Hello Michael,

>I have recently implemented SET REJECT-BY-DEFAULT TRUE for SMTP with
>accept-net set to our local subnet and a couple of off-site locations.
>
>I have an MX record set up in DNS to point to an anti-spam/anti-virus
>appliance and I want all incoming mail to pass through the appliance
>before hitting the VMS box. The MX record has been set for months.
>
>I've been looking at the smtp connection log and I'm beginning to wonder
>if I've made a mistake. I'm getting a lot of rejections, some of which
>don't look like your typical evil site.


One thing I learned early on about spam and virus-infected PCs is that they
will target anything. Some of them will use MX records and some of them will
follow all MX records until they hit a machine which won't reject the
message. Pretty well all of them will target A records and any IP address that
is known to have an SMTP server running.

The upside of this is that if you're getting mail from outside your
environment which has come directly to your host rather than through your MX
relay, you can pretty safely assume it's spam/virus mail.

>So, the question is this: Is there some SMTP netiquette/RFC that I've
>violated by rejecting sites that don't honor the MX record and am I
>therefore losing legitimate email?


I don't believe so.

>Below is the output from a perl script I wrote to do a simple analysis
>of the log file--which sites have been rejected the most. In descending
>order are the ip address, domain name if available and number of
>connection attempts for the top 40 rejected sites. These are the real IP
>addresses, not what the sender is claiming.


The source IP addresses are only half the story. You really need to see the
message content, which means relaxing your REJECT-BY-DEFAULT for a while.
Enabling debug in the SMTP symbiont will show you the envelope headers but
that might not be enough. If you really want to satisfy yourself that these
messages are garbage, you could run:

$ mu tcpdump/write=smtp.log/snap=1600 port 25 and not src net

(You might have to play with the 'and not src ...' bit to get the filtering
just right.) This will create a binary-format SMTP.LOG file containing your
incoming SMTP traffic, which you can then read using MU TCPDUMP/READ=SMTP.LOG.
Let it run for "a while" (depends on disk space and traffic volume I guess)
then see if you're getting any valid mail. I doubt you will be.

>$ pipe type multinet:smtp_server.log | perl [.mf]reject.pl


>Top 40 Rejected SMTP Sites


> Total number of unique Rejected SMTP Sites: 1495


>Number of SMTP attempts overall: 12349 Rejects: 3389 (27.4%)


>Thanks,


>Michael Fleming
>CSU, Bakersfield



Regards,

Jeremy Begg

VSM Software Services Pty. Ltd.
http://www.vsm.com.au/
"OpenVMS Systems Management & Programming"
P.O.Box 402, Walkerville, South Australia 5081
E-Mail: jeremy@vsm.com.au
Phone: +61 8 8221 5188
Mobile: 0414 422 947
FAX: +61 8 8221 7199
A.C.N. 068 409 156
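Added example, not from this thread or from MultiNet: a Python version of the kind of log analysis Michael's perl script does (rejections per source IP, overall reject rate), plus a check that shows which currently-rejected sources a proposed ACCEPT-NET list would admit before you relax REJECT-BY-DEFAULT. The log line format and all addresses below are constructed for the example; the real SMTP_SERVER.LOG layout is not shown in the thread.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample connection-log lines. The format is assumed for this
# example; MultiNet's real SMTP_SERVER.LOG layout is not shown in the thread.
SAMPLE_LOG = """\
12-MAR 10:01:02 Connection from 192.168.10.5 accepted
12-MAR 10:01:09 Connection from 198.51.100.7 rejected (not in ACCEPT-NET)
12-MAR 10:02:15 Connection from 203.0.113.44 rejected (not in ACCEPT-NET)
12-MAR 10:02:40 Connection from 198.51.100.7 rejected (not in ACCEPT-NET)
12-MAR 10:03:01 Connection from 192.168.10.9 accepted
12-MAR 10:03:30 Connection from 10.20.0.8 accepted
12-MAR 10:04:12 Connection from 198.51.100.7 rejected (not in ACCEPT-NET)
"""

LINE_RE = re.compile(r"Connection from (\S+) (accepted|rejected)")

def summarise(log_text, top_n=40):
    """Count connections and rejections per source IP.

    Returns (total, rejects, reject_pct, top) where top is a list of
    (ip, count) pairs in descending order, like the perl script's output.
    """
    total = 0
    rejects = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue            # skip lines that are not connection records
        total += 1
        ip, verdict = m.groups()
        if verdict == "rejected":
            rejects[ip] += 1
    n_rej = sum(rejects.values())
    pct = round(100.0 * n_rej / total, 1) if total else 0.0
    return total, n_rej, pct, rejects.most_common(top_n)

def would_accept(log_text, accept_nets):
    """Rejected sources that a proposed ACCEPT-NET list would let through.

    accept_nets is a list of CIDR strings (hypothetical values, not the
    poster's real configuration). Run this before relaxing REJECT-BY-DEFAULT
    so you see exactly which currently-rejected hosts the change would admit.
    """
    nets = [ipaddress.ip_network(n) for n in accept_nets]
    _, _, _, top = summarise(log_text)
    return sorted(ip for ip, _ in top
                  if any(ipaddress.ip_address(ip) in net for net in nets))
```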