Re: Is predictable spam filtering a vulnerability?

From: The Fungi (fungi_at_yuggoth.org)
Date: 06/24/04

Next message: Matt Zimmerman: "[SECURITY] [DSA 525-1] New apache packages fix buffer overflow in mod_proxy"

Previous message: Thierry Carrez: "[ GLSA 200406-20 ] FreeS/WAN, Openswan, strongSwan: Vulnerabilities in certificate handling"
In reply to: Sean Straw / PSE: "Re: Is predictable spam filtering a vulnerability?"
Next in thread: Valdis.Kletnieks_at_vt.edu: "Re: Is predictable spam filtering a vulnerability?"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Date: Thu, 24 Jun 2004 19:42:56 +0000
To: bugtraq@securityfocus.com

On Wed, Jun 23, 2004 at 10:07:31AM -0700, Sean Straw / PSE wrote:
[...]
> If the envelope sender is faked, then rejecting the message at SMTP time
> (say, due to a DNSBL check) will result in an NDN directed at that faked
> address anyway, excepting when the sending mail host is really a zombie PC
> or spamware to begin with, in which case it'd be dropping the NDNs into the
> ether. The chief difference is that with an SMTP time rejection, YOUR mail
> server doesn't _deliver_ anything - the server which was attempting to
> deliver the message to you would be responsible for delivering the bounce
> based on your SMTP replies during the transaction.
[...]

We get around this problem at work by performing recipient address
verification on our primaries and using cached call-forward
recipient verification on our secondaries. When a secondary server
receives a message destined for an address it hasn't seen recently,
it will try to reach the primary and find out if the address will
accept mail before returning either 250 or 550 to the sender. If it
can't contact the destination immediately, it will elect to defer
the message like a secondary would normally. This is all done using
the "callout" feature in Exim v4. The only time this has become an
issue for us is when our primary is under a denial of service from
an incoming spam flood or is otherwise offline, in which case the
secondary still has to try (in vain usully) to send NDRs to the
spammers afterward. Of course, we are not employing any spam
filtering that results in NDRs or rejection of messages (we filter
them into separate mailboxes), so this has not been an issue for us.

-- 
{ IRL(Jeremy_Stanley); PGP(9E8DFF2E4F5995F8FEADDC5829ABF7441FB84657);
SMTP(fungi@yuggoth.org); IRC(fungi@irc.yuggoth.org#ccl); ICQ(114362511);
AIM(dreadazathoth); YAHOO(crawlingchaoslabs); FINGER(fungi@yuggoth.org);
MUD(Nergel@srmud.net:2325); WWW(http://fungi.yuggoth.org/); }

Next message: Matt Zimmerman: "[SECURITY] [DSA 525-1] New apache packages fix buffer overflow in mod_proxy"

Previous message: Thierry Carrez: "[ GLSA 200406-20 ] FreeS/WAN, Openswan, strongSwan: Vulnerabilities in certificate handling"
In reply to: Sean Straw / PSE: "Re: Is predictable spam filtering a vulnerability?"
Next in thread: Valdis.Kletnieks_at_vt.edu: "Re: Is predictable spam filtering a vulnerability?"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]