Re: [SLUG] Does this open relay test look reasonable?

From: R P Herrold (herrold@owlriver.com)
Date: Fri Nov 22 2002 - 11:02:59 EST


On Fri, 22 Nov 2002, Greg Schmidt wrote:

> RoadRunner hits my server with this open relay test. It looks extensive,
> but I'm not sure what all of these tests are checking. Other places have
> much shorter tests.

A couple observations:

1. Just because a host _says_ it is someone in the HELO does
not mean that it is -- what IP were the probes coming from,
and do they match 'security.rr.com' in reverse DNS?

2. The tests are variant forms of legal addressing under some
(relatively) obscure MTA setups, either legal under RFC 2821,
or an observed form, predating that RFC.

3. What does 'reasonable' have to do with it? Few tests are
not the sign of an effective test; comprehensive tests
addressing the vulnerabilities being exploited are. The
source code for the DSBL testing engine is GPL'd and available
at: http://www.dsbl.org/ -- a new test for a new variant open
proxy was added just a couple days ago. It makes interesting
reading.

-- Russ Herrold
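An added example, not code from the thread, from RoadRunner or from DSBL: the two checks raised above, in Python. `classify_rcpt` unwraps the addressing forms an open-relay probe sends in RCPT TO (RFC 2821 source routes, quoted or doubled `@` local parts, the `%` hack, bang paths) and reports whether accepting the address would mean relaying for a foreign domain; `fcrdns_matches` does the forward-confirmed reverse-DNS check that a HELO string alone cannot give you. The local domain `example.com`, the probe IPs and the PTR/A answers are constructed for the demo, the resolver is injected so it runs offline, and the order in which `%` and `!` are unwrapped is this example's choice (MTAs differ on it).

```python
import ipaddress
from typing import Callable, Iterable, List, Tuple

# Assumption for the demo: the only domain this MTA delivers locally.
LOCAL_DOMAINS = {"example.com"}


def _strip_brackets(addr: str) -> str:
    addr = addr.strip()
    return addr[1:-1] if addr.startswith("<") and addr.endswith(">") else addr


def _strip_source_route(addr: str) -> str:
    # RFC 2821 3.6: a receiver strips the route ("@a,@b:") and acts on the
    # final mailbox, so "<@us:user@victim>" is really a RCPT TO for victim.
    if addr.startswith("@") and ":" in addr:
        addr = addr.split(":", 1)[1]
    return addr


def classify_rcpt(address: str,
                  local_domains: Iterable[str] = LOCAL_DOMAINS) -> Tuple[str, str]:
    """("local", mailbox) if final delivery is to us, else ("relay", domain)."""
    local = {d.lower() for d in local_domains}
    addr = _strip_source_route(_strip_brackets(address))

    # Forms nest ("user%a"@us), so keep unwrapping until nothing changes.
    while True:
        if "@" in addr:
            localpart, domain = addr.rsplit("@", 1)
        else:                      # no domain: defaults to our (first) domain
            localpart, domain = addr, next(iter(local))
        domain = domain.lower()
        if domain not in local:
            return "relay", domain
        # Quoted local part: "user@victim"@us  ->  user@victim
        if len(localpart) >= 2 and localpart[0] == '"' and localpart[-1] == '"':
            addr = localpart[1:-1]
            continue
        # Bare doubled @: user@victim@us  ->  user@victim
        if "@" in localpart:
            addr = localpart
            continue
        # Percent hack: user%victim@us  ->  user@victim (last % wins)
        if "%" in localpart:
            user, _, host = localpart.rpartition("%")
            addr = f"{user}@{host}"
            continue
        # Bang path: victim!user@us  ->  user@victim (first ! wins)
        if "!" in localpart:
            host, _, user = localpart.partition("!")
            addr = f"{user}@{host}"
            continue
        return "local", f"{localpart}@{domain}"


def fcrdns_matches(ip: str, expected_domain: str,
                   ptr_lookup: Callable[[str], List[str]],
                   a_lookup: Callable[[str], List[str]]) -> bool:
    """Forward-confirmed reverse DNS: some PTR name of `ip` must lie under
    `expected_domain` AND resolve forward to `ip` again."""
    ipaddress.ip_address(ip)                     # reject garbage before lookups
    want = expected_domain.lower().rstrip(".")
    for name in ptr_lookup(ip):
        name = name.lower().rstrip(".")
        if name != want and not name.endswith("." + want):
            continue
        if ip in a_lookup(name):
            return True
    return False


# Constructed DNS data for the demo (not real answers). 192.0.2.66 has a PTR
# that *claims* security.rr.com but no A record confirms it.
_PTR = {"192.0.2.10": ["probe.security.rr.com."],
        "192.0.2.66": ["probe.security.rr.com."]}
_A = {"probe.security.rr.com": ["192.0.2.10"]}


def demo_ptr(ip: str) -> List[str]:
    return _PTR.get(ip, [])


def demo_a(name: str) -> List[str]:
    return _A.get(name, [])


if __name__ == "__main__":
    probes = ["<user@example.com>", "<user@victim.example>",
              "<user%victim.example@example.com>", "<victim.example!user@example.com>",
              '<"user@victim.example"@example.com>', "<@example.com:user@victim.example>",
              "<user@victim.example@example.com>", "<victim.example!user>"]
    for p in probes:
        print(f"{p:45} -> {classify_rcpt(p)}")
    for ip in ("192.0.2.10", "192.0.2.66"):
        print(ip, "FCrDNS security.rr.com:", fcrdns_matches(ip, "security.rr.com", demo_ptr, demo_a))
```

Only the plain `user@example.com` probe is local delivery; every other form in the list resolves to `victim.example`, which is what the probe is testing for. An MTA that answers 250 to any of those without first authenticating the sender is the open relay the test is looking for.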



This archive was generated by hypermail 2.1.3 : Fri Aug 01 2014 - 20:06:12 EDT