[Mimedefang] Suggestions on rejecting relays that provide syntactically-invalid arguments to HELO/EHLO
Michael Sims
michaels at crye-leike.com
Thu May 22 20:57:01 EDT 2003
David, I read the thread you started in comp.mail.sendmail ('Why make use of
HELO info?') with great interest. [1] I have been going through my own
personal spam corpus collected from the spam reports of my users (over 1000
messages) looking for patterns. One of the patterns I noticed was invalid
HELO arguments of two types: (1) hostnames that are not fully qualified
(such as "one" or "localhost" or "lagupyr") and (2) bare IP addresses (such
as "192.168.0.1").

I decided to see how often these invalid arguments appear in legitimate
mail, so I temporarily modified my mimedefang-filter to quarantine any
message with these two types of invalid HELO arguments.

That was about an hour ago and since then I've quarantined 300-400 messages.
I've looked through them and with 2-3 rare exceptions they are all complete
junk. (I should mention that I'm quarantining these at my public MX server.
This server has no reason to relay mail for any MUAs. I have a different
server set up for that purpose...)

So now I'm thinking about rejecting these inside filter_relay() and saving
myself a lot of resources on the front end. I figured I'd ask the group
what they thought of this. I'm also trying to decide what error I want to
give people. I should probably give an error such as "Invalid argument
passed to HELO" or even "HELO requires fully qualified domain name or
address literal", but I hesitate to tell the spammers how to fix their
spamware to bypass this. I'm sorely tempted to just respond with a generic
"Access denied" which would appear the same as if I had blocked their relay
inside my sendmail access db. The only problem with this is if I catch a
legitimate relay I'm not really providing enough information for them to fix
the problem.

Anyone care to share an opinion on this?

[1] <http://groups.google.com/groups?selm=aaqcncEImdCtR1ujXTWcqg%40magma.ca>
___________________________________________
Michael Sims
Project Analyst - Information Technology
Crye-Leike Realtors
Office: (901)758-5648 Pager: (901)769-3722
___________________________________________
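
An added example, not part of the original post or of MIMEDefang itself: one way to express the HELO check described above as a mimedefang-filter fragment. It assumes the check is placed in filter_sender, which receives the HELO/EHLO string as its fourth argument; classify_helo is a hypothetical helper name, and the sample strings at the bottom are constructed.

```perl
use strict;
use warnings;

# Classify a HELO/EHLO argument. Returns one of:
#   'fqdn', 'address-literal'  -> syntactically acceptable
#   'unqualified', 'bare-ip'   -> the two patterns described in the post
#   'malformed'                -> empty or not hostname-shaped at all
sub classify_helo {
    my ($helo) = @_;
    return 'malformed' unless defined $helo && length $helo;

    # Bracketed literal such as [192.0.2.10] is the valid way to give an IP.
    return 'address-literal' if $helo =~ /^\[(?:\d{1,3}\.){3}\d{1,3}\]$/;
    return 'address-literal' if $helo =~ /^\[IPv6:[0-9A-Fa-f:.]+\]$/i;

    # Dotted quad without brackets (pattern 2).
    return 'bare-ip' if $helo =~ /^(?:\d{1,3}\.){3}\d{1,3}$/;

    (my $name = $helo) =~ s/\.$//;            # tolerate a trailing root dot
    return 'malformed' unless length $name;
    my @labels = split /\./, $name, -1;       # -1 keeps empty labels ("a..b")
    for my $label (@labels) {
        return 'malformed'
            unless $label =~ /^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$/;
    }
    return 'unqualified' if @labels < 2;      # "one", "localhost" (pattern 1)
    return 'malformed'   if $labels[-1] =~ /^\d+$/;   # e.g. "1.2.3"
    return 'fqdn';
}

# MIMEDefang callback: the fourth argument is the HELO/EHLO string.
sub filter_sender {
    my ($sender, $ip, $hostname, $helo) = @_;
    $helo = '' unless defined $helo;
    my $class = classify_helo($helo);
    return ('CONTINUE', 'ok') if $class eq 'fqdn' || $class eq 'address-literal';

    # Keep the precise reason in the local log whatever the SMTP reply says.
    md_syslog('info', "HELO rejected ($class): helo=<$helo> relay=$ip");
    return ('REJECT', 'HELO requires fully qualified domain name or address literal');
}

# Stand-alone check on constructed samples (skipped when loaded with require).
unless (caller) {
    for my $h ('one', 'localhost', '192.168.0.1', '[192.168.0.1]',
               'mail.example.com', 'bad_host.example.com', '') {
        printf "%-22s %s\n", "'$h'", classify_helo($h);
    }
}
```

Because the log line records the category separately from the SMTP reply, the reply text can be swapped for a generic one without losing the detail needed to help a legitimate sender who gets caught.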