Open Relay Checker before Opening MTA

Alex Satrapa grail at goldweb.com.au
Sun Feb 10 10:22:40 EST 2002 

On Sunday, February 10, 2002, at 07:41 , Howard Lowndes wrote:

> It founds neat, but I agree about the scaleability issue.

Where do the scalability issues come from?  I'm just "thinking out 
loud" - so I expect to answer my own question, but here's my thinking so 
others can check.

There are only ever two machines involved in the immediate transaction, 
so at worst you will double the load on your mail server.  The other end 
is either going to be getting one more transaction that its normal load 
(the OR test which will fail), or two more transactions than it's 
currently abused open-relay mode load (the OR test which works and the 
OR status notification).

Spam usually comes from mail servers you've never spoken to before.  The 
worst case scenario here is that you're going to be testing every MTA in 
the world.

Hmm.  I would call that a minor scalability issue ;)

Perhaps rather than maintaining a white list and black list, you use the 
MTA OR test as a supplement to an externally maintained black list.  If 
a machine is not black listed on ORBZ or whatever is going these days, 
then do the test.  If the machine passes, add it to a local white list 
which is time-limited.  Don't re-test unless the machine has fallen off 
your local white list.

So the process becomes:
1. Check remote MTA against public black list
      listed: end transaction
      unlisted: continue
2. Check remote MTA against local white list
      listed: continue
      unlisted:
        1. Perform OR test
             doesn't work:
               1. add to local white list
               2. continue transaction
             works:
               1. notify public black list
               2. end transaction
3. Transaction continues...


This way, you're only storing your white list.  The worst case scenario 
here is that you keep a white list of all the MTAs in the world (in the 
unlikely scenario that all the nominated System Administrators in the 
world get a clue and fix their systems) for a short time.

You don't waste space storing your own black list.  Then again, if you 
get repeated transactions from a known-by-spammers but not known-by-ORBZ 
OR MTA, you're going to repeat the OR test.

You also don't waste bandwidth (however small) continually checking 
white-listed MTAs.

So if you are going to do a OR-test and store a local "black list", you 
would end up with Neil's original system as far as remote MTA 
connections are concerned:

1. Check remote MTA against public black list
      listed:
        1. Check remote MTA against local black list
             listed:  remove from local black list (a)
        2. end transaction
      unlisted:
        1. Check remote MTA against local black list
             listed: end transaction (b)
             unlisted: continue transaction
2. Check remote MTA against local white list
      listed: continue
      unlisted:
        1. Perform OR test
             doesn't work:
               1. add to local white list
               2. continue transaction
             works:
               1. notify public black list
               2. notify remote MTA administrator, domain postmaster, etc
               3. add to local black list (c)
               4. end transaction
3. Transaction continues...

The points marked (a), (b) and (c) are where you'd be able to instrument 
the system to collect information like mean-time-between-spams (mean of 
(c.time - b.time)) and mean-time-to-public-blacklist (mean of (c.time - 
a.time)).

I would make the local black and white lists time limited. Rather than 
automatically retesting, I would leave retesting until the remote MTA 
tries to connect again.

Entries on the white list are time limited, and are never "refreshed".  
They have a limited life time, then expire.  Regardless of how many 
times a white-list MTA connects during its white-listed period, it will 
still be retested after a certain time.

Entires on the black list are refreshed every time they are successfully 
used.  They are only removed if no connections have been attempted by 
that MTA for some time, or if the blacklist entry has made it to the 
public black list.  As far as black list TTL goes, I would expect that 
the time would be something more than mean-time-between-spams as 
mentioned earlier, but not much more than mean-time-to-public-blacklist 
as mentioned earlier.

Questions that I can think of now are:
1) how long do you wait to figure out that the OR test has detected an 
open relay?
2) Is OR status confirmed by the remote MTA accepting your illegitimate 
message, or only by the remote MTA actually delivering your illegitimate 
message?
3) How long do you keep entries on the white list?

Alex

More information about the linux mailing list