a spammer so I'm going to blow the
TCP connection and not send a final OK
Spammer to itself  SUCKER!!!!  IF HE THINKS I'LL FALL FOR THAT HE'S
DUMBER THAN A POST! I'LL JUST ATTACK FROM SOMEWHERE ELSE USING DIFFERENT CONTENT UNTIL I GET PAST HIS BLOCK.

And here is how it SHOULD look:

Spammer:  HELO throwawayhostname.throwawaydomainname.TLD like .eu or .co
you: OK
Spammer:   MAIL FROM: <faken...@throwawayhostname.throwawaydomainname.tld>
you:  OK
Spammer: RCPT TO:  <usernameofyoursthatijustgues...@oneofyourdomains.com>
You to yourself: Hmm - looks like my user has a blacklist against .co so this guy is unwanted
You to spammer:  500 User Unknown
Spammer:  DAMN, I guessed wrong.  Toss that one and go on to the next guess.

Or even better:

Spammer: HELO throwawayhostname.throwawaydomainname.TLD like .eu or .co
you to yourself:  We block mail from Russian federation Mafia
you to spammer: error 5xx go to hell, spammer.  End TCP connection.
Spammer: WTF just happened???

Granted, this isn't how SA works but you have been talking about prefiltering and this is how it should look.

Ted


so *please* refrain from replying and discussing good
or bad defaults until you have learned your *basic sessions*
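As an added example (not part of this thread and not any MTA's code), here is a toy Python SMTP server replayed against a constructed dictionary-guessing transcript, to show the point argued over above: a 250 at RCPT TO confirms the address to the client whether or not the message is later refused at END-OF-DATA, while a 5xx at RCPT TO confirms nothing. The blocked sender domain, local user table, hostnames and reply texts are all assumptions of the example.

```python
BLOCKED_SENDER_DOMAINS = {"throwawaydomainname.co"}    # constructed reject list
LOCAL_USERS = {"alice@example.org", "bob@example.org"}  # constructed user table

def smtp_session(client_lines, reject_at_rcpt):
    """Replay one client transaction through a toy server. Returns (replies, confirmed):
    confirmed holds every recipient that got a 250 at RCPT TO, i.e. what the client learns."""
    replies, confirmed = [], set()
    sender_domain, in_data = None, False
    for line in client_lines:
        if in_data:                      # body lines get no reply until the "."
            if line == ".":              # END-OF-DATA: last chance to refuse
                in_data = False
                if sender_domain in BLOCKED_SENDER_DOMAINS:
                    replies.append("550 5.7.1 message refused")
                else:
                    replies.append("250 2.0.0 queued")
            continue
        verb, _, arg = line.upper().partition(" ")   # addresses are lowercased below
        if verb == "HELO":
            replies.append("250 mail.example.org")
        elif verb == "MAIL":             # arg looks like FROM:<user@domain>
            sender_domain = arg.split("<")[1].rstrip(">").split("@")[1].lower()
            replies.append("250 2.1.0 ok")
        elif verb == "RCPT":             # arg looks like TO:<user@domain>
            rcpt = arg.split("<")[1].rstrip(">").lower()
            blocked = reject_at_rcpt and sender_domain in BLOCKED_SENDER_DOMAINS
            if rcpt not in LOCAL_USERS or blocked:
                # one reply for unknown user and refused sender: no address oracle
                replies.append("550 5.1.1 user unknown")
            else:
                replies.append("250 2.1.5 ok")
                confirmed.add(rcpt)      # the client now knows this address exists
        elif verb == "DATA":
            in_data = True
            replies.append("354 end data with <CR><LF>.<CR><LF>")
        elif verb == "QUIT":
            replies.append("221 2.0.0 bye")
    return replies, confirmed

GUESSING_CLIENT = [  # constructed dictionary-run transcript from a blocked sender
    "HELO throwawayhostname.throwawaydomainname.co",
    "MAIL FROM:<fake@throwawaydomainname.co>",
    "RCPT TO:<alice@example.org>", "RCPT TO:<zed@example.org>",  # exists / guessed
    "DATA", "Subject: nothing good", "", "body", ".", "QUIT",
]

def leaked_addresses():
    # addresses confirmed to the blocked sender: (reject at END-OF-DATA, reject at RCPT)
    late = smtp_session(GUESSING_CLIENT, reject_at_rcpt=False)[1]
    early = smtp_session(GUESSING_CLIENT, reject_at_rcpt=True)[1]
    return sorted(late), sorted(early)
```

Rejecting only at END-OF-DATA still leaks alice@example.org through the 250 at RCPT TO; rejecting at RCPT TO leaks nothing.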

