Subject: Re: Sendmail and anti-spam
To: John Nemeth <jnemeth@cue.bc.ca>
From: Andrew Brown <atatat@atatdot.net>
List: tech-userlevel
Date: 02/28/1999 23:50:30
>} i recommend a configuration where the mc file contains
>}
>} FEATURE(relay_based_on_MX)
>
> This is a very bad idea. Since anybody can create an MX record
>for their domain that points at your mail server, it would open you up
>to uncontrolled relaying.
no...it would require them to poison your name server with mx records
that point to the domains they wish to spam. so, for aol, they'd have
to spoof an answer to my name server that said i was a redundant mx
host for aol.com. tricky at best. and usually much beyond the
abilities of lame-brained spammers, even with "5|<r1pt |<1dd13" tools.
see sendmail-9.8.3/cf/README:
relay_based_on_MX
Turns on the ability to allow relaying based on the MX
records of the host portion of an incoming recipient; that
is, if an MX record for host foo.com points to your site,
you will accept and relay mail addressed to foo.com. See
description below for more information before using this
feature. Also, see the KNOWNBUGS entry regarding bestmx
map lookups.
the known bugs thing refers to the mx list being truncated. so there,
i'd only lose some of the mx records. but if someone is using that
many mx records (or just really long names) and listing me in one of
them, then they can afford to lose me as a relay.
yes, they could set up an mx record that listed me as a redundant mx
host for the domain (singular) that they wanted to spam, if they had
control of the name server in question. but then they'd only be able
to spam themselves. either that, or they'd be open to computer
trespassing charges for breaking into the name servers for the domain
they were spamming. that's another step they haven't (yet) taken.
>} since that will allow the least amount of reconfiguration for most
>} people. without that, all the domains for which your host is a
>} secondary (or other) mx host for a zone will have to have all those
>} zones listed in its /etc/mail/relay-domains file. which is a pain.
>
> It's also the only way to prevent your server from being used for
>uncontrolled relaying.
yes, but it's incredibly tedious. and it adds yet another possible
"point of failure" when setting mail and dns service for someone.
this is yet another place where something needs to be changed/added.
for example: given the number of mx records out there that list
mail.uu.net as a redundant mx host, i wonder if uunet will *ever*
close down that relay point. :)
--
|-----< "CODE WARRIOR" >-----|
codewarrior@daemon.org * "ah! i see you have the internet
twofsonet@graffiti.com (Andrew Brown) that goes *ping*!"
andrew@crossbar.com * "information is power -- share the wealth."