• sap/smtp interaction - wcsmtp build 451.7

    From DAVE GOURD@1:124/5013 to All on Thu Jan 31 19:18:36 2019
    Date: Sat, 29 Apr 2006 10:52:06 -0400
    From: DAVE GOURD
    To: all
    Subject: sap/smtp interaction - wcsmtp build 451.7
    Newsgroups: win.server.smtp.&.avs
    Message-ID: <1146322326.46.0@winserver.com>
    X-Mailer: Wildcat! Interactive Net Server v7.0.454.5
    Lines: 211

    When wcsap rejects a msg, does smtp/WINS close the connection with the client, or can/is the cip/cdn/hdn allowed to continue to send data to smtp in the same connection/transaction session? Should that session end at the time it is rejected?

    The message was rejected for [I think] spoofing our domain (CIP/CDN mismatch - spoofed our domain) although the sap log result showed reject (0) but not reason 'HELO/EHLO mismatch' as set in the filter file, smtp code was 554.

    I had what essentially is 'logfile spam' in my smtptrace log, wherein a given message/session had been rejected by wcsap, but the sender/caller started sending data anyway (the message w/headers).

    wcsmtp indicated "503 Need MAIL command." then caller evidently started sending the data stream anyway.

    wcsmtp sent back echoes of the data '500 (data here) : command not understood' followed by the caller sending the next line of data/line of the message.

    This continued until the caller 'quit' the session, then WINS closed the connection '211 closing connection, **Completed.

    Is this normal? Never seen the log files get 'spammed' in 10 years running WC, figured I should ask. Am I missing something in the SAP ini or filter files?

    Caller IP is now firewalled, is listed with CBL (http://cbl.abuseat.org/), and reported to abuse at rr.com

    wcsmtp here is latest AUP (451.7).


    **wcsap log snippet (local user munged)**
    20060428 18:28:11 00000446 -------------------------------------
    20060428 18:28:11 00000446 version : 2.06 / 1.62
    20060428 18:28:11 00000446 calltype : SMTP
    20060428 18:28:11 00000446 state : rcpt
    20060428 18:28:11 00000446 cip : 71.75.124.244
    20060428 18:28:11 00000446 cdn : foxriver.net
    20060428 18:28:11 00000446 from : conrad0xsierra@rr.com
    20060428 18:28:11 00000446 hdn : cpe-071-075-124-244.carolina.res.rr.com
    20060428 18:28:11 00000446 rcpt : john.doe@foxriver.net
    20060428 18:28:11 00000446 ruid : 60
    20060428 18:28:12 00000446 sapfilter : reject (time:687)
    20060428 18:28:12 00000446 result : reject (0)
    20060428 18:28:12 00000446 smtp code : 554
    20060428 18:28:12 00000446 wcsap finish (797 msecs)


    **wcsmtp log snippet**
    20060428 18:28:11 (0A88) HELO: Incoming connection: foxriver.net [71.75.124.244]
    20060428 18:28:11 (0A88) Note: DNS says IP 71.75.124.244 belongs to host: cpe-071-075-124-244.carolina.res.rr.com
    20060428 18:28:11 (0A88) MAIL FROM: <Conrad0XSierra@rr.com>... Sender validation pending. Continue.
    20060428 18:28:12 (0A88) RCPT: Return Path not verifiable: <Conrad0XSierra@rr.com> (Rejected by WCSAP Filter)!


    **wcsmtptrace snippet (local user munged)**
    **************************************************************************
    Wildcat! SMTP Server v6.1.451.7
    SMTP log started at Fri, 28 Apr 2006 18:28:11
    Connection Time: 20060428 18:28:11 cid: 00000446
    SSL Enabled: NO
    Client IP: 71.75.124.244 (cpe-071-075-124-244.carolina.res.rr.com)
    18:28:11 S: 220-foxriver.net Wildcat! ESMTP Server v6.1.451.7 ready
    18:28:11 S: 220-************** WARNING: FOR AUTHORIZED USE ONLY! **********************
    18:28:11 S: 220-* THIS SYSTEM DO NOT AUTHORIZE THE USE OF ITS PROPRIETARY COMPUTERS *
    18:28:11 S: 220-* AND COMPUTER NETWORKS TO ACCEPT, TRANSMIT, OR DISTRIBUTE UNSOLICITED *
    18:28:11 S: 220-* BULK E-MAIL SENT FROM THE INTERNET. THIS SYSTEM WILL RESTRICT ACCESS *
    18:28:11 S: 220-* TO CAN-SPAM (US S. 877) COMPLIANT CLIENTS ONLY. *
    18:28:11 S: 220 ************************************************************************
    18:28:11 C: HELO foxriver.net
    18:28:11 S: 250 foxriver.net, Hello cpe-071-075-124-244.carolina.res.rr.com, why do you call yourself foxriver.net?
    18:28:11 C: MAIL FROM: <Conrad0XSierra@rr.com>
    18:28:11 S: 250 <Conrad0XSierra@rr.com>... Sender validation pending. Continue.
    18:28:11 C: RCPT TO: <john.doe@foxriver.net>
    18:28:12 ** WCX Process: wcsap ret: 554 (Rejected by WCSAP Filter)
    18:28:12 S: 550 Return Path not verifiable.
    18:28:12 C: DATA
    18:28:12 S: 503 Need MAIL command.
    18:28:12 C: Received: (qmail 18448 invoked by uid 53853);
    18:28:12 S: 500 'Received: (qmail 18448 invoked by uid 53853);': command not understood.
    18:28:12 C: Message-Id: <0764736_26563_38280.fodvnbkr@rr.com>
    18:28:12 S: 500 'Message-Id: <0764736_26563_38280.fodvnbkr@rr.com>': command not understood.
    18:28:12 C: Date: Fri, 29 Jul 2005 22:23:34 -0100
    18:28:12 S: 500 'Date: Fri, 29 Jul 2005 22:23:34 -0100': command not understood.
    18:28:12 C: Content-Type: text/plain;
    18:28:12 S: 500 'Content-Type: text/plain;': command not understood.
    18:28:12 C: charset="us-ascii"
    18:28:12 S: 500 ' charset="us-ascii"': command not understood.
    18:28:12 C: Content-Transfer-Encoding: 7bit
    18:28:12 S: 500 'Content-Transfer-Encoding: 7bit': command not understood.
    18:28:12 C: To: john.doe@foxriver.net
    18:28:12 S: 500 'To: john.doe@foxriver.net': command not understood.
    18:28:12 C: From: "Conrad Sierra" <Conrad0XSierra@rr.com>
    18:28:12 S: 500 'From: "Conrad Sierra" <Conrad0XSierra@rr.com>': command not understood.
    18:28:12 C: Subject: Reduce your monthly payments
    18:28:12 S: 500 'Subject: Reduce your monthly payments': command not understood.
    18:28:12 C:
    18:28:12 C: Hello,
    18:28:12 S: 500 'Hello,': command not understood.
    18:28:12 C:
    18:28:12 C: You have been chosen to participate in an invitation only limited time event!
    18:28:12 S: 500 'You have been chosen to participate in an invitation only limited time event!': command not understood.
    18:28:12 C: Are you currently paying over three percent for your mortgage? stop right now!
    18:28:12 S: 500 'Are you currently paying over three percent for your mortgage? stop right now!': command not understood.
    18:28:12 C: We can help you lower that today!
    18:28:12 S: 500 'We can help you lower that today!': command not understood.
    18:28:12 C: Answer only a few questions and we can give you an approval in under thirty seconds.It really is that simple!
    18:28:12 S: 500 'Answer only a few questions and we can give you an approval in under thirty seconds.It really is that simple!': command not understood.
    18:28:12 C:
    18:28:12 C: http://oa.r66j-fr.com/
    18:28:12 S: 500 'http://oa.r66j-fr.com/': command not understood.
    18:28:12 C:
    18:28:12 C: And stop fighting for lenders let them fight for you! Make them work for your business by giving you the lowest rates around! You deserve it.
    18:28:12 S: 500 'And stop fighting for lenders let them fight for you! Make them work for your business by giving you the lowest rates around! You deserve it.': command not understood.
    18:28:12 C:
    18:28:12 C: Think your credit is too bad to get a deal like this? Think Again! We will have you saving your money in no time flat!
    18:28:12 S: 500 'Think your credit is too bad to get a deal like this? Think Again! We will have you saving your money in no time flat!': command not understood.
    18:28:12 C:
    18:28:12 C: Are you ready to save your money?
    18:28:12 S: 500 'Are you ready to save your money?': command not understood.
    18:28:12 C:
    18:28:12 C: http://ymv.r66j-fr.com/
    18:28:12 S: 500 'http://ymv.r66j-fr.com/': command not understood.
    18:28:12 C:
    18:28:12 C: Regards,
    18:28:12 S: 500 'Regards,': command not understood.
    18:28:12 C: Conrad Sierra
    18:28:12 S: 500 'Conrad Sierra': command not understood.
    18:28:12 C:
    18:28:12 C:
    18:28:12 C:
    18:28:12 C: The woman had cut off his foot with an axe and his thumb with an electric knife, and here she was with a pile of caviar big enough to choke a warthog."Misery tried to scream, but could no longer even breathe.
    18:28:12 S: 500 'The woman had cut off his foot with an axe and his thumb with an electric knife, and here she was with a pile of caviar big enough to choke a warthog."Misery tried to scream, but could no longer even breathe.': command not understood.
    18:28:12 C: The champagne bottle hadnt been in the scenario, but that was minor compared with the womans hideous vitality and his current painful uncertainty.I have spared him, so you may shew him the way he must go.The open garbage can overflowed onto the floor and emitted the warm reek of spoiling food, but that wasnt the only thing wrong, or the worst smell..pictorial
    18:28:12 S: 500 'The champagne bottle hadnt been in the scenario, but that was minor compared with the womans hideous vitality and his current painful uncertainty.I have spared him, so you may shew him the way he must go.The open garbage can overflowed onto the floor and emitted the warm reek of spoiling food, but that wasnt the only thing wrong, or the worst smell..pictorial': command not understood.
    18:28:12 C: He thought her illness might have been short indeed   a thunderclap coronary, say, followed by a trip to Saint Joes, followed by."s.It was only after midnight, an hour after Geoffrey had ridden into the gathering storm to try and fetch the doctor, that the midwife had grown alarmed.She approached the mattress, turned around, and squatted..
    18:28:12 S: 500 'He thought her illness might have been short indeed   a thunderclap coronary, say, followed by a trip to Saint Joes, followed by."s.It was only after midnight, an hour after Geoffrey had ridden into the gathering storm to try and fetch the doctor, that the midwife had grown alarmed.She approached the mattress, turned around, and squatted..': command not understood.
    18:28:12 C: There were perhaps seventy acres of open ground between the house and the edge of the forest   the snow-cover over it was a perfect and blazing white.This was not the soothing sand of sleep but poisoned sand.
    18:28:12 S: 500 'There were perhaps seventy acres of open ground between the house and the edge of the forest   the snow-cover over it was a perfect and blazing white.This was not the soothing sand of sleep but poisoned sand.': command not understood.
    18:28:12 C:
    18:28:12 C: .
    18:28:12 S: 500 '.': command not understood.
    18:28:12 C: QUIT
    18:28:12 S: 221 closing connection
    18:28:13 ** Completed
    --- Platinum Xpress/Win/WINServer v3.1
    * Origin: Prison Board BBS Mesquite Tx //telnet.RDFIG.NET www. (1:124/5013)
  • From DAVE GOURD@1:124/5013 to All on Thu Jan 31 19:18:36 2019
    Date: Sat, 29 Apr 2006 11:19:55 -0400
    From: DAVE GOURD
    To: all
    Subject: RE: sap/smtp interaction - wcsmtp build 451.7
    Newsgroups: win.server.smtp.&.avs
    Message-ID: <1146323995.46.1146322326@winserver.com>
    References: <1146322326.46.0@winserver.com>
    X-Mailer: Wildcat! Interactive Net Server v7.0.454.5
    Lines: 257

    Have 'logfile spam' 3 more times now since this original post.

    The latest 3 were the same spam from the same IP/HOST, (not same same in original report) and all 4 incidents have different return path.

    --
    D


    --- Platinum Xpress/Win/WINServer v3.1
    * Origin: Prison Board BBS Mesquite Tx //telnet.RDFIG.NET www. (1:124/5013)
  • From HECTOR SANTOS@1:124/5013 to All on Thu Jan 31 19:18:36 2019
    Date: Sun, 30 Apr 2006 16:16:36 -0400
    From: HECTOR SANTOS
    To: DAVE GOURD
    Subject: Re: sap/smtp interaction - wcsmtp build 451.7
    Newsgroups: win.server.smtp.&.avs
    Message-ID: <1146428375.46.1146322326@winserver.com>
    References: <1146322326.46.0@winserver.com>
    X-WcMsg-Attr: Rcvd
    X-Mailer: Wildcat! Interactive Net Server v7.0.454.5
    Lines: 53


    <DAVE GOURD> wrote in message news:1146322326.46.0@winserver.com...

    When wcsap rejects a msg, does smtp/WINS close the connection
    with the client, or can/is the cip/cdn/hdn allowed to
    continue to send data to smtp in the same
    connection/transaction session? Should that session end at the
    time it is rejected?

    In general it is bad practice for the server to "DROP" the connection because the client may not understand and will try again.

    SMTP has five basic commands:

    EHLO or HELO sender machine name (CDN)
    MAIL FROM: sender address (FROM)
    RCPT TO: receiver address (TO)
    DATA:
    - email is transferred -
    QUIT or RSET
    QUIT

    For each command, a server response is provided:

    250 --> Command ok, continue with next command
    50x --> Don't understand the command
    45x --> Sorry, don't continue, but you can try again later
    55x --> Sorry, don't continue and no need to try again.

    The only way the client can continue from command to command is with a 250 server response each time.

    WCSMTP will not drop the connection once a 45x or 55x is sent. It would be bad practice. You are supposed to allow the client to issue the QUIT command and then the socket is closed.

    WCSAP is called at RCPT TO and returns a response to RCPT TO: state to validate all the data up to the point. IP connection address, CDN, FROM and TO.

    There is a 5 minute timer to wait for the client to send the next command. No response, then a DROP is done.

    The client can send a RSET command which allows him to restart the commands again starting with MAIL FROM:.

    What you see many times, especially with bulk spammers is that they ignore all server responses and just continue like it was normal. That is why you see 50x errors because the client is out of sync. He is continuing with the next command but he hasn't satisfied the previous command.

    Hope this helps
    --- Platinum Xpress/Win/WINServer v3.1
    * Origin: Prison Board BBS Mesquite Tx //telnet.RDFIG.NET www. (1:124/5013)
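
The out-of-sync pattern described in the reply above (a rejected RCPT followed by a run of 503/500 replies) can be collapsed into one finding per session. This is an added example, not code from the thread or from Wildcat!/WCSAP; it assumes the wcsmtptrace line layout shown in the first post, and the sample trace, hosts, addresses and all function names are constructed for illustration.

```python
import re
from dataclasses import dataclass

# Constructed sample in the wcsmtptrace layout from the first post; hosts and
# addresses are documentation values and the message lines are shortened.
SAMPLE_TRACE = """\
Connection Time: 20060428 18:28:11 cid: 00000446
Client IP: 192.0.2.44 (host.example.net)
18:28:11 C: HELO mail.example.org
18:28:11 S: 250 mail.example.org, Hello host.example.net
18:28:11 C: MAIL FROM: <sender@example.com>
18:28:11 S: 250 <sender@example.com>... Sender validation pending. Continue.
18:28:11 C: RCPT TO: <user@example.org>
18:28:12 ** WCX Process: wcsap ret: 554 (Rejected by WCSAP Filter)
18:28:12 S: 550 Return Path not verifiable.
18:28:12 C: DATA
18:28:12 S: 503 Need MAIL command.
18:28:12 C: Subject: constructed body line
18:28:12 S: 500 'Subject: constructed body line': command not understood.
18:28:12 C:
18:28:12 C: Hello,
18:28:12 S: 500 'Hello,': command not understood.
18:28:12 C: .
18:28:12 S: 500 '.': command not understood.
18:28:12 C: QUIT
18:28:12 S: 221 closing connection
Connection Time: 20060428 18:30:02 cid: 00000447
Client IP: 198.51.100.7 (relay.example.com)
18:30:02 C: MAIL FROM: <a@example.com>
18:30:02 S: 250 <a@example.com>... Sender validation pending. Continue.
18:30:02 C: RCPT TO: <nobody@example.org>
18:30:03 S: 550 Return Path not verifiable.
18:30:03 C: QUIT
18:30:03 S: 221 closing connection
"""

ENTRY = re.compile(r"^\d\d:\d\d:\d\d ([CS]):\s?(.*)$")
NEW_SESSION = re.compile(r"^Connection Time:.*\bcid:\s*(\w+)")
CLIENT_IP = re.compile(r"^Client IP:\s*(\S+)")
SAP_RET = re.compile(r"wcsap ret:\s*(\d{3})")
REPLY_CODE = re.compile(r"^(\d{3})")

@dataclass
class Session:
    cid: str
    client_ip: str = ""
    rejected_at: str = ""    # MAIL or RCPT: envelope command that drew the first 4xx/5xx
    reject_code: int = 0     # reply code the client was actually sent
    sap_code: int = 0        # code returned by wcsap, when the trace records it
    bad_sequence: int = 0    # 503 replies after the rejection (DATA with nothing accepted)
    not_understood: int = 0  # 500 replies after the rejection (message lines read as commands)
    sent_quit: bool = False

    @property
    def ignored_rejection(self) -> bool:
        return bool(self.rejected_at) and self.bad_sequence + self.not_understood > 0

def parse_trace(text):
    """Split a trace into sessions and record how each client reacted to a rejection."""
    sessions, cur, last_verb = [], None, ""
    for line in map(str.strip, text.splitlines()):
        if m := NEW_SESSION.match(line):
            cur, last_verb = Session(cid=m.group(1)), ""
            sessions.append(cur)
        elif cur is None:
            continue
        elif m := CLIENT_IP.match(line):
            cur.client_ip = m.group(1)
        elif m := ENTRY.match(line):
            side, payload = m.groups()
            if side == "C":
                # First word of the client line; blank lines leave no verb.
                last_verb = (payload.split() or [""])[0].upper()
                cur.sent_quit |= last_verb == "QUIT"
            elif code_m := REPLY_CODE.match(payload):
                code = int(code_m.group(1))
                if not cur.rejected_at:
                    if code >= 400 and last_verb in ("MAIL", "RCPT"):
                        cur.rejected_at, cur.reject_code = last_verb, code
                elif code == 503:
                    cur.bad_sequence += 1
                elif code == 500:
                    cur.not_understood += 1
        elif m := SAP_RET.search(line):
            cur.sap_code = int(m.group(1))
    return sessions

def summarize(s):
    sap = f" (wcsap {s.sap_code})" if s.sap_code else ""
    return (f"cid={s.cid} ip={s.client_ip} {s.rejected_at} rejected with {s.reject_code}{sap}; "
            f"client kept sending: {s.bad_sequence}x503 {s.not_understood}x500 quit={s.sent_quit}")

def blind_senders(text):
    """Sessions whose client carried on after a rejected MAIL or RCPT."""
    return [s for s in parse_trace(text) if s.ignored_rejection]

if __name__ == "__main__":
    for s in blind_senders(SAMPLE_TRACE):
        print(summarize(s))
```

Run over a full trace file, this yields one line per session whose client kept sending after a rejected MAIL or RCPT, which is easier to review or alert on than the raw 500 entries.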
  • From DAVE GOURD@1:124/5013 to All on Thu Jan 31 19:18:36 2019
    Date: Sun, 30 Apr 2006 22:45:18 -0400
    From: DAVE GOURD
    To: HECTOR SANTOS
    Subject: Re: sap/smtp interaction - wcsmtp build 451.7
    Newsgroups: win.server.smtp.&.avs
    Message-ID: <1146451518.46.1146428375@winserver.com>
    References: <1146428375.46.1146322326@winserver.com>
    X-WcMsg-Attr: Rcvd
    X-Mailer: Wildcat! Interactive Net Server v7.0.454.5
    Lines: 96

    Yes sir -

    I understand the 'bad practice' concept. I have never seen this before in all the years running this. Have seen lots and lots of days where there were dozens and dozens of blank entries in some sessions, but never with the spammer being so intent as to go ahead and send the BS anyway after our system politely says we don't want any.

    Maybe it happens a lot to others, I have just never seen it before; probably wouldn't if I did not watch the smtptrace logs (or even have it active).

    I did manage to get the uplines to at least disconnect those IPs from access anyhow! The spammer(s) will probably just go somewhere else though.

    Now I just have to figure out what to do about the criminals that are sending spam out spoofing our domain! :( - thousands of false bounces coming in from all over, 2d time they've joe job'd me this year already!

    Any suggestions? SPF record is in place (I think I got it set up right now), but that is of little consolation with so many systems out there not in tune to the process. Someone told me to get the FBI or feds involved, and get a lawyer cause might be able to sue the rats, but this sounds like more trouble to me than it (actually they, as in crooked spammers AND crooked lawyers - an honest guy ain't got a chance it seems) would be worth.

    Thanks Hector, at least I know my WC isn't broke. Have another question but in another post...

    --
    D



    --- Platinum Xpress/Win/WINServer v3.1
    * Origin: Prison Board BBS Mesquite Tx //telnet.RDFIG.NET www. (1:124/5013)
  • From HECTOR SANTOS@1:124/5013 to All on Thu Jan 31 19:18:36 2019
    Date: Mon, 01 May 2006 12:55:14 -0400
    From: HECTOR SANTOS
    To: DAVE GOURD
    Subject: Re: sap/smtp interaction - wcsmtp build 451.7
    Newsgroups: win.server.smtp.&.avs
    Message-ID: <1146502514.46.1146451518@winserver.com>
    References: <1146451518.46.1146428375@winserver.com>
    X-WcMsg-Attr: Rcvd
    X-Mailer: Wildcat! Interactive Net Server v7.0.454.5
    Lines: 67

    On 4/30/06 10:45 PM, DAVE GOURD wrote to HECTOR SANTOS:


    I understand the 'bad practice' concept. I have never seen this before in all the years running this. Have seen lots and lots of days where there were dozens and dozens of blank entries in some sessions, but never with the spammer being so intent as to go ahead and send the BS anyway after our system politely says we don't want any.

    Maybe it happens a lot to others, I have just never seen it before; probably wouldn't if I did not watch the smtptrace logs (or even have it active).

    It happens quite a bit. In fact, they are intent in finding systems that are not very strong in stopping it from being accepted.

    Now I just have to figure out what to do about the criminals that are sending spam out spoofing our domain! :( - thousands of false bounces coming in from all over, 2d time they've joe job'd me this year already!

    Any suggestions? SPF record is in place (I think I got it set up right now), but that is of little consolation with so many systems out there not in tune to the process. Someone told me to get the FBI or feds involved, and get a lawyer cause might be able to sue the rats, but this sounds like more trouble to me than it (actually they, as in crooked spammers AND crooked lawyers - an honest guy ain't got a chance it seems) would be worth.

    Thanks Hector, at least I know my WC isn't broke. Have another question but in another post...

    You're not going to stop criminals. All you can do is protect yourself and hopefully others will be reading your SPF and they are protecting you too in their domains when they see your spoof coming in.

    SPF is the only standard we have and it only has hit a high 30% of the market. So as much and more add SPF, the better for all of us.

    I happen to believe WCSAP with all the combination of things it does, does as much as it can at the SMTP level to protect you.

    There are new standards being invented but we are a long way from finishing this and the way it looks, I wouldn't hold my breath it will work well enough to make a difference.

    From a legal standard, in the US, if you prove harm to your system (including proof of increasing the cost of the operations and hardware to protect you) and I think the FBI has a $5,000 minimum before they even bother (it used to be $25K), then maybe you have a case. But you got to find them. The FBI will not look for them unless it was a national security issue. But if you know who they are, then you have laws on your side.

    But you have to protect yourself as much as you possibly can. Today, that will be the first thing the FBI or anyone will ask of you. In fact, in certain countries, it will begin to be considered malpractice if you don't. If your users are harmed, well, they might put the blame on you for being negligent. We are not there yet in the US, but it's definitely a case waiting to happen. It all comes down to "harm" and the cost of the harm. No harm - no foul. That is pretty much how law and order behaves.

    HLS



    --- Platinum Xpress/Win/WINServer v3.1
    * Origin: Prison Board BBS Mesquite Tx //telnet.RDFIG.NET www. (1:124/5013)