[Mimedefang] Suggestions on rejecting relays that provide syntactically-invalid arguments to HELO/EHLO

Jack Olszewski jacek at hermes.net.au
Fri May 23 01:41:01 EDT 2003


From: "Michael Sims" <michaels at crye-leike.com>
Subject: [Mimedefang] Suggestions on rejecting relays that provide syntactically-invalid arguments to HELO/EHLO
Date: Thu, 22 May 2003 19:56:08 -0500

michaels> David, I read the thread you started in comp.mail.sendmail ('Why make use of
michaels> HELO info?') with great interest. [1]  I have been going through my own
michaels> personal spam corpus collected from the spam reports of my users (over 1000
michaels> messages) looking for patterns.  One of the patterns I noticed was invalid
michaels> HELO arguments of two types: (1) hostnames that are not fully qualified
michaels> (such as "one" or "localhost" or "lagupyr") and (2) bare IP addresses (such
michaels> as "192.168.0.1").
michaels> 
michaels> I decided to see how often these invalid arguments appear in legitimate
michaels> mail, so I temporarily modified my mimedefang-filter to quarantine any
michaels> message with these two types of invalid HELO arguments.
michaels> 
michaels> That was about an hour ago and since then I've quarantined 300-400 messages.
michaels> I've looked through them and with 2-3 rare exceptions they are all complete
michaels> junk.  (I should mention that I'm quarantining these at my public MX server.
michaels> This server has no reason to relay mail for any MUA's.  I have a different
michaels> server setup for that purpose...)
michaels> 
michaels> So now I'm thinking about rejecting these inside filter_relay() and saving
michaels> myself a lot of resources on the front end.  I figured I'd ask the group
michaels> what they thought of this.  I'm also trying to decide what error I want to
michaels> give people.  I should probably give an error such as "Invalid argument
michaels> passed to HELO" or even "HELO requires fully qualified domain name or
michaels> address literal", but I hesitate to tell the spammers how to fix their
michaels> spamware to bypass this.  I'm sorely tempted to just respond with a generic
michaels> "Access denied" which would appear the same as if I had blocked their relay
michaels> inside my sendmail access db.  The only problem with this is if I catch a
michaels> legitimate relay I'm not really providing enough information for them to fix
michaels> the problem.
michaels> 
michaels> Anyone care to share an opinion on this?
michaels> 
michaels> [1] <http://groups.google.com/groups?selm=aaqcncEImdCtR1ujXTWcqg%40magma.ca>

I don't think error responses are ever read by spammers. They go to
relaying mail or proxy servers, perhaps get recorded in some logs that
are not read or analyzed either.

I reject HELOs with the ip or domain of my server with the response
"Go away ... $helo is not your true address."

I also reject HELOs in the form of a bare ip number, without [], with
the response "Rejected, see http://www.hermes.net.au/helo.php for the
reason of rejection.". If a sender of a legitimate message gets the
response, and goes to the given url, he/she is able to inform me about
the problem by using a form on that page, thus bypassing the blockade.
I am still to see the first person using the form.

Not long ago I asked the list about HELOs in the form of an identifier
without any dots. David answered he allowed those. I am curious about
your 2-3 rare exceptions in 300-400 pieces of junk. What do they look
like?

Jack
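The checks discussed in this thread (Michael's two invalid HELO shapes, Jack's own-name forgery check, and the generic versus explanatory reply question) as a standalone classifier, added here as example code; it is not MIMEDefang filter code and not from either poster. `MY_IDENTITIES`, `classify_helo` and `helo_decision` are constructed names, and the sample identities are placeholders for the receiving server's own hostname and IP.

```python
import re
import ipaddress

# Constructed stand-ins for the receiving server's own hostname and IP,
# used for the "that is not your true address" check (not from the thread).
MY_IDENTITIES = {"mx.example.net", "203.0.113.10"}

# One DNS label: letters/digits, optional inner hyphens, max 63 chars
_LABEL = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")

def classify_helo(helo):
    """Classify a HELO/EHLO argument into one of:
    fqdn, address-literal, bare-ip, unqualified, malformed."""
    helo = helo.strip()
    # RFC 2821 address literal: an IPv4 address in square brackets
    if helo.startswith("[") and helo.endswith("]"):
        try:
            ipaddress.IPv4Address(helo[1:-1])
            return "address-literal"
        except ValueError:
            return "malformed"
    # A dotted quad with no brackets is the bare-IP case from the thread
    try:
        ipaddress.IPv4Address(helo)
        return "bare-ip"
    except ValueError:
        pass
    labels = helo.split(".")
    # Every label must be well formed and the last one may not be all digits
    if not all(_LABEL.match(l) for l in labels) or labels[-1].isdigit():
        return "malformed"
    return "fqdn" if len(labels) > 1 else "unqualified"

def helo_decision(helo, my_identities=MY_IDENTITIES, informative=False):
    """Return ('REJECT', reply) or ('CONTINUE', '') for a HELO argument.
    informative=False gives the generic "Access denied" reply; True gives a
    reply that tells a legitimate sender what was expected."""
    kind = classify_helo(helo)
    inner = helo.strip().strip("[]").lower()
    if inner in my_identities:
        # The remote host claims to be this very server: never legitimate
        reply = f"{helo} is not your true address" if informative else "Access denied"
        return "REJECT", reply
    if kind in ("fqdn", "address-literal"):
        return "CONTINUE", ""
    reply = ("HELO requires a fully qualified domain name or address literal"
             if informative else "Access denied")
    return "REJECT", reply
```

Note that the classifier only checks syntax; it does not resolve the name or compare it with the connecting IP, so an FQDN that does not exist still passes.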


