sean finney on 29 Apr 2004 19:03:04 -0000
On Thu, Apr 29, 2004 at 11:34:30AM -0400, Kevin Brosius wrote:
> Received: from unknown (HELO default.in.icenetworld.com)
> (203.195.203.130)
> by mail.netisland.net with SMTP; 29 Apr 2004 14:13:16 -0000
>
> I've never seen mail from 'icenetworld.com' that I would consider valid
> from gr. Or maybe he's got a new domain. A quick lookup on it ought to
> tell you though.

note that just as From: headers can be forged, so can Received: headers, and even so can the information put in the Received: header by your own mail server. if you trust the line itself (if it were put in by your mail server), then you can with some certainty trust the ip address in question, but the hostname in HELO could be anything. anything past the first Received: that you don't administer could be forged.

> > This brings me this same problem I have on one of the lists I maintain
> > with mailman. When they spoof the e-mail address, how would you block
> > the IP address ranges being used by the spammers/compromised boxes?

dynamic realtime blackhole lists. preferably in spamassassin rather than the mta itself, because the former is a tad draconian.

On Thu, Apr 29, 2004 at 12:28:51PM -0400, John Lavin wrote:
> I would think that it would be useful in mailman to be able to discard
> by ip address. It can discard by e-mail, but then you'd be banning the
> spoofed e-mail, not the spammer.

you want to manually maintain that by ip address? have fun :)

seriously though, that's exactly what rbls are designed to do. they're not always able to catch everything, and there is the risk of false positives (which is why i'm against it at the mta level), but a well thought out scheme using multiple distinct rbl services is highly effective at catching the bulk of spam out there.

sean

Attachment: signature.asc
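The two points in the message above, that only the Received: line written by a server you administer is trustworthy (and even then only its IP, not the HELO name), and that the IP should then be checked against several independent realtime blackhole lists rather than one, can be put together in a small filter. The following is an added example, not code from the thread or from SpamAssassin/Mailman; the sample message, the hostnames, the RBL zone names and the "listed" set standing in for DNS answers are all constructed placeholders.

```python
import re
from email import message_from_string

# Constructed sample message (documentation addresses/hosts, not from the thread).
# The topmost Received: line was written by our own MTA; the one below it
# was supplied by the connecting client and could say anything.
SAMPLE = """Received: from unknown (HELO mx.forged-helo.example) (203.0.113.130)
  by mail.example.net with SMTP; 29 Apr 2004 14:13:16 -0000
Received: from relay.example.org (relay.example.org [198.51.100.7])
  by mx.forged-helo.example with ESMTP; 29 Apr 2004 14:10:00 -0000
From: someone@example.org
Subject: hello

body text
"""

IPV4 = re.compile(r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?![\d.])")
BY_HOST = re.compile(r"\bby\s+([A-Za-z0-9.-]+)", re.IGNORECASE)
HELO_NAME = re.compile(r"\(HELO\s+([^)\s]+)\)", re.IGNORECASE)

# Hypothetical RBL zones and a constructed stand-in for what DNS would answer.
ZONES = ["rbl-a.example", "rbl-b.example", "rbl-c.example"]
LISTED = {"130.113.0.203.rbl-a.example", "130.113.0.203.rbl-b.example"}


def parse_received(raw):
    """Return the Received: headers, most recently added (topmost) first,
    with folded continuation lines joined."""
    msg = message_from_string(raw)
    return [" ".join(h.split()) for h in msg.get_all("Received", [])]


def connecting_client(raw, my_mtas):
    """Extract the client IP recorded by one of *our* MTAs.
    Only the topmost Received: line is considered, and only if its 'by'
    host is one we administer; every line below it is attacker-writable.
    The HELO name is returned but is self-reported and must not be trusted."""
    hops = parse_received(raw)
    if not hops:
        return None
    by = BY_HOST.search(hops[0])
    if not by or by.group(1).lower() not in {m.lower() for m in my_mtas}:
        return None
    ip = IPV4.search(hops[0])
    helo = HELO_NAME.search(hops[0])
    return {
        "ip": ip.group(1) if ip else None,
        "helo": helo.group(1) if helo else None,   # untrusted, informational only
        "untrusted_hops": hops[1:],
    }


def dnsbl_query_name(ip, zone):
    """Build the reversed-octet name a DNSBL client resolves (a.b.c.d -> d.c.b.a.zone)."""
    octets = ip.split(".")
    if len(octets) != 4 or not all(o.isdigit() and 0 <= int(o) <= 255 for o in octets):
        raise ValueError(f"not an IPv4 address: {ip!r}")
    return ".".join(reversed(octets)) + "." + zone


def rbl_hits(ip, zones, listed):
    """Count how many independent zones list the IP. `listed` replaces a real
    DNS lookup here so the example runs offline."""
    return sum(1 for z in zones if dnsbl_query_name(ip, z) in listed)


def classify(raw, my_mtas, zones, listed, threshold=2):
    """Require agreement from several lists before flagging, which limits the
    false positives the message warns about when a single RBL is applied."""
    client = connecting_client(raw, my_mtas)
    if client is None or client["ip"] is None:
        return "unknown-origin"
    return "likely-spam" if rbl_hits(client["ip"], zones, listed) >= threshold else "pass"


if __name__ == "__main__":
    info = connecting_client(SAMPLE, {"mail.example.net"})
    print("trusted client ip:", info["ip"], "| claimed HELO (untrusted):", info["helo"])
    print("verdict:", classify(SAMPLE, {"mail.example.net"}, ZONES, LISTED))
```

Run it as-is and the constructed message is flagged because two of the three hypothetical zones list the connecting IP; raise `threshold` to 3 and it passes, which is the knob a site would tune when it prefers scoring in SpamAssassin over outright rejection at the MTA.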