Size availability at MAIL FROM state

Hello list,

I have a small project called ACL Policy Daemon[1]. With my policy
daemon you can create Squid-like ACLs.

There is an ACL named 'size' and it is evaluated only if the protocol
state is end-of-data. A user questioned me if it would be possible to
reduce this requirement to the MAIL FROM procotol state. Well, first I
said:  "Yes we can, but as far as I know most clients do not use the
MAIL FROM: <> SIZE=123 syntax, so most of the time the ACL will be
useless since the information is not available yet."

I decided to take a second look on this issue, and I was surprised by
the results. I was wondering: "Do legit servers specify the size of a
message or not?"

I collected the information in 4 days, from May 8 to 12. The volume is
not huge, but I think it gives a hint.

148.847 clients connected to my server were listed on zen.spamhaus.org
22.105 listed in zen.spamhaus.org clients passed the greylisting

From these 22.105 clients blacklisted that passed the greylisting,
21.766 did not inform the 'size' and 21.626 used SMTP.

There were 8.328 messages passed, where clients were not blacklisted
and 7.651 of these had 'size' available and used ESMTP.

This give a 91.87% of availability of the 'size' parameter just
considering clients not blacklisted on zen.spamhaus.org.

Obviously, there is another approach that is to check if this value is
really correct, but for me this makes checking the size of a message,
after all possible SMTP restrictions available before receiving the
data command somewhat tangible.

Do you guys have any thoughts to share about this?

Regards,

Miguel

[1] http://www.apolicy.org

On Mon, May 12, 2008 at 02:17:23PM -0300, Miguel Filho wrote:

SIZE is widely implemented, and most legitimate mail servers will send a
reasonably accurate SIZE at MAIL FROM. You can't trust this SIZE value,
but you can expect it to be more often correct than not.

--
        Viktor.

Disclaimer: off-list followups get on-list replies or get ignored.
Please do not ignore the "Reply-To" header.

To unsubscribe from the postfix-users list, visit
http://www.postfix.org/lists.html or click the link below:
<mailto:[hidden email]?body=unsubscribe%20postfix-users>

If my response solves your problem, the best way to thank me is to not
send an "it worked, thanks" follow-up. If you must respond, please put
"It worked, thanks" in the "Subject" so I can delete these quickly.

On Mon, May 12, 2008 at 2:44 PM, Victor Duchovni
<[hidden email]> wrote:
>
>  SIZE is widely implemented, and most legitimate mail servers will send a
>  reasonably accurate SIZE at MAIL FROM. You can't trust this SIZE value,
>  but you can expect it to be more often correct than not.

I'm seriously considering the protocol used by a client as an
indicator of a spam. I'm trying to be more selective when greylisting,
so if a client is using ESMTP and is not listed on a blacklist there
is a good chance that the message is legit.

I randomly looked at some spam messages of gmail account and all of
them were delivered using SMTP e not ESMTP.

Miguel

>I'm seriously considering the protocol used by a client as an
>indicator of a spam. I'm trying to be more selective when greylisting,
>so if a client is using ESMTP and is not listed on a blacklist there
>is a good chance that the message is legit.
>
>I randomly looked at some spam messages of gmail account and all of
>them were delivered using SMTP e not ESMTP.

Really bad idea.  Spammers may move to ESMTP at any time, thus nullifying
the benefit, and by labeling SMTP transactions as spam, you effectively
blacklist legitimate senders.

Is SMTP officially deprecated?

HAKNER J wrote:
My understanding is that this is a heuristic.

> and by labeling SMTP transactions as spam, you effectively
> blacklist legitimate senders.
>  

He doesn't want to blacklist. he wants to be more "selective when
greylisting".
> Is SMTP officially deprecated?
>  

In practice, you shouldn't see a lot of "old smtp" transactions from
real MTAs.