Subject: Re: SPAM Alert: Email Address Harvesting
To: Richard Rauch <rkr@olib.org>
From: Flo <netbsd@wolfnode.de>
List: current-users
Date: 01/04/2004 23:59:03
Hm,
I tested with a 3 MB message with a "bad word" in the header. The mail
gets identified as "bad" immediately, but the transfer doesn't stop.
Jan 4 23:50:20 server postfix/smtpd[16313]: connect from mail.gmx.net[213.165.64.20]
Jan 4 23:50:21 server postfix/smtpd[16313]: 3CA6F1E998C: client=mail.gmx.net[213.165.64.20]
Jan 4 23:50:25 server postfix/cleanup[16315]: 3CA6F1E998C: reject: header Subject: online casino from mail.gmx.net[213.165.64.20]; from=<florian.stoehr@gmx.net> to=<flo@wolfnode.de> proto=SMTP helo=<mail.gmx.net>: Bah, go away!
Jan 4 23:51:09 server postfix/smtpd[16313]: disconnect from mail.gmx.net[213.165.64.20]
:-(
Bad, I thought it disconnects immediately when a header check matches.
Florian
Richard Rauch wrote:
> Certainly I get a lot of Sven worm attempts. Like Flo, I have them filtered
> at the SMTP layer (along with all other DLL/PIF/etc. junk files).
>
> But spam is more annoying if it gets through (and while zero Sven viruses
> get through to me, I do get occasional spam).
>
>
> Aside to Flo: Does that really stop the virus before it uses up your
> bandwidth? My impression is that the whole message is received before the
> header checks are applied. By that time, the biggest bandwidth hit has
> already been taken. Conforming SMTP has no way to break the transmission
> during header transmission, as far as I know, since the whole message
> (header and body) is sent in one DATA block. Once you start to accept,
> you can't shut the transmitter off.
>
> I've noticed that I usually get a double-take from Sven attempts. One
> has a GIF attachment (rejected) the other has a Microsoft file attach
> of some kind (also rejected). If I get more than one such pair from
> a single IP, I am prone to tossing the IP into a local IPF blacklist.
> "ipfstat -hin | grep -v ^0" suggests that that's doing a good job.
>
> It's a bit draconian, and has blocked at least one legitimate email.
> But I got tired of seeing countless RBL lookups and lots of my
> (limited) DSL bandwidth chewed up for Sven viruses.
>
> I'm keeping the Microsoft Worm related IPF rules separate, so that I can
> eventually turn them off, when and if Sven becomes less of a problem.
> (I intend to keep the list, however, as I will probably want to block
> many of the same IP numbers for the next Microsoft virus. (^&)
>
>
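The two points argued above (a header_checks reject that fires in cleanup while smtpd keeps receiving the DATA, and Richard's practice of putting repeat offenders into a separate IPF blacklist) can both be checked from the Postfix log. The script below is an added example, not code from the thread or from Postfix: it parses smtpd/cleanup lines, measures how many seconds elapsed between the cleanup "reject: header" entry and the matching smtpd "disconnect" (44 s in the session Flo posted, which is the transfer that the reject did not stop), counts header rejects per client IP, and emits IPF rules for any IP rejected at least a threshold number of times. The first session in the sample log is the one posted above; the sessions from 192.0.2.10 are constructed, and the interface name xl0, the threshold of 2 and the rule file name are assumptions.

```python
"""Summarise Postfix smtpd/cleanup log lines: how long a session kept
transferring after a header_checks REJECT fired, and which client IPs
were rejected often enough to go into a local IPF blacklist."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log. The first session is the one posted in the thread;
# the two from 192.0.2.10 (RFC 5737 documentation range) are made up to show
# one client tripping the header checks twice, as Richard describes.
SAMPLE_LOG = """\
Jan 4 23:50:20 server postfix/smtpd[16313]: connect from mail.gmx.net[213.165.64.20]
Jan 4 23:50:21 server postfix/smtpd[16313]: 3CA6F1E998C: client=mail.gmx.net[213.165.64.20]
Jan 4 23:50:25 server postfix/cleanup[16315]: 3CA6F1E998C: reject: header Subject: online casino from mail.gmx.net[213.165.64.20]; from=<florian.stoehr@gmx.net> to=<flo@wolfnode.de> proto=SMTP helo=<mail.gmx.net>: Bah, go away!
Jan 4 23:51:09 server postfix/smtpd[16313]: disconnect from mail.gmx.net[213.165.64.20]
Jan 4 23:52:00 server postfix/smtpd[16320]: connect from dsl-pool.example.net[192.0.2.10]
Jan 4 23:52:01 server postfix/smtpd[16320]: 4F1B1E998D: client=dsl-pool.example.net[192.0.2.10]
Jan 4 23:52:02 server postfix/cleanup[16322]: 4F1B1E998D: reject: header Content-Disposition: attachment; filename="install.pif" from dsl-pool.example.net[192.0.2.10]; from=<someone@example.org> to=<flo@wolfnode.de> proto=ESMTP helo=<example.org>: Executable attachments not accepted
Jan 4 23:52:03 server postfix/smtpd[16320]: disconnect from dsl-pool.example.net[192.0.2.10]
Jan 4 23:55:10 server postfix/smtpd[16325]: connect from dsl-pool.example.net[192.0.2.10]
Jan 4 23:55:11 server postfix/smtpd[16325]: 5A2C1E998E: client=dsl-pool.example.net[192.0.2.10]
Jan 4 23:55:12 server postfix/cleanup[16322]: 5A2C1E998E: reject: header Content-Type: image/gif; name="picture.gif" from dsl-pool.example.net[192.0.2.10]; from=<someone@example.org> to=<flo@wolfnode.de> proto=ESMTP helo=<example.org>: Executable attachments not accepted
Jan 4 23:55:13 server postfix/smtpd[16325]: disconnect from dsl-pool.example.net[192.0.2.10]
"""

# syslog prefix as written by Postfix: "Mon dd HH:MM:SS host postfix/prog[pid]: msg"
LINE_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) "
    r"\S+ postfix/(?P<prog>\w+)\[(?P<pid>\d+)\]: (?P<msg>.*)$")
HOST_RE = r"(?P<host>\S+)\[(?P<ip>[0-9A-Fa-f.:]+)\]"
CLIENT_RE = re.compile(r"^(?P<qid>[0-9A-F]+): client=" + HOST_RE)
DISCONNECT_RE = re.compile(r"^disconnect from " + HOST_RE + r"$")
# cleanup's header/body_checks REJECT line; the "; from=<" anchor keeps the
# non-greedy header text from swallowing the client host.
REJECT_RE = re.compile(
    r"^(?P<qid>[0-9A-F]+): reject: (?P<kind>header|body) (?P<text>.*?) from "
    + HOST_RE + r"; from=<(?P<sender>[^>]*)> to=<(?P<rcpt>[^>]*)>")


def analyse(log_text):
    """Return (delays, rejects): delays is a list of (queue id, client ip,
    seconds between the cleanup reject and smtpd's disconnect); rejects maps
    client ip -> number of header/body_checks rejects."""
    qid_pid = {}           # queue id -> smtpd pid that accepted the session
    reject_at = {}         # smtpd pid -> (queue id, time the reject was logged)
    delays = []
    rejects = defaultdict(int)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{m['mon']} {int(m['day']):02d} {m['time']}",
                               "%b %d %H:%M:%S")
        prog, pid, msg = m["prog"], m["pid"], m["msg"]
        if prog == "smtpd":
            c = CLIENT_RE.match(msg)
            if c:
                qid_pid[c["qid"]] = pid
                continue
            d = DISCONNECT_RE.match(msg)
            if d and pid in reject_at:
                qid, t0 = reject_at.pop(pid)
                delays.append((qid, d["ip"], int((ts - t0).total_seconds())))
        elif prog == "cleanup":
            r = REJECT_RE.match(msg)
            if r:
                rejects[r["ip"]] += 1
                if r["qid"] in qid_pid:   # tie the reject to the smtpd session
                    reject_at[qid_pid[r["qid"]]] = (r["qid"], ts)
    return delays, dict(rejects)


def ipf_rules(rejects, threshold=2, iface="xl0"):
    """IPF 'block in quick' rules for every client rejected at least
    `threshold` times. Interface name and threshold are assumptions."""
    return [f"block in quick on {iface} from {ip}/32 to any"
            for ip, n in sorted(rejects.items()) if n >= threshold]


if __name__ == "__main__":
    delays, rejects = analyse(SAMPLE_LOG)
    for qid, ip, secs in delays:
        print(f"{qid} from {ip}: {secs}s between header reject and disconnect")
    # Assumed file name; kept separate from the main ruleset, as Richard does.
    print("# rules for /etc/ipf.worm.conf")
    print("\n".join(ipf_rules(rejects)))
```

The delay column is the thing to watch: a reject logged by cleanup seconds or minutes before smtpd logs the disconnect means the client was still sending the body after the header matched, so the bandwidth was spent regardless. Blocking the IP in the packet filter, before the TCP connection is even accepted, is what actually prevents the next attempt from costing anything.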