Jump to content
Sign in to follow this  
lawless

MailHosts: How does it stop forged Received:

Recommended Posts

I've just successfully configured one of my accounts for Mailhosts.

What I see seems like something I've asked for and apparently many

others have as well: A way to white-list the inbound mail relays.

What I don't understand is how Mailhosts will help SC detect

forged Received: headers from implicating innocent relays.

Here's the passage from the first configuration page:

Why? This is being done because of ongoing problems - spammers have finally begun doing what we have known they could do all along - create really convincing mail header forgeries. These forgeries make SpamCop think spam is being sent from innocent sites where it is actually not. Clearly, this must be stopped. Currently, only a few spam forgeries cause serious problems for SpamCop, but if this problem is not solved, it will become much worse. Even now, a few mis-identified innocent sites are a big problem. This system promises to eliminate the forgery problem forever, while also avoiding problems caused by other less-drastic attempts to mitigate the forgeries. However, it does require more involvement from SpamCop users.

So how will the new approach prevent the first Received: header

past the trusted chain from being a convincing forgery that

implicates an innocent IP address?

Share this post


Link to post
Share on other sites

...Attn: Moderators -- please consider merging this into Mailhost system beta testing, since that is where Julian has asked that we

<snip> followup here with your thoughts and/or problems.
. Edited by turetzsr

Share this post


Link to post
Share on other sites

In general, mailhosts stuff needs to be posted over in the other forum. I'll answer this here, though.

The idea is that SpamCop will learn (actually, be taught) the chain of legitimate servers through which your email travels. And, it will assume that anything outside that chain is the source, or at least culpable.

So, let's say you have an earthlink address that forwards to SpamCop. Previously, a spammer could forge something like this:

spamcop receives from earthlink

earthlink receives from comcast cable modem

comcast cable modem receives from random IP address (this line is forged)

If they did the forgery right and the comcast cable modem wasn't already on another blacklist and a few other things, then SpamCop would accept the whole thing and blame the innocent, forged IP. This was really happening in some cases. It's not just theoretical and reports were (are) being sent to the wrong place.

Now, SpamCop knows that you receive mail through earthlink. So, whatever mail host sends the mail to earthlink is considered the source. The forgery above doesn't work.

This has several benefits that I see:

  • It eliminates forgeries like above
  • We will tend more to report relays (open relays, open proxies) more than the source now. This is beneficial because the relays are probably harder to find than new source IP's. Also, for people who use the SpamCop BL on their mail server, the relay is the machine connecting, not the source IP.
  • This is close to the "IP whitelist" that people have wanted for reporting. As part of this whole system, there should be way fewer cases of reporting your own mail host. DNS doesn't matter as much and we will already know that your mail host is innocent.

I know it's a hassle to set up. But, it's just done once and hopefully improves accuracy across the board. I will say that Julian's committed to this new system or one that looks just like it. It may just be beta-quality now, but it's definitely here to stay.

JT

Share this post


Link to post
Share on other sites

Thanks for the reply JT. I've got it now. Also my mailhosts

config is all setup and working fine now.

Sorry I posted in the wrong place--I zipped past the "pinned"

topics since they're usually old news. I'm finding the new

web-forum a bit difficult. Liked NNTP much better. Could a the

topics display be made much denser? There's much-too-much

whitespace here.

Share this post


Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
Sign in to follow this  

×