[Mimedefang] Suggestions on rejecting relays that provide syntactically-invalid arguments to HELO/EHLO

Joseph Brennan brennan at columbia.edu
Fri May 23 09:46:02 EDT 2003


--On Thursday, May 22, 2003 19:56 -0500 Michael Sims 
<michaels at crye-leike.com> wrote:

> David, I read the thread you started in comp.mail.sendmail ('Why make use
> of HELO info?') with great interest. [1]  I have been going through my own
> personal spam corpus collected from the spam reports of my users (over
> 1000 messages) looking for patterns.  One of the patterns I noticed was
> invalid HELO arguments of two types: (1) hostnames that are not fully
> qualified (such as "one" or "localhost" or "lagupyr") and (2) bare IP
> addresses (such as "192.168.0.1").


RFC 2821 says

4.1.1.1  Extended HELLO (EHLO) or HELLO (HELO)

   These commands are used to identify the SMTP client to the SMTP
   server.  The argument field contains the fully-qualified domain name
   of the SMTP client if one is available.  In situations in which the
   SMTP client system does not have a meaningful domain name (e.g., when
   its address is dynamically allocated and no reverse mapping record is
   available), the client SHOULD send an address literal (see section
   4.1.3), optionally followed by information that will help to identify
   the client system.  The SMTP server identifies itself to the SMTP
   client in the connection greeting reply and in the response to this
   command.

so you would be wrong to say "HELO requires fully qualified domain
name or address literal" unless rephrased to say that your system
requires it.  In the standard it's a SHOULD not a MUST.

I wrote recently that I had tested this and within an hour I had
logged several non-spam mailings that HELO IP addresses without
[] brackets.  However it does correlate highly to spam and could
be worth some SpamAssassin points.  Likewise HELO with the
pattern [A-Z][a-z]+ (no dots or other chars) correlates highly
to Klez virus but can appear in some other mail.


We use a HELO test.  We reject mail that says HELO with our
mail server's own IP address.  That just makes no sense at all.
Nothing does this but some spamware product.  We give it an
action_bounce("You are not $Helo") which probably goes over
the heads of the spammers (as if they even look at bounces) but
would give a clue to the clueful.  It gets 12,000 a day here.


Joseph Brennan          Columbia University in the City of New York
postmaster at columbia.edu                 Academic Technologies Group
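The HELO checks discussed above (a bare IP without the [] brackets that RFC 2821 section 4.1.3 requires, a single unqualified word, the [A-Z][a-z]+ Klez pattern, and the outright rejection of a client that claims the receiving server's own address) can be expressed as a small classifier. The following is an added example, written for this page and not code from Joseph Brennan's site or from the MIMEDefang project; it is plain Python rather than a mimedefang-filter filter_helo routine, and the server address OUR_IP, the tag names and the point weights are constructed assumptions for illustration:

```python
import ipaddress
import re

# Constructed assumption for the example: the receiving MX's own address.
OUR_IP = "192.0.2.25"

# RFC 2821 4.1.1.1 expects a fully-qualified domain name, or an address
# literal of the form "[1.2.3.4]" / "[IPv6:...]" (section 4.1.3).
LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
FQDN_RE = re.compile(r"^(?:%s\.)+%s$" % (LABEL, LABEL))
# The "one capitalised word, no dots" shape noted above for Klez.
KLEZ_RE = re.compile(r"^[A-Z][a-z]+$")

# Constructed scoring weights; tune against your own corpus.
WEIGHTS = {"bare-ip": 2.0, "unqualified": 1.0, "klez-pattern": 1.5,
           "malformed": 1.0, "malformed-literal": 2.0, "empty": 2.0}


def _parse_ip(text):
    """Return an ip_address object, or None if text is not a bare IP."""
    try:
        return ipaddress.ip_address(text)
    except ValueError:
        return None


def classify_helo(arg, our_ip=OUR_IP):
    """Tag a HELO/EHLO argument; tags are in a fixed order for easy matching."""
    arg = arg.strip()
    if not arg:
        return ["empty"]
    ours = ipaddress.ip_address(our_ip)

    # Proper address literal: [IPv4] or [IPv6:...]
    if arg.startswith("[") and arg.endswith("]"):
        inner = arg[1:-1]
        if inner.upper().startswith("IPV6:"):
            inner = inner[5:]
        ip = _parse_ip(inner)
        if ip is None:
            return ["malformed-literal"]
        tags = ["address-literal"]
        if ip == ours:
            tags.append("claims-our-ip")
        return tags

    # Bare IP without brackets: not what the RFC asks for, spam-correlated.
    ip = _parse_ip(arg)
    if ip is not None:
        tags = ["bare-ip"]
        if ip == ours:
            tags.append("claims-our-ip")
        return tags

    if FQDN_RE.match(arg):
        return ["fqdn"]

    tags = []
    if KLEZ_RE.match(arg):
        tags.append("klez-pattern")
    # No dot at all ("one", "localhost", "lagupyr") vs. dotted but invalid.
    tags.append("unqualified" if "." not in arg else "malformed")
    return tags


def helo_verdict(arg, our_ip=OUR_IP):
    """Hard-reject a client claiming our own address; otherwise return a score."""
    tags = classify_helo(arg, our_ip)
    if "claims-our-ip" in tags:
        # Mirrors the action_bounce("You are not $Helo") idea from the message.
        return ("reject", "You are not %s" % arg.strip())
    score = sum(WEIGHTS.get(t, 0.0) for t in tags)
    return ("accept", score)


if __name__ == "__main__":
    # Constructed sample HELO arguments, not captured traffic.
    for sample in ["mail.example.org", "[192.0.2.25]", "192.0.2.25",
                   "192.168.0.1", "one", "localhost", "Lagupyr", "[bogus]"]:
        print("%-18s %-35s %s" % (sample, classify_helo(sample),
                                  helo_verdict(sample)))
```

The classifier deliberately separates "reject outright" (the claims-our-ip case, where no legitimate client has a reason to send it) from "add points" (bare IPs and unqualified names, which the message notes do turn up in non-spam mail within an hour of logging), so the scoring side can be fed to SpamAssassin rather than bouncing real mail.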