Subj : RE: WCSAP-CBV False negative
To   : All
From : DEAN BANKS
Date : Thu Jan 31 2019 19:18:36

Date: Wed, 25 Jul 2007 05:19:50 -0400
From: DEAN BANKS
To: HECTOR SANTOS
Subject: RE: WCSAP-CBV False negative
Newsgroups: win.server.smtp.&.avs
Message-ID: <1185355977.46.1185322583@winserver.com>
References: <1185322583.46.1185116463@winserver.com>
X-WcMsg-Attr: Rcvd
X-Mailer: Wildcat! Interactive Net Server v7.0.454.5
Lines: 124

Hi

Thanks for looking at this. I think you may have missed my point, however. I'm
talking about a false NEGATIVE, not positive: the goal of testing for an open
relay is missed, because in this instance the rejection is for a different
reason. The log file shows that the false email address is never being
evaluated as local/relay; it's being rejected solely because the server only
accepts 1 RCPT TO: per connection (configuration of the mail server).

Consider this SMTP dialog from an open relay that accepts 1 RCPT TO: per
connection:

S: 220 Smtp service ready
C: NOOP WCSAP v2.09 Wildcat! Sender Authentication Protocol http://www.santronics.com
S: 250 OK
C: HELO tka.com
S: 250 mta169.mail.re2.yahoo.com
C: MAIL FROM:<>
S: 250 null sender <> ok
C: RCPT TO: -valid email-
S: 250 recipient ok
C: RSET
S: 250 OK
C: MAIL FROM:<>
S: 250 null sender <> ok
C: RCPT TO: -false email-
S: 250 recipient ok
C: QUIT

Now we have uncovered an open relay that currently would be missed.

Thanks again for looking at this.

On 2007-07-24 8:16 PM, HECTOR SANTOS wrote to DEAN BANKS:

-> On 2007-07-22 11:01 AM, DEAN BANKS wrote to ALL:
->
-> > Hi
-> >
-> > I recently started using wcSAP, and have noticed what I'd consider a
-> > false negative (allowing potential spam). In the log file clip below, the
-> > "wcsap-openrelay-test-123sxa23@alqwejad.com" address is rejected because
-> > the server only allows 1 RCPT per connection, not because it's trying to
-> > relay.
->
-> Hi Dean,
->
-> It's not a false positive because it isn't a reason for rejection. The goal
-> was to check for an open relay, nothing more. If it rejected it, then the
-> expected discovery was complete.
->
-> Now, if it did accept the FAKE ADDRESS, then it would be viewed as an open
-> relay. But it didn't accept it, for whatever reason it may have had, and that
-> is the main end goal to be ascertained.
->
-> Remember, the CBV returns a "positive test" - the target address did not
-> fail. So it's not a false positive.
->
-> If you are saying the ADDRESS was "really bad", CBV still did its job
-> because there is NO WAY to determine this. The GOAL was to see if the SMTP
-> server A) directly rejected the address or B) it is an open relay as one
-> reason for accepting it.
->
-> > Perhaps after the 1st RCPT is sent and accepted a RSET command could be
-> > issued before the 2nd one is tested.
->
-> That means you are literally trying to start a NEW transaction, which is not
-> what we want here, and it won't give you any different result - think about it:
->
-> - WCSAP CBV WAY:
->
->   TEST REAL ADDRESS:
->
->   MAIL FROM:
->   250 OK
->
->   TEST FOR OPEN RELAY
->
->   MAIL FROM:
->   550 SORRY BAD ADDRESS OR EXTERNAL DOMAIN
->
->   THIS IS A GOOD SMTP SYSTEM (behaving right).
->
-> - Let's try it your way:
->
->   TEST REAL ADDRESS:
->
->   MAIL FROM:
->   250 OK
->
->   TEST FOR OPEN RELAY USING A RESET
->
->   RESET
->   250 OK
->   MAIL FROM:
->   550 SORRY BAD ADDRESS OR EXTERNAL DOMAIN
->
-> If you are saying it should accept this because it is now a 1 RCPT new
-> transaction, then it still would be an OPEN RELAY because it should not be
-> accepting this fake address.
->
-> This WCSAP CBV logic is very good logic based on the best current practice
-> (BCP) and expectations of systems. Whether or not it only accepts 1 RCPT,
-> which would not be the BCP, the goal was to see if it accepts JUNK, as it
-> could be the reason it also accepted the target address.
->
-> Think about it more. WCSAP is now 4 years old of solid, time-tested
-> engineering SMTP CBV logic. It is designed to eliminate the obvious by
-> analyzing expected "failure or bad" conditions - the open relay is
-> considered a bad condition in today's environment. It doesn't say the
-> return address is GOOD, it just says that it passes the failure test.
->
-> Hope this helps
->
-> --
-> HLS
->
--- Platinum Xpress/Win/WINServer v3.1
 * Origin: Prison Board BBS Mesquite Tx //telnet.RDFIG.NET www. (1:124/5013)
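The two probe orders argued over above (a second RCPT TO in the same transaction, versus RSET and a fresh MAIL FROM before the fake address), run against a scripted stand-in for the remote MTA. This is an added example written for this page; it is not WCSAP, Wildcat! or anything from the thread, and the server is a constructed simulation. It assumes, as Dean's dialog implies, that the recipient cap is per transaction and is cleared by RSET, and it adds one check the thread does not discuss: a 4xx reply to the fake address is a resource or temporary limit rather than a relay-policy rejection, so the probe should report the relay test as inconclusive instead of passed.

```python
FAKE_ADDRESS = "wcsap-openrelay-test-123sxa23@alqwejad.com"  # probe address quoted in the thread


class FakeSmtpServer:
    """Scripted stand-in for a remote MTA (constructed for this example).

    open_relay        -- accept RCPT TO for any domain, not only local_domain
    max_rcpt_per_txn  -- cap on accepted RCPT TO per MAIL FROM transaction
                         (None = unlimited). Modelling the cap per transaction,
                         cleared by RSET, is an assumption that matches the
                         dialog in the post, where the RCPT after RSET succeeds.
    """

    def __init__(self, local_domain, open_relay=False, max_rcpt_per_txn=None):
        self.local_domain = local_domain.lower()
        self.open_relay = open_relay
        self.max_rcpt_per_txn = max_rcpt_per_txn
        self.in_txn = False
        self.rcpt_in_txn = 0
        self.transcript = []  # (who, line) pairs, both sides of the exchange

    def handle(self, line):
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb == "HELO":
            reply = "250 mta.example.invalid"
        elif verb == "MAIL":
            self.in_txn, self.rcpt_in_txn = True, 0
            reply = "250 sender ok"
        elif verb == "RSET":
            self.in_txn, self.rcpt_in_txn = False, 0
            reply = "250 OK"
        elif verb == "RCPT":
            reply = self._rcpt(arg)
        elif verb == "QUIT":
            reply = "221 bye"
        else:
            reply = "500 command not recognized"
        self.transcript.append(("C", line))
        self.transcript.append(("S", reply))
        return reply

    def _rcpt(self, arg):
        if not self.in_txn:
            return "503 need MAIL FROM first"
        if self.max_rcpt_per_txn is not None and self.rcpt_in_txn >= self.max_rcpt_per_txn:
            return "452 too many recipients"  # the 1-RCPT limit Dean describes
        addr = arg.split(":", 1)[-1].strip().strip("<>")
        domain = addr.rpartition("@")[2].lower()
        if domain == self.local_domain or self.open_relay:
            self.rcpt_in_txn += 1
            return "250 recipient ok"
        return "550 relaying denied"


def cbv_probe(server, target, rset_before_fake):
    """One CBV session against `server`; returns (target_reply, fake_reply).

    rset_before_fake=False is the order Hector describes (second RCPT TO in the
    same transaction); True is Dean's proposal (RSET and a new MAIL FROM first).
    """
    server.handle("HELO tka.com")
    server.handle("MAIL FROM:<>")
    target_reply = server.handle(f"RCPT TO:<{target}>")
    if rset_before_fake:
        server.handle("RSET")
        server.handle("MAIL FROM:<>")
    fake_reply = server.handle(f"RCPT TO:<{FAKE_ADDRESS}>")
    server.handle("QUIT")
    return target_reply, fake_reply


def naive_verdict(target_reply, fake_reply):
    """The logic described in the thread: fake accepted = open relay,
    otherwise the target's own reply decides."""
    if fake_reply.startswith("250"):
        return "open relay"
    return "pass" if target_reply.startswith("250") else "fail"


def refined_verdict(target_reply, fake_reply):
    """Same, but a 4xx on the fake address means the relay test never ran."""
    if fake_reply.startswith("4"):
        return "inconclusive"
    return naive_verdict(target_reply, fake_reply)


def run_scenarios():
    """Both probe orders against three constructed servers.
    Returns {scenario: {mode: (naive_verdict, refined_verdict)}}."""
    servers = {
        "well behaved": lambda: FakeSmtpServer("example.test"),
        "open relay": lambda: FakeSmtpServer("example.test", open_relay=True),
        "open relay, 1 RCPT": lambda: FakeSmtpServer("example.test", open_relay=True, max_rcpt_per_txn=1),
    }
    results = {}
    for name, make in servers.items():
        results[name] = {}
        for mode, rset in (("no RSET", False), ("RSET", True)):
            t, f = cbv_probe(make(), "postmaster@example.test", rset)
            results[name][mode] = (naive_verdict(t, f), refined_verdict(t, f))
    return results


if __name__ == "__main__":
    for name, modes in run_scenarios().items():
        for mode, (naive, refined) in modes.items():
            print(f"{name:20} {mode:8} naive={naive:12} refined={refined}")
```

Against the well-behaved server and the unlimited open relay both probe orders agree, which is Hector's point. Against the open relay that caps RCPT TO at one per transaction, the same-transaction probe sees a 452, the naive verdict reports "pass", and only the RSET order (or the 4xx check) exposes the relay, which is Dean's false negative.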