Hello list,
I have a small project called ACL Policy Daemon[1]. With my policy daemon you can create Squid-like ACLs.

There is an ACL named 'size' and it is evaluated only if the protocol state is end-of-data. A user questioned me if it would be possible to reduce this requirement to the MAIL FROM protocol state. Well, first I said: "Yes we can, but as far as I know most clients do not use the MAIL FROM: <> SIZE=123 syntax, so most of the time the ACL will be useless since the information is not available yet."

I decided to take a second look at this issue, and I was surprised by the results. I was wondering: "Do legit servers specify the size of a message or not?"

I collected the information in 4 days, from May 8 to 12. The volume is not huge, but I think it gives a hint.

148.847 clients connected to my server were listed on zen.spamhaus.org
22.105 listed in zen.spamhaus.org clients passed the greylisting

From these 22.105 clients blacklisted that passed the greylisting, 21.766 did not inform the 'size' and 21.626 used SMTP.

There were 8.328 messages passed, where clients were not blacklisted, and 7.651 of these had 'size' available and used ESMTP. This gives 91.87% availability of the 'size' parameter just considering clients not blacklisted on zen.spamhaus.org.

Obviously, there is another approach that is to check if this value is really correct, but for me this makes checking the size of a message, after all possible SMTP restrictions available before receiving the data command, somewhat tangible.

Do you guys have any thoughts to share about this?

Regards,
Miguel

[1] http://www.apolicy.org
On Mon, May 12, 2008 at 02:17:23PM -0300, Miguel Filho wrote:
> Hello list,
>
> I have a small project called ACL Policy Daemon[1]. With my policy
> daemon you can create Squid-like ACLs.
>
> There is an ACL named 'size' and it is evaluated only if the protocol
> state is end-of-data. A user questioned me if it would be possible to
> reduce this requirement to the MAIL FROM protocol state. Well, first I
> said: "Yes we can, but as far as I know most clients do not use the
> MAIL FROM: <> SIZE=123 syntax, so most of the time the ACL will be
> useless since the information is not available yet."

SIZE is widely implemented, and most legitimate mail servers will send a
reasonably accurate SIZE at MAIL FROM. You can't trust this SIZE value,
but you can expect it to be more often correct than not.

-- 
	Viktor.

Disclaimer: off-list followups get on-list replies or get ignored.
Please do not ignore the "Reply-To" header.

To unsubscribe from the postfix-users list, visit
http://www.postfix.org/lists.html or click the link below:
<mailto:[hidden email]?body=unsubscribe%20postfix-users>

If my response solves your problem, the best way to thank me is to not
send an "it worked, thanks" follow-up. If you must respond, please put
"It worked, thanks" in the "Subject" so I can delete these quickly.
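The two-stage 'size' check Miguel describes, with Viktor's caveat that the value announced at MAIL FROM is advisory, as an added example (not apolicy's code and not from this thread): a Postfix policy-delegation request parser and a hypothetical 'size' ACL that rejects early on an oversized SIZE= claim but enforces the limit on the real size at END-OF-MESSAGE. It assumes the attribute names Postfix sends (protocol_state, protocol_name, size), that the MAIL-stage size is the client's announced SIZE= (empty or 0 when none was given), and a constructed limit.

```python
# Added example: a minimal Postfix policy-delegation handler that evaluates a
# Squid-like 'size' ACL in two passes. Assumptions (not from the thread):
# one "name=value" per line, request ended by an empty line; attributes
# protocol_state, protocol_name and size; the MAIL-stage size is the announced
# SIZE= (empty or 0 when absent); the END-OF-MESSAGE size is what was received.
SIZE_LIMIT = 10_000_000  # hypothetical ACL limit, 10 MB


def parse_policy_request(raw: str) -> dict:
    """Parse one policy request into a dict; stops at the terminating blank line."""
    attrs = {}
    for line in raw.splitlines():
        if line == "":
            break
        name, sep, value = line.partition("=")
        if sep:
            attrs[name] = value
    return attrs


def announced_size(attrs: dict):
    """Return the client-announced size as an int, or None when unavailable.

    Plain-SMTP clients cannot announce SIZE (it is an ESMTP extension), which
    matches the thread's observation that non-ESMTP sessions lack 'size'.
    """
    size = attrs.get("size", "")
    if attrs.get("protocol_name") != "ESMTP" or not size.isdigit() or size == "0":
        return None
    return int(size)


def size_acl(attrs: dict, limit: int = SIZE_LIMIT) -> str:
    """Policy action for the 'size' ACL: DUNNO lets the other rules decide."""
    state = attrs.get("protocol_state")
    if state == "END-OF-MESSAGE":
        # Authoritative: the bytes actually received, independent of SIZE=.
        size = attrs.get("size", "")
        if size.isdigit() and int(size) > limit:
            return "REJECT message size %s exceeds limit %d" % (size, limit)
        return "DUNNO"
    if state == "MAIL":
        # Advisory: reject early only on the client's own claim; a low or
        # missing claim is re-checked against the real size at END-OF-MESSAGE.
        declared = announced_size(attrs)
        if declared is not None and declared > limit:
            return "REJECT declared size %d exceeds limit %d" % (declared, limit)
        return "DUNNO"
    return "DUNNO"
```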
On Mon, May 12, 2008 at 2:44 PM, Victor Duchovni
<[hidden email]> wrote:
>
> SIZE is widely implemented, and most legitimate mail servers will send a
> reasonably accurate SIZE at MAIL FROM. You can't trust this SIZE value,
> but you can expect it to be more often correct than not.

I'm seriously considering the protocol used by a client as an indicator of spam. I'm trying to be more selective when greylisting, so if a client is using ESMTP and is not listed on a blacklist there is a good chance that the message is legit.

I randomly looked at some spam messages of a gmail account and all of them were delivered using SMTP and not ESMTP.

Miguel
In reply to this post by Miguel Di Ciurcio Filho-2
>I'm seriously considering the protocol used by a client as an
>indicator of spam. I'm trying to be more selective when greylisting,
>so if a client is using ESMTP and is not listed on a blacklist there
>is a good chance that the message is legit.
>
>I randomly looked at some spam messages of a gmail account and all of
>them were delivered using SMTP and not ESMTP.

Really bad idea. Spammers may move to ESMTP at any time, thus nullifying the benefit, and by labeling SMTP transactions as spam, you effectively blacklist legitimate senders.

Is SMTP officially deprecated?
HAKNER J wrote:
>> I'm seriously considering the protocol used by a client as an
>> indicator of spam. I'm trying to be more selective when greylisting,
>> so if a client is using ESMTP and is not listed on a blacklist there
>> is a good chance that the message is legit.
>>
>> I randomly looked at some spam messages of a gmail account and all of
>> them were delivered using SMTP and not ESMTP.
>>
>
> Really bad idea. Spammers may move to ESMTP at any time, thus nullifying
> the benefit,

My understanding is that this is a heuristic.

> and by labeling SMTP transactions as spam, you effectively
> blacklist legitimate senders.
>

He doesn't want to blacklist. He wants to be more "selective when greylisting".

> Is SMTP officially deprecated?
>

In practice, you shouldn't see a lot of "old smtp" transactions from real MTAs.