Possible aid in filtering spam

David Wolfskill david at catwhisker.org
Sun Oct 30 20:14:35 PST 2005


The externally-visible SMTP server I have at home is often fairly
maxed out -- it's a P-150 with 64 MB RAM, and it could use more CPU and
more memory, especially since I have all the MTA filtering done on the
same machine (while it also does packet-filtering, NAT, &
externally-visible DNS, too).

Thus, I have a certain incentive to try to do the less-expensive tests
earlier in the SMTP conversation.

This afternoon, I happened to be doing

	ps ax | grep sendm

a few times in succession while watching "top" and some logs; I noticed
that sendmail was reporting the status of various incoming SMTP
transactions by munging the command line that "ps" reports (as expected,
of course).

Then I saw one pop up that went from "startup" to "HELO" -- nothing odd
about that.  But then I saw that this conversation was being reported as
the client claiming to be "mx.catwhisker.org."

Now just waitaminute here....  The client is claiming the identity of
the server to which it's talking?  Excuse me?

I decided that HELO time would be a great point at which to reject this
sort of thing; after all, about the only thing that's testable that
comes before that in SMTP is "connect".

So I adjusted my filter to reject such things.

I then saw some machine say "HELO 63.192.123.122".  Ummm... no sale:
that's *my* IP address.  Added that to the filter, too.

I've added similar expressions to the filter for BayLISA, as well.

I'll grant that it says something (not too positive) about the Internet
when a postmaster can be pleased about how much mail his SMTP server
rejects, rather than how much is being passed along.  Still, this seems
like a fair amount of progress:  the bulk of the messages that are being
thus rejected appear to be being bounced off of SMTP clients in such
places as China and Vietnam -- and I'm already blocking several such
netblocks at "connect" time anyway.

I now expect to be informed of (allegedly) "legitimate" SMTP clients
that actually do this.  Hmmmm....

Peace,
david  (wearing some postmaster hat, I guess)
-- 
David H. Wolfskill				david at catwhisker.org
Prediction is difficult, especially if it involves the future. -- Niels Bohr

See http://www.catwhisker.org/~david/publickey.gpg for public key.



More information about the Baylisa mailing list