Subj : RE: WCSAP-CBV False negative
To : All
From : HECTOR SANTOS
Date : Thu Jan 31 2019 19:18:36

Date: Tue, 24 Jul 2007 20:16:23 -0400
From: HECTOR SANTOS
To: DEAN BANKS
Subject: RE: WCSAP-CBV False negative
Newsgroups: win.server.smtp.&.avs
Message-ID: <1185322583.46.1185116463@winserver.com>
References: <1185116463.46.0@winserver.com>
X-WcMsg-Attr: Rcvd
X-Mailer: Wildcat! Interactive Net Server v7.0.454.5
Lines: 82

On 2007-07-22 11:01 AM, DEAN BANKS wrote to ALL:

> Hi
>
> I recently started using wcSAP, and have noticed what I'd consider a
> false negative (allowing potential spam). In the log file clip below, the
> "wcsap-openrelay-test-123sxa23@alqwejad.com" address is rejected because
> the server only allows 1 RCPT per connection, not because it's trying to relay.

Hi Dean,

It's not a false positive because it isn't a reason for rejection.

The goal was to check for an open relay, nothing more. If it rejected it, then the expected discovery was complete. Now, if it did accept the FAKE ADDRESS, then it would be viewed as an open relay. But it didn't accept it, which, for any reason it may have, is the main end goal to be ascertained.

Remember, the CBV returns a "positive test" - the target address did not fail. So it's not a false positive.

If you are saying the ADDRESS was "really bad", CBV still did its job because there is NO WAY to determine this. The GOAL was to see if the SMTP server A) directly rejected the address or B) it is an open relay as one reason for accepting it.

> Perhaps after the 1st RCPT is sent and accepted a RSET command could be
> issued before the 2nd one is tested.

That means you are literally trying to start a NEW transaction, which is not what we want here, and it won't give you any different result - think about it:

- WCSAP CBV WAY:

    TEST REAL ADDRESS:
      MAIL FROM:
      250 OK
    TEST FOR OPEN REPLY
      MAIL FROM:
      550 SORRY BAD ADDRESS OR EXTERNAL DOMAIN

  THIS IS A GOOD SMTP SYSTEM (behaving right).

- Let's try it your way:

    TEST REAL ADDRESS:
      MAIL FROM:
      250 OK
    TEST FOR OPEN REPLY USING A RESET
      RESET
      250 OK
      MAIL FROM:
      550 SORRY BAD ADDRESS OR EXTERNAL DOMAIN

If you are saying it should accept this because it is now a 1 RCPT new transaction, then it still would be an OPEN RELAY because it should not be accepting this fake address.

This WCSAP CBV logic is very good logic based on the best current practice (BCP) and expectations of systems. Whether or not it only accepts 1 RCPT, which would not be the BCP, the goal was to see if it accepts JUNK, as it could be the reason it also accepted the target address.

Think about it more. WCSAP is now 4 years old, with solid, time-tested engineering SMTP CBV logic. It is designed to eliminate the obvious by analyzing expected "failure or bad" conditions - the open relay is considered a bad condition in today's environment. It doesn't say the return address is GOOD, it just says that it passed the failure test.

Hope this helps

--
HLS

--- Platinum Xpress/Win/WINServer v3.1
 * Origin: Prison Board BBS Mesquite Tx //telnet.RDFIG.NET www. (1:124/5013)
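
The two-RCPT check discussed in the message above, as an added Python example (not WCSAP's code and not written by either poster). The null `MAIL FROM:<>` sender, the 452 reply for the one-recipient limit, the 4xx handling, the function names and all addresses are assumptions constructed for illustration; the simulated server does no network I/O.

```python
from typing import Callable, Tuple

Reply = Tuple[int, str]
PROBE = "cbv-open-relay-probe@no-such-domain.invalid"  # constructed fake address


def cbv_check(send: Callable[[str], Reply], target: str, probe: str = PROBE) -> str:
    """Test target and probe as two RCPTs of ONE transaction (no RSET)."""
    if send("MAIL FROM:<>")[0] // 100 != 2:   # null sender is an assumption
        return "indeterminate"
    code = send(f"RCPT TO:<{target}>")[0]
    if code // 100 == 5:
        return "fail"            # target directly rejected
    if code // 100 != 2:
        return "indeterminate"   # assumption: a 4xx gives no verdict
    if send(f"RCPT TO:<{probe}>")[0] // 100 == 2:
        return "open-relay"      # junk accepted, so the target's 250 proves nothing
    return "pass"                # junk refused for any reason: failure test passed


def make_server(users, relay=False, max_rcpt=None) -> Callable[[str], Reply]:
    """Constructed stand-in for a remote SMTP server."""
    accepted = 0

    def send(cmd: str) -> Reply:
        nonlocal accepted
        verb = cmd.upper()
        if verb.startswith("MAIL FROM:"):
            accepted = 0
            return 250, "OK"
        if not verb.startswith("RCPT TO:"):
            return 500, "Unrecognized command"
        if max_rcpt is not None and accepted >= max_rcpt:
            return 452, "Too many recipients"   # constructed reply
        addr = cmd[cmd.index("<") + 1:cmd.rindex(">")].lower()
        if relay or addr in users:
            accepted += 1
            return 250, "OK"
        return 550, "Sorry, bad address or external domain"

    return send


USERS = {"dean@example.org"}  # constructed mailbox list

if __name__ == "__main__":
    servers = {"strict": {}, "open relay": {"relay": True}, "1 RCPT limit": {"max_rcpt": 1}}
    for name, opts in servers.items():
        print(name, "->", cbv_check(make_server(USERS, **opts), "dean@example.org"))
```
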