Re: [fw-wiz] FWTK and smap/smapd

From: Rick Murphy (rmurphy@mitretek.org)
Date: 07/17/02


To: Devdas Bhagat <devdas@worldgatein.net>, firewall-wizards@honor.icsalabs.com
From: Rick Murphy <rmurphy@mitretek.org>
Date: Wed Jul 17 13:25:02 2002

At 08:51 PM 7/17/2002 +0530, Devdas Bhagat wrote:
>On 17/07/02 08:30 -0400, Rick Murphy wrote:
><snip>
> > The important part of using a patched smap is to provide anti-relay and
> > anti-spam capabilities. The spam-rejection capabilities are pretty broad -
> > there's things I can do to block spam with smap that qmail and postfix
> > can't do.
>Like? Examples, lots of them (or at least one).

OK.
Much of the spam I used to receive came from forged hotmail.com accounts.
Very little spam actually comes from hotmail, so I don't want to just block
them since there are some legitimate correspondents of mine that use their
mail (heck, I use a hotmail address sometimes when I'm on the road...)

Your mail server can detect the hotmail forgery by looking at the hostname
of the machine that's trying to deliver the mail to it - for hotmail, the
mail is going to come from a server in the hotmail.com or msn.com domain.
So, an ideal filter for hotmail forgery is to require the delivering server
to have a valid reverse DNS entry, and to require that reverse DNS to match
either hotmail.com or msn.com. With smap, I configure that with:

smap: verify-reverse hotmail.com:msn.com

I've a long list of similar domains that get this treatment.
The selectivity of this is very important - I don't want to require all
mail servers to have valid reverse DNS (or even *any* reverse DNS) -
requiring reverse DNS to match for all senders has too high a rejection
rate for me; allowing it to be selective (even in face of things like
hotmail coming from msn) is important.

>FWIW, Postfix by default can block based on connecting IP, sender (mail
>from:), recipient (rcpt to), regular expressions in the body/headers,

smap can do all of the above. I don't have the patch installed that allows
searching for RE's in the body, but a patch does exist.

>and if need be pass it on to a filtering program like
>SpamAssassin/razor/procmail, and/or through an antivirus.
>With patches, it can do a lot more (rhsbl etc).

That's the real difference between smap/smapd and postfix - postfix is a
complete mail delivery agent. Smap isn't, and so relies on something else
(sendmail, postfix, etc.) for delivery. Personally, I think that's a real
advantage to postfix over smap - I use what I use mostly out of inertia.

And FWIW, I'm not talking about the network here at work - I use fwtk on my
home network.
         -Rick
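As an added illustration, not part of Rick's message or of the FWTK/smap code, here is a Python sketch of the selective reverse-DNS check he describes: mail claiming to be from a policed sender domain (hotmail.com) is accepted only if the connecting host has a PTR name inside one of the permitted domains (hotmail.com or msn.com), while senders not listed in the policy are never required to have reverse DNS at all. The policy-table layout, the MAIL FROM parsing, and the forward-confirmation step (the PTR name must resolve back to the connecting address) are my assumptions rather than smap's configuration syntax; the IPs, PTR names and forward lookups are constructed so the example runs offline.

```python
"""Selective reverse-DNS verification for forged sender domains (added example)."""
import ipaddress
from typing import Dict, Mapping, Sequence, Set, Tuple

# Assumed policy table (not smap syntax): mail whose envelope sender is in the key
# domain must arrive from a host whose PTR name lies in one of the listed domains.
# Domains absent from this table get no reverse-DNS requirement at all.
VERIFY_REVERSE: Dict[str, Tuple[str, ...]] = {
    "hotmail.com": ("hotmail.com", "msn.com"),
}

# Constructed forward-lookup table standing in for A-record resolution: name -> IPs.
FORWARD: Dict[str, Set[str]] = {
    "mx1.hotmail.com": {"198.51.100.10"},
    "smtp.msn.com": {"198.51.100.20"},
    "mail.example.net": {"203.0.113.5"},
    # A PTR name that looks right but whose forward record points elsewhere; this is
    # why the forward confirmation below matters.
    "fake.hotmail.com": {"198.51.100.10"},
}


def sender_domain(mail_from: str) -> str:
    """Extract the lower-cased domain from a MAIL FROM argument like '<User@Hotmail.COM>'."""
    addr = mail_from.strip().strip("<>")
    if "@" not in addr:
        return ""
    return addr.rsplit("@", 1)[1].lower().rstrip(".")


def in_domain(hostname: str, domain: str) -> bool:
    """True if hostname equals domain or is a subdomain of it, compared label by label."""
    h = hostname.lower().rstrip(".").split(".")
    d = domain.lower().rstrip(".").split(".")
    return len(h) >= len(d) and h[-len(d):] == d


def verify_reverse(mail_from: str, client_ip: str, ptr_names: Sequence[str],
                   forward_map: Mapping[str, Set[str]],
                   policy: Mapping[str, Tuple[str, ...]] = VERIFY_REVERSE) -> Tuple[bool, str]:
    """Decide whether to accept a message from client_ip claiming the given envelope sender.

    ptr_names are the PTR names already resolved for client_ip (empty if none).
    Returns (accept, reason) so the caller can log the decision.
    """
    domain = sender_domain(mail_from)
    required = policy.get(domain)
    if required is None:
        # Selectivity: only policed domains pay the reverse-DNS cost.
        return True, f"no reverse-DNS requirement for sender domain {domain or '<>'}"
    if not ptr_names:
        return False, f"{domain} requires reverse DNS but {client_ip} has no PTR record"

    ip = ipaddress.ip_address(client_ip)
    problems = []
    for name in ptr_names:
        if not any(in_domain(name, d) for d in required):
            problems.append(f"{name} is outside {required}")
            continue
        # Forward-confirm: the PTR name must resolve back to the connecting address.
        forward_ips = {ipaddress.ip_address(a) for a in forward_map.get(name.lower().rstrip("."), ())}
        if ip in forward_ips:
            return True, f"PTR {name} is within {required} and resolves back to {client_ip}"
        problems.append(f"{name} does not resolve back to {client_ip}")
    return False, "; ".join(problems)


def demo() -> list:
    """Run constructed cases and return the accept/reject decisions in order."""
    cases = [
        ("<friend@hotmail.com>", "198.51.100.10", ["mx1.hotmail.com"]),  # genuine hotmail host
        ("<friend@hotmail.com>", "198.51.100.20", ["smtp.msn.com"]),     # hotmail mail via msn
        ("<spam@HOTMAIL.COM>", "203.0.113.5", ["mail.example.net"]),     # PTR in wrong domain
        ("<spam@hotmail.com>", "203.0.113.99", []),                      # no reverse DNS at all
        ("<spam@hotmail.com>", "203.0.113.7", ["fake.hotmail.com"]),     # PTR not forward-confirmed
        ("<anyone@example.org>", "203.0.113.99", []),                    # unpoliced domain, no PTR needed
    ]
    return [verify_reverse(m, ip, ptrs, FORWARD)[0] for m, ip, ptrs in cases]


if __name__ == "__main__":
    for decision in demo():
        print("accept" if decision else "reject")
```

The two design points worth noting are the ones Rick's message makes: the check is keyed on the claimed sender domain, so a host with no reverse DNS is only rejected when it claims to be a domain in the table, and the permitted reverse domains are a list, so hotmail mail arriving from an msn.com host still passes. The forward-confirmation step is my addition; without it the check would trust any PTR name the connecting network's operator chose to publish.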