[Mimedefang] Pre-Emptive Greylist entries

Paul Murphy pjm at ousekjarr.org
Tue Jan 10 11:58:32 EST 2006


> Others have mentioned possible problems with this approach.  I'll add
> one more: viruses.  If one of the client PC's on your network gets hit
> with a virus then it may try to send mail to every address in the user's
> address book; presumably many of those addresses will be for clients.
> You might catch many of those virus initiated e-mails via a virus scanner.
> However, many installations don't scan outgoing messages for viruses
> (we don't), so they won't be caught in this fashion.

Most viruses now have their own SMTP code included, and so will bypass your
outbound mail server.  Only your outbound servers should be allowed to make
contact with external systems on TCP port 25, so your firewall policy has to
be co-ordinated as well.

> Q: As a matter of best practice should we be scanning outgoing messages
> for viruses, and rejecting them?

Definitely, as the cost of even one getting out is much higher than the cost
of scanning all outbound messages as well as all inbound.  Your reputation
will be zero.

_IF_ you can guarantee that your desktop and server A/V solutions are 100%
effective 100% of the time, then you can skip scanning outbound mails.  To
date, there is no such A/V system - signature updates lag behind virus
releases, and you may get caught out.

> 2. Something I've toyed with: _if_ the sending relay supports SPF and
>    the SPF validates - accept the mail unconditionally and don't greylist it.

It is rapidly becoming the case that SPF validation is a higher-than-average
sign of SPAM, since the spammers have more of an incentive to get it right
than the rest of the world.  Don't rely on it, and certainly don't bypass
greylisting because of it.  Effectively, you are trusting someone else's DNS
records when determining whether your policy can be bypassed.

>    You might need to run another milter for validation, or adapt some Perl
>    code to the task.  There may be other validation methods (HABEAS, etc)
>    that work here.

For HABEAS, see SPF above.

> To catch some of the cases where a spammer hijacks a legitimate user's PC,
> and sends mail as that user (haven't seen this, except for viruses, but it
> seems possible),

Highly likely, in fact.  Once greylisting becomes universal, this will be the
chosen method of attack for botnets.

> perhaps it is a good idea to _always_ tempfail messages with many recipient
> addresses?

Much of the SPAM I see has only one recipient. Tempfail all of them on first
contact, and let your greylisting implementation sort out the real
systems/senders for you.

Best Wishes,

Paul.
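As an added illustration of the "tempfail everything on first contact" position in the reply above (this is example code, not from the original post or from the MIMEDefang project), here is a minimal filter_recipient hook for a mimedefang-filter. It keys on the (client IP, sender, recipient) triplet, tempfails any triplet it has not seen before, accepts it once the sender retries after a minimum delay, and deliberately consults neither SPF nor the number of recipients. It assumes mimedefang is started with -r so that filter_recipient is called, that /var/spool/MIMEDefang/greylist.db is writable by the filter user, that 127/8, 10/8 and 192.168/16 are the site's own networks, and that MIMEDefang's md_syslog is available in the filter's namespace; all of these are assumptions.

```perl
# Added example (not code from the original post or the MIMEDefang project):
# a minimal greylisting filter_recipient hook. Every previously unseen
# (client IP, sender, recipient) triplet is tempfailed; it is accepted once
# the sender retries after $MIN_DELAY. No SPF bypass, no recipient counting.
use strict;
use warnings;
use DB_File;
use Fcntl qw(:flock O_RDWR O_CREAT);

my $GREYLIST_DB = '/var/spool/MIMEDefang/greylist.db'; # assumed path
my $MIN_DELAY   = 5 * 60;  # seconds a sender must wait before a retry counts

# Pure decision function, kept apart from MIMEDefang plumbing. $db maps a
# triplet key to the epoch time it was first seen. Returns the (code, message)
# pair that filter_recipient must hand back to MIMEDefang.
sub greylist_decision {
    my ($db, $key, $now) = @_;
    my $first_seen = $db->{$key};
    if (!defined $first_seen) {
        $db->{$key} = $now;                     # record first contact
        return ('TEMPFAIL', 'Greylisted, please retry later');
    }
    if ($now - $first_seen < $MIN_DELAY) {      # retry came back too soon
        return ('TEMPFAIL', 'Greylisted, please retry later');
    }
    return ('CONTINUE', 'ok');                  # known triplet, let it in
}

# Called once per RCPT TO command when mimedefang runs with -r.
sub filter_recipient {
    my ($recipient, $sender, $ip, $hostname, $first, $helo,
        $rcpt_mailer, $rcpt_host, $rcpt_addr) = @_;

    # Do not greylist our own hosts (assumed internal ranges).
    return ('CONTINUE', 'ok') if $ip =~ /^(?:127\.|10\.|192\.168\.)/;

    # Lower-case and strip angle brackets so "<Bob@Example.COM>" and
    # "bob@example.com" do not become two different triplets.
    my $norm = sub { my $s = lc shift; $s =~ s/^<//; $s =~ s/>$//; $s };
    my $key  = join("\0", $ip, $norm->($sender), $norm->($recipient));

    # Serialise access: several multiplexor slaves may run this at once.
    open my $lock, '>>', "$GREYLIST_DB.lock"
        or return fail_open("cannot open lock file: $!");
    flock($lock, LOCK_EX) or return fail_open("cannot lock: $!");

    my %db;
    tie %db, 'DB_File', $GREYLIST_DB, O_RDWR | O_CREAT, 0640, $DB_HASH
        or return fail_open("cannot open $GREYLIST_DB: $!");

    my @verdict = greylist_decision(\%db, $key, time());

    untie %db;
    close $lock;
    return @verdict;
}

# If the state store is unusable, accept rather than tempfail: losing the
# greylist for a while is cheaper than deferring legitimate mail for hours.
sub fail_open {
    my ($why) = @_;
    md_syslog('warning', "greylist: $why; accepting without greylisting");
    return ('CONTINUE', 'ok');
}
```

The state file grows without bound as written; a cron job that drops triplets older than a month or so (not shown) keeps it small. Because the key includes the exact client IP, a sender farm that retries from a different host will be greylisted again; sites that find this too aggressive usually key on the /24 instead, which is a policy choice rather than a correctness fix.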
