Curtis Maurand | 4 Feb 06:09

Re: New types of Trojans coming

R A Lichtensteiger wrote:

>Curtis Maurand wrote:
>
>{Edited to fix top posting}
>
><> R A Lichtensteiger wrote:
><>
><> >There are a number of fixes, of course:
><> >
><> > 1a. Separate your outgoing relays from your inbound MX hosts.
><> >     Some of the trojans do a PTR lookup on their address, then
><> >     an MX query on the forward zone.
><> > 1b. Configure your MX hosts to not accept mail from INSIDE your
><> >     network and configure your outbound relays to not accept mail
><> >     from OUTSIDE your network.
>
><> The problem with 1a and 1b is that some networks won't accept mail from 
><> non mx hosts.
>
>Curtis,
>
>Are you referring to SPF or to the silliness that Verizon has
>implemented? Or something else entirely?
>
>SPF isn't constrained to MXes; you can "announce" any host as a valid
>mail relay for your domain.
>
>Verizon's probe back at the MX to see if the username is valid is a
>pimple on the ass of the Internet for sure, but the back query would
>still work in the above case.
>
>If something else, can you cite? I'm ignorant about who might have
>implemented what ...
>
>Reto  (Errm ... perhaps off list as we're straying ...)
>  
>
I get the following from both bellsouth and verizon.

Feb  3 18:33:42 [postfix/smtp] 1F09C203B9A: to=<ALN <at> SKYPOINT.COM>, relay=minuet.skypoint.net[199.86.32.2], delay=52414, status=deferred (host minuet.skypoint.net[199.86.32.2] said: 451 4.1.8 Domain of sender address apache <at> orion.xyonet.com does not resolve (in reply to RCPT TO command))
Feb  3 18:33:42 [postfix/smtp] C4961203EA8: to=<GARDENELF <at> VERIZON.NET>, relay=relay.VERIZON.NET[206.46.170.12], delay=167144, status=deferred (host relay.VERIZON.NET[206.46.170.12] said: 450 Unable to find orion.xyonet.com (in reply to RCPT TO command))

Both of those messages are the results from an e-commerce system. Both 
are sent from a machine that posts via "/usr/sbin/sendmail -t" 
instead of making a connection. The relevant section on the source 
address of the email:

;; QUESTION SECTION:
;141.141.49.69.in-addr.arpa.    IN      PTR

;; ANSWER SECTION:
141.141.49.69.in-addr.arpa. 10800 IN    PTR     orion.xyonet.com.

So you see, mail confirmations of the users' orders get rejected. I'm 
really not keen on making that host forward mail to the real mail host.

Curtis
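
The two deferral lines above are the kind of thing a mail admin ends up grepping for by hand. Below is an added example (my own code, not part of this thread and not Postfix's) that parses Postfix smtp client log lines in the format shown, picks out the deferrals where the remote MTA is objecting to the envelope sender's domain (the RFC 3463 X.1.8 enhanced code, or the two reply wordings seen here), and then repeats the check the remote side is doing, namely whether that domain has an MX or address record. The third log line, the `FAKE_DNS` table and `fake_lookup` are constructed stand-ins so it runs offline; in practice you would swap in a real resolver.

```python
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

# Constructed sample log: the two deferred lines from the message above
# (unwrapped, with Gmane's " <at> " replaced by "@") plus one successful
# delivery so the filter has something to ignore.
SAMPLE_LOG = """\
Feb  3 18:33:42 [postfix/smtp] 1F09C203B9A: to=<ALN@SKYPOINT.COM>, relay=minuet.skypoint.net[199.86.32.2], delay=52414, status=deferred (host minuet.skypoint.net[199.86.32.2] said: 451 4.1.8 Domain of sender address apache@orion.xyonet.com does not resolve (in reply to RCPT TO command))
Feb  3 18:33:42 [postfix/smtp] C4961203EA8: to=<GARDENELF@VERIZON.NET>, relay=relay.VERIZON.NET[206.46.170.12], delay=167144, status=deferred (host relay.VERIZON.NET[206.46.170.12] said: 450 Unable to find orion.xyonet.com (in reply to RCPT TO command))
Feb  3 18:40:01 [postfix/smtp] 7B2C1203F00: to=<someone@example.net>, relay=mx.example.net[192.0.2.10], delay=3, status=sent (250 2.0.0 OK queued as ABC123)
"""

# One Postfix smtp(8) client line in the layout the message shows (no
# hostname between the timestamp and the program name).
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \[postfix/smtp\] "
    r"(?P<qid>[0-9A-F]+): to=<(?P<rcpt>[^>]+)>, relay=(?P<relay>\S+), "
    r"delay=(?P<delay>\d+), status=(?P<status>\w+) \((?P<detail>.*)\)$"
)
# Inside the detail: "host X said: 451 4.1.8 text (in reply to RCPT TO command)".
# The enhanced status code (RFC 3463) is optional; Verizon's 450 carries none.
REPLY_RE = re.compile(
    r"said: (?P<code>\d{3}) (?:(?P<esc>\d\.\d+\.\d+) )?(?P<text>.*?) "
    r"\(in reply to (?P<cmd>.+?) command\)$"
)
# Wording used by the two remote MTAs in the log when the envelope sender's
# domain has no forward DNS; the domain is captured for the resolver check.
DOMAIN_RES = [
    re.compile(r"Domain of sender address \S+@(?P<domain>[\w.-]+) does not resolve", re.I),
    re.compile(r"Unable to find (?P<domain>[\w.-]+)", re.I),
]


@dataclass
class Deferral:
    qid: str
    relay: str
    code: str
    esc: Optional[str]
    text: str
    sender_domain: Optional[str]


def parse_deferrals(log_text: str) -> List[Deferral]:
    """Return one Deferral per status=deferred line that carries a remote reply."""
    out: List[Deferral] = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["status"] != "deferred":
            continue
        r = REPLY_RE.search(m["detail"])
        if not r:
            continue
        domain = None
        for pat in DOMAIN_RES:
            d = pat.search(r["text"])
            if d:
                domain = d["domain"].lower()
                break
        out.append(Deferral(m["qid"], m["relay"], r["code"], r["esc"], r["text"], domain))
    return out


def is_sender_domain_reject(d: Deferral) -> bool:
    """True when the remote side is objecting to the sender's domain: either an
    X.1.8 enhanced code ("bad sender's system address", RFC 3463) or a reply
    text we recognised and pulled a domain out of."""
    return (d.esc is not None and d.esc.endswith(".1.8")) or d.sender_domain is not None


Lookup = Callable[[str, str], List[str]]

# Constructed DNS table standing in for a real resolver: the e-commerce host
# has a PTR (as the dig output in the message shows) but no forward MX/A
# record, which is exactly what the remote MTAs are complaining about.
FAKE_DNS: Dict[Tuple[str, str], List[str]] = {
    ("141.141.49.69.in-addr.arpa", "PTR"): ["orion.xyonet.com."],
    ("example.net", "MX"): ["10 mx.example.net."],
    ("mx.example.net", "A"): ["192.0.2.10"],
}


def fake_lookup(name: str, rrtype: str) -> List[str]:
    """Hypothetical resolver; replace with a real DNS query in production."""
    return FAKE_DNS.get((name.lower().rstrip("."), rrtype), [])


def sender_domain_accepted(domain: str, lookup: Lookup = fake_lookup) -> bool:
    """The test a receiving MTA applies (Postfix calls it
    reject_unknown_sender_domain): the MAIL FROM domain needs an MX record
    or an address record."""
    return any(lookup(domain, t) for t in ("MX", "A", "AAAA"))


def triage(log_text: str, lookup: Lookup = fake_lookup) -> List[dict]:
    """Deferred deliveries caused by the sender domain, each with a local
    confirmation of whether that domain resolves from here."""
    rows = []
    for d in parse_deferrals(log_text):
        if not is_sender_domain_reject(d):
            continue
        rows.append({
            "qid": d.qid,
            "relay": d.relay,
            "reply": f"{d.code} {d.esc or ''}".strip(),
            "sender_domain": d.sender_domain,
            "resolves_here": (sender_domain_accepted(d.sender_domain, lookup)
                              if d.sender_domain else None),
        })
    return rows


if __name__ == "__main__":
    for row in triage(SAMPLE_LOG):
        print(row)
```

Run as-is it reports both queue ids with `resolves_here` False, which is the local confirmation that the remote MTAs are right about `orion.xyonet.com`; a `resolves_here` of True against a live resolver would instead point at a problem on the remote side or a stale cache.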
