[Mimedefang] Including archetypal filters to include in release?
Kevin A. McGrail
kmcgrail at pccc.com
Tue Jan 10 23:41:10 EST 2006
> (A) can be defeated by making the code aware of NAV being installed...
> Or it can be commented out.
I'm talking about end-users with NAV installed on their PCs.
> (B) That's not a restriction of Windows, I believe. That's a limitation
> of certain Windows UA's. I'm working on a patch to Thunderbird, that
> should work on XP as well.
Yes, I was implying the MUA. I don't see it changing in Outlook/OE anytime
soon, so while it's nice that there is a Thunderbird fix for the issue, the
reality for me is that I believe this check will have hideously high FPs.
> I believe that if you aren't using Microsoft networking and/or Active
> Directories, then you can set the computer name to an arbitrary string,
> including dots...
I can't argue this but again would see it as irrelevant. The percentage of
people using Microsoft networks and AD is again a reality that would produce
too many FPs. I'm testing with this as you could see from my rules but have
not been impressed so far with the results.
> If you're behind a firewall or you're NATting, then you're only going to
> generate a bad address in the HELO in an outgoing transaction.
>
> If you're sending out email, then you need to generate a name by which
> you're reachable... i.e. a domain name, not an IP address (which will
> have only local significance).
I'm not arguing proper setup, just what I've seen and why I've excluded
certain cases.
>> if ($helo =~ /^\[?(localhost|127.0.0.1)\]?$/i && $ip ne '127.0.0.1') {
>
>
> Why would localhost be bracketed?
Because ratware and spammers aren't known for their RFC Compliance ;-)
> Why testing for $ip ne '127.0.0.1' again here? Maybe these two tests
> should be bracketed by this, or else do early acceptance of sessions
> from that address?
Because I am gathering statistics and looking at tunnelled usage as well on
each individual test.
>> if ($helo =~ /^friend$/) {
>
> Hmmm.... Any identifier that isn't dotted would seem to be bogus
> (unless you want to make an exception for localhost). I've seen other
> hosts say "HELO xyzzy", etc.
friend has been particularly abused. I haven't seen the same trend because
as I said above, I see perfectly legit traffic using HELO
microsoftnetworkname and I haven't figured out a way to reduce the FPs.
Regards,
KAM
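The HELO checks debated in this thread, as an added example that is not part of the original message and not MIMEDefang's own filter code: it is written in Python rather than the filter's Perl, and every function name, the `SAMPLE_SESSIONS` list and the confidence split are assumptions made here. It runs each test independently (no early accept) so that per-check counts can be gathered the way the post describes, and it keeps the undotted-name and private-IP-literal cases as statistics only, since the thread reports legitimate Windows hosts and NATted senders tripping them.

```python
import ipaddress
import re
from collections import Counter

# Regexes for the HELO shapes discussed in the thread. The bracketed forms are
# accepted because non-compliant senders bracket names as well as IP literals.
LOCALHOST_RE = re.compile(r'^\[?(localhost|127\.0\.0\.1)\]?$', re.IGNORECASE)
FRIEND_RE = re.compile(r'^friend$', re.IGNORECASE)
IP_LITERAL_RE = re.compile(r'^\[?(\d{1,3}(?:\.\d{1,3}){3})\]?$')
UNDOTTED_RE = re.compile(r'^[A-Za-z0-9-]+$')

# RFC 1918 listed explicitly rather than via ipaddress.is_private, which also
# treats documentation ranges such as 203.0.113.0/24 as private.
RFC1918 = [ipaddress.ip_network(n) for n in ('10.0.0.0/8', '172.16.0.0/12', '192.168.0.0/16')]


def check_localhost(helo, ip):
    """HELO claims localhost/127.0.0.1 but the peer is not the loopback address."""
    return bool(LOCALHOST_RE.match(helo)) and ip != '127.0.0.1'


def check_friend(helo, ip):
    """HELO 'friend', which the thread reports as heavily abused."""
    return bool(FRIEND_RE.match(helo))


def check_ip_literal(helo, ip):
    """HELO is an IP literal that differs from the connecting address.
    Returns 'private' when the literal is RFC 1918 (what a NATted or firewalled
    host leaks, so low confidence), 'public' otherwise, False when it matches."""
    m = IP_LITERAL_RE.match(helo)
    if not m:
        return False
    try:
        claimed = ipaddress.ip_address(m.group(1))
    except ValueError:
        return False
    if str(claimed) == ip:
        return False
    return 'private' if any(claimed in net for net in RFC1918) else 'public'


def check_undotted(helo, ip):
    """Undotted name. Windows hosts legitimately send their machine name, so
    this fires on good mail and is counted rather than used for rejection."""
    return (bool(UNDOTTED_RE.match(helo))
            and not LOCALHOST_RE.match(helo)
            and not FRIEND_RE.match(helo))


CHECKS = {
    'localhost': check_localhost,
    'friend': check_friend,
    'ip_literal': check_ip_literal,
    'undotted': check_undotted,
}
# Only the checks the thread treats as reliable lead to rejection (assumed split).
HIGH_CONFIDENCE = {'localhost', 'friend', 'ip_literal:public'}


def run_checks(helo, ip):
    """Run every check and return the names that fired; a check that returns a
    qualifier string (e.g. 'private') has it appended as 'name:qualifier'."""
    fired = set()
    for name, fn in CHECKS.items():
        result = fn(helo, ip)
        if result is True:
            fired.add(name)
        elif result:
            fired.add(f'{name}:{result}')
    return fired


def verdict(fired):
    """'reject' on a high-confidence hit, 'stats' when only low-confidence
    checks fired (logged, not acted on), 'accept' when nothing fired."""
    if fired & HIGH_CONFIDENCE:
        return 'reject'
    return 'stats' if fired else 'accept'


def tally(sessions):
    """Per-check hit counts over (helo, connecting_ip) pairs, for comparing FP rates."""
    counts = Counter()
    for helo, ip in sessions:
        counts.update(run_checks(helo, ip))
    return counts


# Constructed sample sessions (helo, connecting_ip); not real traffic.
SAMPLE_SESSIONS = [
    ('mail.example.net', '203.0.113.10'),   # ordinary dotted name
    ('[localhost]', '198.51.100.7'),        # bracketed localhost from outside
    ('127.0.0.1', '127.0.0.1'),             # genuine loopback, tunnelled usage
    ('friend', '198.51.100.8'),
    ('[192.168.1.20]', '203.0.113.44'),     # NATted host leaking its LAN address
    ('[203.0.113.99]', '203.0.113.44'),     # public literal that is not the peer
    ('WORKSTATION01', '203.0.113.12'),      # Windows machine name: legit, undotted
]

if __name__ == '__main__':
    for helo, ip in SAMPLE_SESSIONS:
        fired = run_checks(helo, ip)
        print(f'{helo:20} {ip:15} {verdict(fired):7} {sorted(fired)}')
    print(dict(tally(SAMPLE_SESSIONS)))
```

Running the block prints one line per session and the per-check tally; `tally()` is the piece to run over real connection logs to see which tests are worth acting on versus which (undotted names, private IP literals) fire too often on legitimate mail.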