[Mimedefang] New spammer trick?

Matt Cramer mscramer at armstrong.com
Tue Nov 25 14:13:32 EST 2003

On Tue, 25 Nov 2003, Joseph Brennan wrote:

> > I have not had any false positives yet. And why would I, even? There is
> > never ever a legitimate reason to pretend to be my server. So, anyone who
> > does, is banished for all eternity.
> Some PC clients say HELO followed by domain name.  I don't know
> where this standards-non-compliant convention originated but it's
> been around for a while.  It's probably to avoid having the PC
> look up its own hostname on dynamic lines.  Hosts that do smtp
> service for PCs need to allow this, unless your only supported
> clients don't do it.

In addition to blocking any server that answers with a HELO argument of
one of our domains, or one of our addresses, we also require that the HELO
argument be either a FQDN or an address (basically we look for a ".").
This has cut down on a huge amount of spam,  Yesterday we got:

Inbound Total:		25801
Ham:			21455
Spam (Flagged):		4346
Dropped (obvious spam	23234
         by pts scored)
554 Rejects:		13444
501 Rejects:		4659

The 501s are the rejects based on [what I consider] syntax errors in the
HELO argument: lacking a FQDN or an IP address.

Occasionally we get some site that tries to send us mail with just their
hostname as the HELO argument, and I've had to hold their hand explaining
to them that if they want to send us mail, they have to play by our rules.
Plus it is a SHOULD in the RFCs, which is good enough for me.  But that
has only happened a few times, and it has been worth it.


Matthew S. Cramer <mscramer at armstrong.com>          Office: 717-396-5032
Infrastructure Security Analyst                     Fax:    717-396-5590
Armstrong World Industries, Inc.                    Cell:   717-917-7099

More information about the MIMEDefang mailing list