[Mimedefang] Suggestions on rejecting relays that provide syntactically-invalid arguments to HELO/EHLO

Michael Sims michaels at crye-leike.com
Thu May 22 20:57:01 EDT 2003


David, I read the thread you started in comp.mail.sendmail ('Why make use of
HELO info?') with great interest. [1]  I have been going through my own
personal spam corpus collected from the spam reports of my users (over 1000
messages) looking for patterns.  One of the patterns I noticed was invalid
HELO arguments of two types: (1) hostnames that are not fully qualified
(such as "one" or "localhost" or "lagupyr") and (2) bare IP addresses (such
as "192.168.0.1").

I decided to see how often these invalid arguments appear in legitimate
mail, so I temporarily modified my mimedefang-filter to quarantine any
message with these two types of invalid HELO arguments.

That was about an hour ago and since then I've quarantined 300-400 messages.
I've looked through them and with 2-3 rare exceptions they are all complete
junk.  (I should mention that I'm quarantining these at my public MX server.
This server has no reason to relay mail for any MUAs.  I have a different
server set up for that purpose...)

So now I'm thinking about rejecting these inside filter_relay() and saving
myself a lot of resources on the front end.  I figured I'd ask the group
what they thought of this.  I'm also trying to decide what error I want to
give people.  I should probably give an error such as "Invalid argument
passed to HELO" or even "HELO requires fully qualified domain name or
address literal", but I hesitate to tell the spammers how to fix their
spamware to bypass this.  I'm sorely tempted to just respond with a generic
"Access denied" which would appear the same as if I had blocked their relay
inside my sendmail access db.  The only problem with this is if I catch a
legitimate relay I'm not really providing enough information for them to fix
the problem.

Anyone care to share an opinion on this?

[1] <http://groups.google.com/groups?selm=aaqcncEImdCtR1ujXTWcqg%40magma.ca>

___________________________________________
Michael Sims
Project Analyst - Information Technology
Crye-Leike Realtors
Office: (901)758-5648  Pager: (901)769-3722
___________________________________________
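As an added example, not from Michael's post or from the MIMEDefang distribution, here is what the HELO/EHLO syntax check he describes could look like in a mimedefang-filter. It is placed in filter_sender() rather than filter_relay() because filter_sender() is the earliest classic MIMEDefang hook that receives the HELO argument (the four-argument 2.x signature is assumed, and mimedefang must be started with -s for the hook to be called). The exempt address prefixes, the sample HELO strings, the reply texts and the helper names classify_helo() and helo_ok() are constructed for illustration; the two candidate reply strings are the ones the post is weighing.

```perl
#!/usr/bin/perl
# Added example: HELO/EHLO syntax check for mimedefang-filter.
# Not from the original post or the MIMEDefang distribution.
# filter_sender() is used because it is the earliest classic hook that
# receives the HELO argument; the 2.x four-argument form is assumed, and
# mimedefang must be started with -s for this hook to be called.
use strict;
use warnings;

# The trade-off the post raises: a diagnostic reply helps a misconfigured
# legitimate relay, a generic one tells spamware nothing.  0 = generic.
our $DIAGNOSTIC_REPLY = 1;

# Source IP prefixes allowed to send unqualified HELOs (internal MTAs,
# MUA submission).  Constructed values; the post's public MX needs none.
our @HELO_EXEMPT_PREFIXES = ('10.0.0.', '192.168.1.');

# Classify a HELO/EHLO argument per RFC 2821 4.1.1.1 / 4.1.3.  Returns:
#   fqdn        - at least two valid labels joined by dots
#   literal     - [192.0.2.1] or [IPv6:...]
#   bare_ip     - dotted quad without brackets   (the post's type 2)
#   unqualified - a single label such as "localhost" or "one" (type 1)
#   malformed   - empty, bad characters, trailing dot, etc.
sub classify_helo {
    my ($helo) = @_;
    return 'malformed' unless defined $helo && length $helo;

    my $octet = qr/(?:25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)/;
    my $ipv4  = qr/$octet(?:\.$octet){3}/;
    return 'literal' if $helo =~ /^\[$ipv4\]$/;
    return 'literal' if $helo =~ /^\[IPv6:[0-9A-Fa-f:.]+\]$/;
    return 'bare_ip' if $helo =~ /^$ipv4$/;

    # Label: 1-63 chars of alnum/hyphen, no leading or trailing hyphen
    my $label = qr/[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?/;
    return 'fqdn'        if $helo =~ /^$label(?:\.$label)+$/;
    return 'unqualified' if $helo =~ /^$label$/;
    return 'malformed';
}

# True when the HELO argument is acceptable from this source address.
sub helo_ok {
    my ($hostip, $helo) = @_;
    foreach my $p (@HELO_EXEMPT_PREFIXES) {
        return 1 if defined $hostip && index($hostip, $p) == 0;
    }
    my $kind = classify_helo($helo);
    return $kind eq 'fqdn' || $kind eq 'literal';
}

sub filter_sender {
    my ($sender, $hostip, $hostname, $helo) = @_;
    return ('CONTINUE', 'ok') if helo_ok($hostip, $helo);

    my $shown = defined $helo ? $helo : '';
    my $note  = "rejecting HELO '$shown' (" . classify_helo($helo)
              . ") from $hostip for sender $sender";
    # md_syslog is provided by mimedefang.pl; warn keeps this runnable alone
    defined &md_syslog ? md_syslog('info', $note) : warn "$note\n";

    my $reply = $DIAGNOSTIC_REPLY
        ? 'HELO requires fully qualified domain name or address literal'
        : 'Access denied';
    return ('REJECT', $reply);
}

# Stand-alone self-test over constructed HELO arguments; skipped when this
# file is loaded by mimedefang.pl rather than run directly.
unless (caller) {
    my %expect = (
        'mail.example.com'   => 'CONTINUE',
        '[192.0.2.1]'        => 'CONTINUE',
        '[IPv6:2001:db8::1]' => 'CONTINUE',
        '192.168.0.1'        => 'REJECT',
        'one'                => 'REJECT',
        'localhost'          => 'REJECT',
        'lagupyr'            => 'REJECT',
        'example.com.'       => 'REJECT',
        'bad host'           => 'REJECT',
    );
    my $failures = 0;
    foreach my $helo (sort keys %expect) {
        my ($action) = filter_sender('<user@example.org>', '203.0.113.5',
                                     'unknown', $helo);
        $failures++ if $action ne $expect{$helo};
        printf "%-22s %-12s %s\n", "'$helo'", classify_helo($helo), $action;
    }
    # The same bare hostname from an exempt internal address passes
    my ($exempt) = filter_sender('<a@b>', '10.0.0.7', 'unknown', 'pc1');
    $failures++ if $exempt ne 'CONTINUE';
    exit($failures ? 1 : 0);
}

1;
```

Run the file directly with perl to see how each constructed HELO is classified and what action results; to deploy, copy classify_helo(), helo_ok() and the filter_sender() body into your mimedefang-filter and start mimedefang with -s. The reply string is what the remote MTA sees in the 5xx response to MAIL FROM, so flipping $DIAGNOSTIC_REPLY is the whole "Access denied" versus "HELO requires..." decision from the post. Keep the exemption list empty on a public MX that never relays for MUAs, as in the post's setup.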