[Mimedefang] Bouncing on invalid HELO/EHLO

Edgars Klepers mimedefanglist at eklynx.com
Thu Jun 12 11:58:00 EDT 2003


I just added your code to my setup and the next message I tried to send
popped up the caught message in the log files.  I used OutlookXP to send the
message from my work machine, where the IP and the reverse resolve to (fake
domain used to protect the innocent) psylocke.subdomain.domain1.com.  My
home server that allows my work machine to relay at linux.domain2.com
registered the following line in my spam.log

(xxx'ed out the ip)
helo_not_fqdn,xxx.xxx.xxx.xx,psylocke,<mimedefanglist at eklynx.com>

So it looks like when outlook sends mail through, it doesn't use the FQDN.
Unless there's a setting I have configured wrong, that is.

Considering I have my server dropping messages that score 6.0 or higher, I
want to make sure I don't add any extra scores unless I have to.


-----Original Message-----
From: mimedefang-admin at lists.roaringpenguin.com
[mailto:mimedefang-admin at lists.roaringpenguin.com] On Behalf Of Michael Sims
Sent: Thursday, June 12, 2003 8:23 AM
To: mimedefang at lists.roaringpenguin.com
Subject: Re: [Mimedefang] Bouncing on invalid HELO/EHLO


Quoting "G. Roderick Singleton" <gerry at pathtech.org>:

> On Thu, 2003-06-12 at 10:09, Jim McCullars wrote:
> > How many people actually bounce mail based on this rule?
> > 
[...]
> My take on attempting to implement these types of tests was that it 
> was much work for little gain when one employs the latest sendmail 
> with mimedefang and ancillary programs such as spamassassin.

I have to respectfully disagree.  I have added, among other things, a check
to make sure that the EHLO/HELO argument is a fully qualified domain name.
If it isn't, I increase the spam score of the message in question by 3
points.  This may seem drastic, but I tested this rule for a week and out of
the 2000-3000 messages it caught, only about 3 of them were legitimate.
Other sites may have different results; a safer adjustment is probably 1.5 -
2, but 3 works well for me.

In the past 48 hours this rule has flagged 668 messages.  This number used
to be much higher before I started using sbl.spamhaus.org and list.dsbl.org
to reject connections at the Sendmail level.

I also flat out reject anyone who provides a raw IP address as an EHLO/HELO
argument rather than an address literal.  In the past 48 hours I have
rejected 159 connections on this basis.

As many other people do, I also reject any relay that claims to be in my
domain when it clearly is not.  That has caught 424 connections in the past
48 hours.

The code I use to alter the SA score can be found in the following message
(although anyone who uses it will need to alter the score, as 4 is a bit
high):

http://lists.roaringpenguin.com/pipermail/mimedefang/2003-May/005792.html

___________________________________________
Michael Sims
Project Analyst - Information Technology
Crye-Leike Realtors
Office: (901)758-5648  Pager: (901)769-3722
___________________________________________
_______________________________________________
MIMEDefang mailing list
MIMEDefang at lists.roaringpenguin.com
http://lists.roaringpenguin.com/mailman/listinfo/mimedefang
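The three HELO/EHLO checks Michael describes (non-FQDN argument scores extra points, a bare IP address instead of a bracketed address literal is rejected, and a HELO claiming the local domain from a host that is clearly not in it is rejected), together with the case Edgars ran into (an Outlook client on an authorised relay presenting a bare hostname), can be expressed as a small standalone classifier. The code below is an added illustration written for this archive page; it is not Michael's filter, not Edgars' setup, and not MIMEDefang's own filter API. The local domain, the trusted relay network, the peer addresses and the reverse-DNS names are constructed sample values, and the log line format mirrors the spam.log entry quoted above.

```python
import ipaddress
import re

# Constructed values for the example (assumptions, not taken from the posts):
# the receiving server's own domain, and a network whose clients are allowed
# to relay and therefore should not be penalised for a bare-hostname HELO.
LOCAL_DOMAINS = {"domain2.com"}
TRUSTED_RELAY_NETS = [ipaddress.ip_network("192.0.2.0/24")]

# One DNS label: 1-63 chars of letters, digits, hyphens; no leading/trailing hyphen.
LABEL_RE = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def is_fqdn(name):
    """True if the name has at least two syntactically valid DNS labels."""
    labels = name.rstrip(".").split(".")
    if len(labels) < 2:
        return False
    return all(LABEL_RE.match(label) for label in labels)


def parse_ip(text):
    """Return an ip_address object, or None if the text is not a bare IP."""
    try:
        return ipaddress.ip_address(text)
    except ValueError:
        return None


def is_address_literal(helo):
    """True for an RFC 2821 address literal such as [198.51.100.7] or [IPv6:...]."""
    if not (helo.startswith("[") and helo.endswith("]")):
        return False
    inner = helo[1:-1]
    if inner.lower().startswith("ipv6:"):
        inner = inner[5:]
    return parse_ip(inner) is not None


def in_local_domain(name):
    """True if the name is one of our domains or a host within one of them."""
    name = (name or "").lower().rstrip(".")
    return any(name == d or name.endswith("." + d) for d in LOCAL_DOMAINS)


def classify_helo(helo, peer_ip, rdns):
    """Return (action, reason, score_delta) for one HELO/EHLO argument.

    action is 'reject', 'score' or 'accept'; score_delta is the amount to add
    to the SpamAssassin score when action is 'score' (3.0 here, as in the post).
    """
    ip = ipaddress.ip_address(peer_ip)
    # Authorised relay clients (Edgars' Outlook case) are exempt from HELO scoring.
    if any(ip in net for net in TRUSTED_RELAY_NETS):
        return ("accept", "trusted_relay", 0.0)
    # A raw IP address is not a valid HELO argument; a bracketed literal is.
    if parse_ip(helo) is not None:
        return ("reject", "helo_raw_ip", 0.0)
    if is_address_literal(helo):
        return ("accept", "helo_address_literal", 0.0)
    # HELO claims our domain, but the peer's reverse DNS does not back that up.
    if in_local_domain(helo) and not in_local_domain(rdns):
        return ("reject", "helo_forged_local_domain", 0.0)
    # Anything else that is not a fully qualified name gets scored, not rejected.
    if not is_fqdn(helo):
        return ("score", "helo_not_fqdn", 3.0)
    return ("accept", "helo_ok", 0.0)


def log_line(helo, peer_ip, rdns, sender):
    """Format one entry in the same layout as the spam.log line quoted above."""
    _action, reason, _delta = classify_helo(helo, peer_ip, rdns)
    return f"{reason},{peer_ip},{helo},<{sender}>"


if __name__ == "__main__":
    # Edgars' case, once from an untrusted address and once from the relay net.
    print(log_line("psylocke", "198.51.100.7", "psylocke.subdomain.domain1.com",
                   "mimedefanglist at eklynx.com"))
    print(log_line("psylocke", "192.0.2.10", "psylocke.subdomain.domain1.com",
                   "mimedefanglist at eklynx.com"))
```

The ordering of the checks matters: the trusted-relay exemption has to run first, otherwise an authenticated desktop client is scored on the same footing as an anonymous sender, which is exactly the extra 3 points Edgars is trying to avoid while still dropping at 6.0.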
