>Can anyone see a reason to not use firewall techniques to refuse
>a connection to port 25 from specific systems or domains? By refusing
>connection to a known email transit point, email can be denied
>without ever receiving it to examine it. This of course does nothing
>to the good domain with one bad user. I use a piece of software
>called TCPD which refuses connection to any host in a hosts.deny
>file for services.

We use tcp_wrappers and run sendmail (actually smail-3.?) behind the
wrappers. This does allow blocking e-mail from specific hosts or
domains, but probably won't do any good if there are alternate paths
via MX records. If the incoming smtp process sees that it can't
connect it may go up the MX chain until it finds a site that doesn't
block it then that site will forward to our mailer.
It would probably work better to use something like deliver or
procmail to parse the message header or body for identifiable cruft
and reject the messages appropriately. Header checking would be of
limited value because it's too easy to forge headers. Parsing the
bodies of the messages could probably be done, but it would require a
pretty smart program to figure out what to keep and what to dump.

INTERNET: bill @
COM Bill Campbell; Celestial Systems, Inc.
UUCP: camco!bill PO Box 820; 2835 82nd Avenue S.E. S-100
FAX: (206) 232-9186 Mercer Island, WA 98040-0820; (206) 236-1676
Government spending? I don't know what it's all about. I don't know
any more about this thing than an economist does, and, God knows, he
doesn't know much.
-- Will Rogers
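An added example, not part of the original thread, of the header check the reply suggests doing with deliver or procmail, written in Python. It walks the Received: headers top-down but only trusts hops written by our own servers, so a sender that was refused at the primary and came in through the backup MX (the MX-chain caveat above) is still identified, while everything below the first outside hop is treated as forgeable. The host names, the deny list and the sample message are constructed for illustration.

```python
import email
import re

OUR_MTAS = {"mail.example.com", "mx2.example.com"}  # assumed: primary and backup MX
DENY_HOSTS = {"spamrelay.example.net"}             # assumed deny list

# Each hop prepends a "Received: from X ... by Y" header, so the top one is ours.
RECEIVED_RE = re.compile(r"\bfrom\s+([\w.-]+).*?\bby\s+([\w.-]+)", re.S)

def entry_host(raw_message):
    """Return the first outside host that handed the message to one of our
    servers, walking Received: headers top-down through hops our own MTAs
    wrote. Headers below that point could have been forged by anyone, so
    the walk stops there. Returns None if no trusted hop is found."""
    msg = email.message_from_string(raw_message)
    for hdr in msg.get_all("Received", []):
        m = RECEIVED_RE.search(hdr)
        if not m:
            return None
        src, dst = m.group(1).lower(), m.group(2).lower()
        if dst not in OUR_MTAS:
            return None          # a hop we did not write: stop trusting
        if src not in OUR_MTAS:
            return src           # first host outside our own servers
    return None

def should_reject(raw_message):
    """Reject only on the hop we can vouch for, not on a forgeable From:."""
    return entry_host(raw_message) in DENY_HOSTS

# Constructed sample: the sender was refused at mail.example.com, fell back to
# the backup MX mx2.example.com, which relayed to us; From: is forged.
VIA_BACKUP_MX = """Received: from mx2.example.com (mx2.example.com [192.0.2.2])
\tby mail.example.com with SMTP; Tue, 12 Mar 1996 10:00:02 -0800
Received: from spamrelay.example.net (spamrelay.example.net [192.0.2.10])
\tby mx2.example.com with SMTP; Tue, 12 Mar 1996 10:00:00 -0800
Received: from forged.example.org by spamrelay.example.net with SMTP
From: friend@trusted.example.org
Subject: hello

body
"""

if __name__ == "__main__":
    print(entry_host(VIA_BACKUP_MX), should_reject(VIA_BACKUP_MX))
```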