
Re: tlug: External DNS woes



>>>>> "wile y" == Chris Sekiya <sekiya@example.com> writes:

    wile y> On Thu, May 11, 2000 at 01:40:10PM +0900, Stephen
    wile y> J. Turnbull wrote:
    >> I'm having trouble with mail being intermittently refused from
    >> various sites because "Sender domain must exist."

    wile y> ... basic anti-spam measures added during the 8.9.x era
    wile y> check the SMTP envelope from: address.  If it doesn't

Right check for the wrong reason; it's not going to filter much real
spam (a quick check shows that 96% of the senders and return-paths out
of 732 messages in my "abuse" folder have valid but often presumably
forged domains), compared to the number of legitimate senders who will
get hosed.  I suppose it probably worked for a while until the
spammers caught up, though.

    wile y> resolve, it fails the test.  If you're behind a firewall,
    wile y> sending from a machine that doesn't have a lookup, it's
    wile y> going to fail.

Oh, we don't have a firewall; DNS, SMTP, FTP, HTTP, HTTPS, WAIS,
GOPHER, NNTP, POP3, and IMAP are all allowed through.  As well as SSH.
It's just incoming ICMP, UDP (except destination dns), and TCP (almost
all destinations) that's stopped.  Oh yeah, in/out spoofing will be
dropped on the floor, too (sensible, that).  I guess RPC, Telnet, and
RSH are more dangerous than average, but all of the usual complex
servers with problematic security are permitted without supervision,
as well as pretty much anything outgoing except X11 (including Tribe
Flood Networks, if you can somehow subvert a host or 438 on the inside
and set up an ssh tunnel or phone line to communicate over :-P).

My guess is that there were probably scores of subverted machines
inside the packet filter when it was established, and only the very
dumbest script kiddies haven't figured out how to reestablish contact
with their slaves by now.

    wile y> This is fixed by adding the following to your .mc:

Uh, I don't have no steenkin' .mc.  :-)  Steve Baur figured it out;
the serial number of the SOA is out of synch.  Bleah....  But although
my local admins often lack a clue or two, they rarely get upset when
asked to fix things.



    wile y> ... so, no matter how badly your network admins botch
    wile y> things, mail should still go through ...

Chris, they're (University level) talking about sending all SMTP
traffic through relays and "filtering" it for mail bombs (which they
think are the same thing as spam).  Given that the external gateway
goes down an average of twice a month for, uh, "unscheduled
maintenance", I don't trust them to be able to keep a relay host
running 24x7.

-- 
University of Tsukuba                Tennodai 1-1-1 Tsukuba 305-8573 JAPAN
Institute of Policy and Planning Sciences       Tel/fax: +81 (298) 53-5091
_________________  _________________  _________________  _________________
What are those straight lines for?  "XEmacs rules."
--------------------------------------------------------------------
Next Technical Meeting: May 13 (Sat) 13:30 Temple University Japan
* Topic: Crypto and Security	Speaker: Chris Sekiya
Next Nomikai Meeting: June 16 (Fri), Tengu TokyoEkiMae.
--------------------------------------------------------------------
more info: http://www.tlug.gr.jp        Sponsor: Global Online Japan
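As an added example, not part of Stephen's or Chris's posts: a small Python diagnostic that asks each authoritative nameserver directly for the zone's SOA serial and reports which servers disagree, which is the "serial of the SOA is out of synch" condition diagnosed above and the reason a "Sender domain must exist" check fails only intermittently (the answer depends on which nameserver the receiving MTA happens to hit). It shells out to `dig`, which is assumed to be installed; the serial values in the comments and tests are constructed.

```python
import subprocess
from collections import defaultdict
from typing import Dict, List, Optional


def parse_soa_serial(dig_short_output: str) -> Optional[int]:
    """Extract the serial from `dig +short SOA <zone> @<server>` output.

    The +short form prints a single line:
        mname rname serial refresh retry expire minimum
    Returns None when the server gave no usable answer (timeout, REFUSED,
    or a server that is not authoritative for the zone at all).
    """
    for line in dig_short_output.splitlines():
        fields = line.split()
        if len(fields) >= 7 and fields[2].isdigit():
            return int(fields[2])
    return None


def query_soa_serial(zone: str, server: str, timeout: int = 3) -> Optional[int]:
    """Ask one nameserver directly, bypassing any caching resolver."""
    cmd = ["dig", "+short", "+time=%d" % timeout, "+tries=1",
           "SOA", zone, "@" + server]
    try:
        out = subprocess.run(cmd, capture_output=True, text=True,
                             timeout=timeout + 2, check=False).stdout
    except (OSError, subprocess.TimeoutExpired):
        return None
    return parse_soa_serial(out)


def serial_drift(serials: Dict[str, Optional[int]]) -> Dict[Optional[int], List[str]]:
    """Group nameservers by the SOA serial they report.

    A healthy zone yields exactly one key, and that key is not None.
    Two numeric keys mean a secondary missed its zone transfer; a None
    key means a listed server is not answering for the zone.
    """
    groups: Dict[Optional[int], List[str]] = defaultdict(list)
    for server, serial in sorted(serials.items()):
        groups[serial].append(server)
    return dict(groups)


def is_consistent(serials: Dict[str, Optional[int]]) -> bool:
    return len(serial_drift(serials)) == 1 and None not in serials.values()


if __name__ == "__main__":
    import sys  # usage: soa_check.py <zone> <ns1> [<ns2> ...]
    zone, servers = sys.argv[1], sys.argv[2:]
    for serial, names in serial_drift({s: query_soa_serial(zone, s) for s in servers}).items():
        print(serial, ", ".join(names))
```

Run it against every NS record the zone publishes (not just the ones your local resolver prefers); any server that ends up in a second group is the one the "intermittent" refusals are coming through.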

