On Fri, 14 Dec 2007 19:09:09 PST, Nate Eckstine said:

> How is postmaster spam avoided? Occasionally we get these spam storms of
> 100-200 consecutive bad emails that are advertisements. They are sent to
> the postmasters as rejected emails. The firewall crew doesn't want to
> block them in case the IP address is spoofed.

Umm.. You have an overly paranoid firewall staff - it's *really* hard to spoof the IP address for a TCP connection, as long as the destination system does *any* sort of RFC1948 ISN randomization - and that RFC was written all the way back in the Stone Age of 1996.

1948 Defending Against Sequence Number Attacks. S. Bellovin. May 1996. (Format: TXT=13074 bytes) (Status: INFORMATIONAL)

Once upon a time, it *was* possible to blind-spoof a TCP connection with only 3 or 4 attempts to figure out the target machine's internal state. These days, even the *broken* systems take enough packets that your firewall guys would be yelling "Incoming SYN flood!!" - Michal Zalewski's work is the best attack I'm familiar with:

http://lcamtuf.coredump.cx/oldtcp/tcpseq.html - the state of the net in 2001
http://lcamtuf.coredump.cx/newtcp/ - a year later.

Note that in order to *start* the analysis, he takes some 50,000 ISN values - which implies that the target machine has been probed 50,000 times. And then he's looking at the chance that in 5,000 attempts *after* that, you'll get lucky. And you get to re-gather those 50,000 values for *each* target system.

Most likely, they're worried that they'll accidentally block an "important" internal system if somebody spoofs packets with that system as a source. Of course, anybody who does auto-blocking and doesn't whitelist things that would be Really Disastrously Bad if they got blocked *deserves* the results. ;)

On the other hand, it would do the Net a world of good if everybody did proper ingress/egress filtering - if it's got a source address in your IP space, it shouldn't be seen inbound on your exterior link, and if the source address isn't in your IP space, it shouldn't be outbound.

2827 Network Ingress Filtering: Defeating Denial of Service Attacks which employ IP Source Address Spoofing. P. Ferguson, D. Senie. May 2000. (Format: TXT=21258 bytes) (Obsoletes RFC2267) (Updated by RFC3704) (Also BCP0038) (Status: BEST CURRENT PRACTICE)

3704 Ingress Filtering for Multihomed Networks. F. Baker, P. Savola. March 2004. (Format: TXT=35942 bytes) (Updates RFC2827) (Also BCP0084) (Status: BEST CURRENT PRACTICE)
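The ingress/egress rule stated in the reply above (RFC 2827 / BCP 38) is simple enough to express as a small checker. The following is an added example, not code from the poster or from any of the RFCs it illustrates: it takes a list of announced prefixes (the sample prefixes, the packet records and the function names are all constructed for this example) and classifies each packet seen on the exterior link as legitimate, an inbound packet claiming one of our own addresses, or an outbound packet claiming an address we do not own. Such a check is what an edge router's uRPF or ACL configuration implements; here it is written out in Python so the two halves of the rule can be read and tested directly.

```python
"""
Added example: a BCP 38 ingress/egress source-address check.

The rule from RFC 2827: a packet arriving on the exterior link must not carry a
source address inside our own address space, and a packet leaving on that link
must carry a source address inside it. Everything below (prefixes, records,
names) is constructed for illustration, not taken from any real site.
"""
import ipaddress
from typing import Iterable, List, Tuple

# Assumed: the address space this site announces upstream (constructed,
# using the RFC 5737 / RFC 3849 documentation ranges).
LOCAL_PREFIXES = [
    ipaddress.ip_network("192.0.2.0/24"),
    ipaddress.ip_network("2001:db8::/32"),
]


def is_local(addr: str, prefixes=LOCAL_PREFIXES) -> bool:
    """True if addr lies inside any of the prefixes we announce."""
    ip = ipaddress.ip_address(addr)
    # Compare only against networks of the same IP version.
    return any(ip.version == net.version and ip in net for net in prefixes)


def classify(direction: str, src: str, prefixes=LOCAL_PREFIXES) -> str:
    """
    Apply the BCP 38 rule to one packet header.

    direction: "in" for a packet arriving on the exterior link,
               "out" for a packet leaving on it.
    Returns "accept", "drop-inbound-spoof" or "drop-outbound-spoof".
    """
    if direction not in ("in", "out"):
        raise ValueError(f"unknown direction {direction!r}")
    local = is_local(src, prefixes)
    if direction == "in" and local:
        # Our own addresses cannot legitimately arrive from outside.
        return "drop-inbound-spoof"
    if direction == "out" and not local:
        # We must not emit packets with a source we could not have originated.
        return "drop-outbound-spoof"
    return "accept"


def filter_records(records: Iterable[str], prefixes=LOCAL_PREFIXES) -> List[Tuple[str, str]]:
    """
    Run classify() over constructed 'direction src dst' records and return
    (record, verdict) pairs, so a batch of observed headers can be audited.
    """
    results = []
    for rec in records:
        direction, src, _dst = rec.split()
        results.append((rec, classify(direction, src, prefixes)))
    return results


def spoofed_count(records: Iterable[str], prefixes=LOCAL_PREFIXES) -> int:
    """Number of records the rule would drop."""
    return sum(1 for _, verdict in filter_records(records, prefixes) if verdict != "accept")


# Constructed sample: headers as a border device might log them.
SAMPLE_RECORDS = [
    "in  203.0.113.5   192.0.2.25",   # normal inbound mail delivery
    "in  192.0.2.7     192.0.2.25",   # inbound claiming our own space: spoofed
    "out 192.0.2.25    203.0.113.5",  # normal outbound reply
    "out 198.51.100.9  203.0.113.5",  # outbound with a foreign source: spoofed
    "out 2001:db8::1   2001:db8:1::9",  # our own v6 space leaving: fine
    "in  2001:db8::1   2001:db8::25",   # our own v6 space arriving: spoofed
]

if __name__ == "__main__":
    for rec, verdict in filter_records(SAMPLE_RECORDS):
        print(f"{verdict:22} {rec}")
    print("spoofed:", spoofed_count(SAMPLE_RECORDS))
```

Note that the inbound half of the rule is exactly what makes the original poster's worry moot for the postmaster bounces: a packet that claims an internal source but arrives on the exterior interface is dropped before any auto-blocking logic ever sees it, so whitelisting internal systems and filtering at the edge together remove the "what if it's spoofed" objection.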