[Mimedefang] Bouncing on invalid HELO/EHLO

Michael Sims michaels at crye-leike.com
Thu Jun 12 13:18:02 EDT 2003


Quoting Edgars Klepers <mimedefanglist at eklynx.com>:

> I just added your code to my setup and the next message I tried to send
> popped up the caught message in the log files. 
[...]
> So it looks like when Outlook sends mail through, it doesn't use the FQDN.
> Unless there's a setting I have configured wrong, that is...

I'm very sorry, I left out a fairly critical requirement for my non-FQDN filter.
It will only work if you do not scan "internal" mail.  By internal mail I'm
referring to any trusted client that is allowed to relay mail via the server
that MD is installed on.  As you've seen, any Windows machine using Outlook (and
I assume most any other MUA) is always going to report its NetBIOS hostname as
the EHLO/HELO argument.

I think it's a good idea in general to skip the SpamAssassin check for mail from
trusted networks.  I've implemented this in my filter using a sub called
relayIsTrusted():

if (!relayIsTrusted($RelayAddr)) {

  # do SpamAssassin stuff (skipped for trusted relays)

}

Inside relayIsTrusted I define a group of network/subnet mask pairs that are
considered "trusted" and therefore exempt from any filtering (other than virus
checks).  I can provide full code offlist if anyone is interested.

This is fairly easy on my side because I have an external smart host which all
outgoing mail is relayed through.  Therefore my list of "trusted" relays only
consists of a couple of IP addresses.  If you're scanning on the same mail
server that your end users use to submit mail then this will probably be a
little more complicated, but it shouldn't be much more.

It has been my experience that 99% of legitimate mail relays report their fully
qualified domain name.  The ones that do not are either direct-to-MX spammers
(in which case their ratware reports their machine's NetBIOS name), or they are
Windows mail servers which are maintained by ignorant admins.  Because of the
second case I only add 3 points to the score.

Hope this makes things clearer...

___________________________________________
Michael Sims
Project Analyst - Information Technology
Crye-Leike Realtors
Office: (901)758-5648  Pager: (901)769-3722
___________________________________________
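
An added sketch, not Michael Sims's code (which he offers off-list): one way a relayIsTrusted() built on network/netmask pairs and the 3-point non-FQDN HELO test could fit together, written as a stand-alone Perl script. The trusted networks, the sample addresses, the helper names ip_to_int, heloPenalty and extraScore, and the choice to let bracketed address literals pass are all assumptions.

```perl
use strict;
use warnings;

# Constructed network/netmask pairs (documentation ranges); substitute your relays.
my @TRUSTED = (
    [ '127.0.0.0',    '255.0.0.0'       ],
    [ '192.0.2.10',   '255.255.255.255' ],
    [ '198.51.100.0', '255.255.255.0'   ],
);

# Dotted quad -> 32-bit integer; returns nothing for anything else.
sub ip_to_int {
    my ($ip) = @_;
    my @o = ($ip // '') =~ /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/ or return;
    return if grep { $_ > 255 } @o;
    return ($o[0] << 24) | ($o[1] << 16) | ($o[2] << 8) | $o[3];
}

# True when the relay address falls inside any trusted network.
sub relayIsTrusted {
    my ($relay) = @_;
    my $addr = ip_to_int($relay);
    return 0 unless defined $addr;    # unparseable (e.g. IPv6): treat as untrusted
    for my $pair (@TRUSTED) {
        my $net  = ip_to_int($pair->[0]);
        my $mask = ip_to_int($pair->[1]);
        next unless defined $net && defined $mask;
        return 1 if ($addr & $mask) == ($net & $mask);
    }
    return 0;
}

# Points to add for the HELO/EHLO argument: 3 when it is not an FQDN.
sub heloPenalty {
    my ($helo) = @_;
    $helo //= '';
    return 0 if $helo =~ /^\[[^\]]+\]$/;   # assumption: address literals pass
    return 0 if $helo =~ /^(?:[a-z0-9](?:[a-z0-9-]*[a-z0-9])?\.)+[a-z]{2,}\.?$/i;
    return 3;
}

# Trusted clients skip the HELO test entirely, as the post requires.
sub extraScore {
    my ($relay, $helo) = @_;
    return relayIsTrusted($relay) ? 0 : heloPenalty($helo);
}

# Constructed samples: [relay address, HELO argument]
for my $s ( [ '198.51.100.23', 'FRONTDESK-PC' ],
            [ '203.0.113.7',   'mail.example.org' ],
            [ '203.0.113.99',  'WIN2K-BOX' ] ) {
    printf "%-15s %-18s +%d\n", @$s, extraScore(@$s);
}
```

Inside a MIMEDefang filter the two inputs would come from the $RelayAddr and $Helo globals. Only the third sample scores +3: the first has a NetBIOS-style HELO but comes from a trusted network.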


