Flowchart clipped; recapping for NANAE readers new to this thread, the
logic went like this:

  Mail connection is requested by some remote host.
  Look up remote host IP in local blacklist; if found in blacklist,
  terminate connection with 550-Rejected.
  Look up remote host IP in local whitelist; if found, accept connection
  and deliver mail.
  If remote host IP is in neither blacklist nor whitelist, do the
  following:
  {
    Temporarily block connection with 450-Service temporarily
    unavailable.
    Portscan remote host IP to check for Trojans, open proxies,
    vulnerable RPC services that are open, etc.
    If remote host appears compromised, add to blacklist
    (with a fairly short [3 days or so] expiry time).
    If remote host appears reasonably secured, add to whitelist
    (with a longer [2 to 3 weeks] expiry time).
  }
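The decision logic above, written out as a runnable Python sketch. This is an added example, not code from the original post: the port scan itself is replaced by a constructed table of per-host open ports (RFC 5737 documentation addresses), and the exact 3-day and 3-week expiries, the set of indicator ports, and the names ExpiringList, ConnectionPolicy, looks_compromised and demo are assumptions of the example rather than anything the post specifies.

```python
import time

# SMTP responses used by the flowchart in the post.
REJECT_PERMANENT = "550 Rejected"
REJECT_TEMPORARY = "450 Service temporarily unavailable"
ACCEPT = "250 OK"

# Expiry times from the post: a short one for the blacklist, a longer
# one for the whitelist (3 days and 3 weeks chosen here, in seconds).
BLACKLIST_TTL = 3 * 24 * 3600
WHITELIST_TTL = 21 * 24 * 3600


class ExpiringList:
    """A set of IP addresses where each entry lapses after a fixed TTL."""

    def __init__(self, ttl_seconds):
        self.ttl = ttl_seconds
        self._expires_at = {}  # ip -> absolute expiry timestamp

    def add(self, ip, now):
        self._expires_at[ip] = now + self.ttl

    def contains(self, ip, now):
        expiry = self._expires_at.get(ip)
        if expiry is None:
            return False
        if expiry <= now:
            # Lazily drop stale entries so a lapsed listing no longer counts.
            del self._expires_at[ip]
            return False
        return True


class ConnectionPolicy:
    """Blacklist -> whitelist -> defer-and-classify, as in the post's flowchart.

    `assess(ip)` must return True when the host looks compromised.  The scan
    itself is deliberately an input here, so the decision logic runs offline.
    """

    def __init__(self, assess, now=time.time):
        self.blacklist = ExpiringList(BLACKLIST_TTL)
        self.whitelist = ExpiringList(WHITELIST_TTL)
        self.assess = assess
        self.now = now

    def decide(self, ip):
        now = self.now()
        if self.blacklist.contains(ip, now):
            return REJECT_PERMANENT
        if self.whitelist.contains(ip, now):
            return ACCEPT
        # Unknown host: defer this attempt (a real MTA will retry), then
        # classify it so the retry hits one of the lists above.
        if self.assess(ip):
            self.blacklist.add(ip, now)
        else:
            self.whitelist.add(ip, now)
        return REJECT_TEMPORARY


# Constructed sample "scan results": which ports each hypothetical sending
# host had open.  RFC 5737 documentation addresses, not real hosts.
SAMPLE_OPEN_PORTS = {
    "192.0.2.10": {25, 80},           # ordinary mail host with a web server
    "192.0.2.20": {25, 1080},         # SOCKS proxy port open
    "192.0.2.30": {135, 445, 12345},  # NetBus listener
}

# Ports the post treats as indicators of an open proxy or Trojan (assumed set).
INDICATOR_PORTS = {1080, 12345, 16959}


def looks_compromised(ip, open_ports=SAMPLE_OPEN_PORTS):
    """Assessment rule: any indicator port open means 'compromised'."""
    return bool(open_ports.get(ip, set()) & INDICATOR_PORTS)


def demo():
    """Replay three hosts over time; returns a list of (ip, response)."""
    clock = [0.0]  # simulated time so expiry can be exercised
    policy = ConnectionPolicy(looks_compromised, now=lambda: clock[0])
    ips = sorted(SAMPLE_OPEN_PORTS)
    results = []

    # First contact: every unknown host is deferred and then classified.
    results += [(ip, policy.decide(ip)) for ip in ips]
    # Retry ten minutes later: the lists now decide.
    clock[0] += 600
    results += [(ip, policy.decide(ip)) for ip in ips]
    # Four days later: blacklist entries have lapsed, whitelist still holds,
    # so the two bad hosts are deferred and re-assessed rather than rejected.
    clock[0] += 4 * 24 * 3600
    results += [(ip, policy.decide(ip)) for ip in ips]
    return results


if __name__ == "__main__":
    for ip, response in demo():
        print(f"{ip:12} {response}")
```

Two properties of the flowchart show up when this is run: every unknown host pays one 450 on first contact, so a well-behaved sender only loses a retry interval, and a lapsed blacklist entry leads to a fresh assessment rather than silent acceptance, because the host falls back into the "neither list" branch.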
In my opinion, when they connect to your mail server, to try and send
you mail, that is all the authority you need, to scan their system,
for obvious relay, or proxy ports.
So, you would not object to me scanning port 80 or port 1080 on any
system that connects to my mail server.
What about ports like 12345 (NetBus) and 16959 (SubSeven)? Can I look
at those ports? I can tell you absolutely that any system that has
sent mail to me that had either of those ports open, the email was
unwanted (and often dangerous). Can I set a policy that I don't accept
mail from hosts with those ports open? If that is my policy, I would
have to scan those ports in order to decide whether to accept mail
from any host trying to send mail to me. Am I evil for scanning those
ports to decide whether to accept e-mail from an unknown host?
What about ports like 593 and 135 and 445 on Windows machines? Can I
scan those? Can I probe them for version information or somehow
determine if they are the completely unsecured, unpatched versions or
the slightly more secure patched versions?
In short, if it's reasonable for me to have a policy that I don't
accept mail from compromised systems, and I think that is a reasonable
policy, how do I implement that and what is unacceptable in gathering
information to make the determination that a host is uncompromised?