Re: Sites that block dynamic/dialups

From: D. Stussy (kd6lvw_at_bde-arc.ampr.org)
Date: 11/24/03


Date: Mon, 24 Nov 2003 13:35:10 GMT

On Sat, 22 Nov 2003, Rob van der Putten wrote:
> "D. Stussy" wrote:
> > ...And how does this work when a domain has an asymmetrical mail handling system
> > - i.e. dedicated INBOUND and OUTBOUND services on different machines? An
> > outbound server would be connecting to you, but since it has no inbound mail
> > service (accessible from the Internet at large; just the internal dial-up
> > network), there's nothing to connect to. Some larger ISPs follow this model.
> > This could also be true if the message is being relayed - and the relay paths
> > are different for inbound and outbound mail handling.
> >
> > Now, if you meant to say that the verification connection would be to ANY server
> > pointed to by an MX record of that domain (or the host possessing the A record
> > if no MX records are present), that could still work in the asymmetrical model.
> > However, relays that do not validate the username portion of the mailbox (but
> > merely "store and forward") will accept ANYTHING there, so I don't see how that
> > validates the mailbox. At best, it validates only that the domain is reachable.
>
> It uses the MX.

OK, but that isn't what you initially said.... You were going to use the IP of
the incoming connection. [Looks like you found you had to change that.]

> In my experience, systems that first accept the mail and then reject it
> are quite rare.

Being rare doesn't mean that you can ignore that case.

> You can detect such systems by testing a random address, such as a
> string based on epoch. The result of such tests can be cached.

Now you're increasing your overhead by doing a second test....

> > There may be other cases where this breaks also, such as autogenerated mail from
> > various non-mail servers - e.g. my ISP sends me an e-mail when someone signs my
> > web site guestbook. One can't generally e-mail back a service such as that.
>
> Such from addresses should have an alias. So should all system users.

And if those administrators (who need not be mail server admins) choose NOT to?

> > Why not fatal DNS errors ("NXDOMAIN") being fatal, and transient DNS errors
> > being transient?
>
> Sounds logical.
> I'll look into this.
>
> > And a reject isn't? All rejects of any relayed message cause bounces. You
> > don't necessarily know that a message has been relayed previously (depends on
> > when your system issues the reject - before or after the "DATA" subcommand, and
> > if after, how many "credible" Received: headers there have been). The only time
> > a reject doesn't cause a bounce is when the connection is between the e-mail
> > authoring client program and the [first] server. However, as the recipient
> > system, you don't control that. Granted, you issue a reject and some other
> > system not yours generates the bounce, but there's still a bounce. A spammer
> > isn't going to connect his client directly to your server, because that allows
> > you to read the IP address he's using at the time and therefore trace him.
>
> A sending MTA might impose restrictions on the envelope from being
> used, in which case a false from would have to be in the same domain.
> It may also impose restrictions on the combination of origin host and
> destination address. In fact, without that, it acts as an open relay.

I don't see how that equates to an open relay. By operation, ISPs' relays are
at a minimum CLOSED relays for their own customers, and it seems to me that your
above comments are true for EITHER type of relay.
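The verification policy the exchange above circles around (MX lookup with an A-record fallback, NXDOMAIN treated as fatal and other DNS trouble as transient, and a cached epoch-based random-address probe so that a store-and-forward relay which accepts anything is not mistaken for a verified mailbox), written out as an added Python sketch that belongs to neither poster. The resolver and RCPT probe are injected callables; `fake_mx`, `FAKE_A` and `fake_rcpt` are constructed offline stand-ins with hypothetical domains, not real DNS or SMTP.

```python
import secrets
import time

class NxDomain(Exception): pass      # fatal DNS error: the domain does not exist
class DnsTempFail(Exception): pass   # transient DNS error (timeout/SERVFAIL): retry later

def callout_hosts(domain, resolve_mx, resolve_a):
    """Hosts to verify against: MX targets by preference, else the A-record host."""
    mx = resolve_mx(domain)  # list of (preference, host); may raise the errors above
    if mx:
        return [host for _, host in sorted(mx)]
    return [domain] if resolve_a(domain) else []

def verify_sender(address, resolve_mx, resolve_a, rcpt_probe, catchall_cache):
    """Return 'accept', 'reject', 'tempfail' or 'unverifiable' for an envelope sender."""
    local, _, domain = address.rpartition("@")
    if not local or not domain: return "reject"
    try:
        hosts = callout_hosts(domain, resolve_mx, resolve_a)
    except NxDomain:
        return "reject"        # NXDOMAIN is fatal, so the verdict is fatal
    except DnsTempFail:
        return "tempfail"      # transient DNS trouble gets a transient (4xx) answer
    if not hosts:
        return "reject"
    host = hosts[0]
    if domain not in catchall_cache:   # one epoch-based random probe per domain, cached
        bogus = f"{int(time.time())}-{secrets.token_hex(4)}@{domain}"
        catchall_cache[domain] = rcpt_probe(host, bogus) == 250
    if catchall_cache[domain]:
        return "unverifiable"  # relay takes any local part: domain reachable, mailbox unknown
    code = rcpt_probe(host, address)
    if code == 250:
        return "accept"
    return "tempfail" if 400 <= code < 500 else "reject"

# Constructed offline stand-ins for DNS and the SMTP RCPT probe (hypothetical data).
FAKE_MX = {"example.com": [(20, "mx2.example.com"), (10, "mx1.example.com")],
           "catchall.example": [(10, "relay.catchall.example")], "nomx.example": []}
FAKE_A = {"nomx.example": "192.0.2.10"}

def fake_mx(domain):
    if domain == "flaky.example": raise DnsTempFail()
    if domain not in FAKE_MX: raise NxDomain()
    return FAKE_MX[domain]

def fake_rcpt(host, address):
    if host == "relay.catchall.example": return 250  # store-and-forward relay: accepts ANYTHING
    if host == "nomx.example": return 450            # temporary failure, e.g. greylisting
    return 250 if address == "alice@example.com" else 550
```

Call `verify_sender(addr, fake_mx, FAKE_A.get, fake_rcpt, {})` to exercise each path; the dict argument is the per-domain catch-all cache the second poster describes.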