2010/02/21

New antispam features in Sendmail 8.14.0 and above

I have not paid attention to some important new antispam features offered by Sendmail in version 8.14.0 and above. They are:

FEATURE(`require_rdns')

This is to reject messages from SMTP clients whose IP address does not have proper reverse DNS.

FEATURE(`block_bad_helo')

This is to reject messages from SMTP clients which provide a HELO/EHLO argument which is either unqualified, or is one of our own names (i.e., the server name instead of the client name).

FEATURE(`badmx')

This is to reject envelope sender addresses (MAIL) whose domain part resolves to a "bad" MX record.

I recommend that all network administrators who manage Sendmail enable these antispam features.
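As an added illustration of what the first two features actually test (my own Python, not code from the Sendmail sources), the checks below classify a connecting client the way sendmail's ${client_resolve} values do (OK, FORGED, FAIL, TEMP; require_rdns rejects FAIL and FORGED) and flag a HELO/EHLO argument that is unqualified or one of our own names. The DNS tables are constructed so it runs offline; treating a bracketed address literal as qualified is this example's assumption.

```python
import socket
from typing import Callable, Iterable, Optional

def classify_client(ip: str, ptr_lookup: Callable[[str], Optional[str]],
                    fwd_lookup: Callable[[str], Iterable[str]]) -> str:
    """Forward-confirmed reverse DNS, as require_rdns needs it:
    OK     = PTR exists and a forward lookup of that name returns the client IP
    FORGED = PTR exists but does not point back to the client IP
    FAIL   = no PTR record at all
    TEMP   = resolver error (sendmail defers with a 4xx instead of rejecting)"""
    try:
        name = ptr_lookup(ip)
        if name is None:
            return "FAIL"
        return "OK" if ip in set(fwd_lookup(name)) else "FORGED"
    except OSError:
        return "TEMP"

def helo_is_bad(helo_arg: str, our_names: Iterable[str]) -> bool:
    """block_bad_helo: reject an unqualified name (no dot) or one of our own names."""
    arg = helo_arg.strip().lower()
    if arg.startswith("[") and arg.endswith("]"):
        return False          # address literal, e.g. [192.0.2.10] (assumption: left to other checks)
    if "." not in arg:
        return True           # unqualified, e.g. "localhost" or "pc1"
    return arg in {n.lower() for n in our_names}

# Constructed DNS data standing in for real lookups (documentation addresses, not real hosts).
PTR_TABLE = {"192.0.2.10": "mail.example.com", "192.0.2.20": "mx.example.net",
             "192.0.2.40": None}                      # None = no PTR record
A_TABLE = {"mail.example.com": ["192.0.2.10"], "mx.example.net": ["198.51.100.5"]}

def stub_ptr(ip: str) -> Optional[str]:
    if ip == "192.0.2.30":
        raise OSError("SERVFAIL")                     # simulated temporary DNS failure
    return PTR_TABLE.get(ip)

def stub_fwd(name: str) -> Iterable[str]:
    return A_TABLE.get(name, [])

# Live resolver helpers for use on a real server (not exercised by the offline demo).
def live_ptr(ip: str) -> Optional[str]:
    try:
        return socket.gethostbyaddr(ip)[0]
    except socket.herror:                             # no PTR record
        return None

def live_fwd(name: str) -> Iterable[str]:
    try:
        return {info[4][0] for info in socket.getaddrinfo(name, None)}
    except socket.gaierror:                           # NXDOMAIN and SERVFAIL are not distinguished here
        return []

def demo() -> dict:
    return {ip: classify_client(ip, stub_ptr, stub_fwd)
            for ip in ("192.0.2.10", "192.0.2.20", "192.0.2.30", "192.0.2.40")}
```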

2010/02/18

Resolver and recursive validator

I need to remind myself that the term "resolver" can no longer be used once DNSSEC is rolled out on a global scale. All DNS servers that perform lookups for clients shall be called "recursive validators". That is to say, a DNS server must ensure that all information it obtains about a domain is properly verified against the keys signed by the domain name owner.

2010/02/17

Bind upgrade failure due to yum

Today, I upgraded the Bind DNS package by way of "yum install bind". Afterwards, when I restarted the service using "service named restart", bind stopped running unexpectedly.

The cause of the failure was that yum only upgraded bind to bind-9.5.2-1.fc10.i386. However, bind-chroot, bind-libs and bind-utils stayed on the older version. This is a flaw network administrators never expect to see.

I had to do a "yum -y update bind bind-libs bind-utils bind-chroot". Afterwards, everything was back to normal.

I am sure a similar upgrade failure will come back to me at a later time.

2010/02/15

My past domain i3way.com on sale

I received the following email from a domain name reseller:

******** Extract ********
Date: Mon, 15 Feb 2010 13:04:39 +0000 (GMT)
From: John Timmers
To: "warren@bya.org.hk"
Subject: i3way.com

i3way.com is coming available for sale in a few days.

Since you own the domain i3way.net, we thought you'd be interested in i3way.com. If you do have interest in acquiring i3way.com, please fill up the priority notice form available here:

http://initrustnetwork.org/store/prioritynotice/a2aeb084-0ec5-4937-ad8e-ba264718442f

and we will contact you as soon as the domain is available for purchase.

We look forward to hearing back from you.

Kind regards,

John Timmers
InTrust Domains
11590 Black Forest Road
Colorado Springs, CO 80908-6000
=========

Actually, the domain i3way.com was owned by me from 2000 to 2006. I decided to give it up and use i3way.net instead due to the large amount of spam being sent to users of i3way.com. Coupled with the DNSBLs of Spamhaus and SpamCop, I have eliminated over 95% of spam emails.

Wooo... a bit of memory recall.

2010/02/12

NAT in 3G mobile networks

I would like to dedicate the picture below to 3G mobile operators that deploy NAT in their networks:



The picture tells just one part of the story: congestion due to the limited number of ports available on a NATed outgoing IP address. There are other harms, such as the lack of end-to-end security and the quick battery drain of mobile devices.

You think that 16 million private addresses in 10.0.0.0/8 (Class A, RFC1918) are large enough to serve all your subscribers. That's shit. Your subscribers deserve better quality of service.

Shame on you, 3G mobile operators !

2010/02/09

ip6tables to do bandwidth throttling

Now that I have an autoreply email facility on v6 by way of Postfix, I need to make sure this facility is not abused. Unlike Sendmail, Postfix does not provide parameters for bandwidth throttling. Hopefully, I can make use of ip6tables to limit the number of concurrent connections from one IPv6 address to 5. The following has been tested successfully:

#ip6tables -A INPUT -p tcp --syn --dport 25 -m connlimit --connlimit-above 5 -j REJECT

Once again, I witness the power of iptables and ip6tables.

2010/02/05

IPv6 email autoreply facility

In the past two days, I was busy setting up an autoreply facility for IPv6 email. My experience is that when system administrators set up their IPv6 SMTP servers, it is difficult for them to find IPv6-enabled mail servers for mail transaction tests. Even if they find some, how can they ask somebody to help with the test? What I try to do is set up an IPv6-only SMTP server and dedicate an email account with autoreply, so that other system administrators can perform IPv6 mail transactions without bothering to call me.

Luckily, I got the domain "v6-mail.com". Logically, the email account for the autoreply function is "autoreply@v6-mail.com". I continued to configure my DNS to handle the MX and AAAA records. Next, I installed Postfix on a dual-stack Linux server with 6to4 tunnelling and forced Postfix to listen on the IPv6 address only. Then came the most difficult task: how to enable the autoreply function for the user "autoreply". I used .forward and vacation, but the problem is that vacation only replies to a sender once within a day, and any subsequent email received from that sender will not be replied to. I recalled that flushing vacation.db clears all previously recorded senders, so I added a cron job to run "/usr/bin/vacation -I" every minute. This solved the problem and added an anti-spam feature as well: if a sender sends more than one request to "autoreply@v6-mail.com" for testing, only one autoreply message will be delivered within a minute.

All of these bundled together work up to my expectations. I am very glad that I have developed something helpful to the IPv6 community.

2010/02/01

Risk of Windows 6to4 IPv6 address

Some network administrators are considering launching their IPv6 websites using 6to4 addresses.

Windows Server 2003 auto-configures a 6to4 IPv6 address and the associated gateway. I would like to stress that there is a security concern in using the Windows default 6to4 IPv6 address. Take an example: for the IP address 202.81.1.1, the IPv6 address will become 2002:ca51:101::ca51:101. The 3rd to 6th octets exactly matching the 13th to 16th octets tells outsiders that this IPv6 address is assigned to a Windows server, and if it is running a web service, IIS is adopted. Hackers can initiate attacks targeted at Windows and IIS vulnerabilities.

Unfortunately, on Windows, network administrators have no way to change the automatic 6to4 address or to remove it permanently. For the example above, a work-around is to manually assign another 6to4 address within the range 2002:ca51:101::/48 to that interface and publish the AAAA record with the manually assigned IPv6 address. This way, things should work without giving outsiders a clue about what OS is behind it.
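To audit published AAAA records for this fingerprint, here is an added example (my own Python, not from the post) that derives the 6to4 /48 from an IPv4 address, recognises the Windows default pattern described above, and picks a replacement host address inside the same /48 as the work-around suggests; using a non-zero subnet id plus a random 64-bit interface id for the replacement is this example's assumption.

```python
import ipaddress
import secrets
from typing import Iterable, List

SIXTO4 = ipaddress.IPv6Network("2002::/16")      # RFC 3056 6to4 prefix

def sixto4_prefix(ipv4: str) -> ipaddress.IPv6Network:
    """The 2002:hhhh:hhhh::/48 allotted to one public IPv4 address."""
    v4 = int(ipaddress.IPv4Address(ipv4))
    return ipaddress.IPv6Network(((0x2002 << 112) | (v4 << 80), 48))

def windows_default_6to4(ipv4: str) -> str:
    """The address Windows auto-configures: the IPv4 bits repeated as the low
    32 bits, with the subnet id and the rest of the interface id all zero."""
    v4 = int(ipaddress.IPv4Address(ipv4))
    return str(ipaddress.IPv6Address((0x2002 << 112) | (v4 << 80) | v4))

def looks_like_windows_default(addr: str) -> bool:
    """True for a 6to4 address whose octets 3-6 equal octets 13-16 with only
    zero bits in between, i.e. the pattern that reveals a Windows host."""
    a = ipaddress.IPv6Address(addr)
    if a not in SIXTO4:
        return False
    n = int(a)
    embedded_v4 = (n >> 80) & 0xFFFFFFFF        # octets 3-6
    middle = (n >> 32) & ((1 << 48) - 1)        # octets 7-12
    return middle == 0 and (n & 0xFFFFFFFF) == embedded_v4

def audit_aaaa(records: Iterable[str]) -> List[str]:
    """Return the published addresses that carry the Windows default pattern."""
    return [r for r in records if looks_like_windows_default(r)]

def manual_6to4_host(ipv4: str, subnet_id: int = 1) -> str:
    """A replacement inside the same /48: a chosen subnet id and a random
    64-bit interface id, so the address says nothing about the OS behind it."""
    if not 0 < subnet_id < 0x10000:
        raise ValueError("subnet id must fit in 16 bits and be non-zero")
    base = int(sixto4_prefix(ipv4).network_address)
    iid = secrets.randbits(64) or 1
    return str(ipaddress.IPv6Address(base | (subnet_id << 64) | iid))

if __name__ == "__main__":
    print(windows_default_6to4("202.81.1.1"))   # the post's example address
    print(manual_6to4_host("202.81.1.1"))
```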