[Mimedefang] filter-relay, rejection on bogus helo

Chris Myers chris at by-design.net
Tue Jan 6 11:59:53 EST 2004


----- Original Message ----- 
From: "Lucas Albers" <admin at cs.montana.edu>
To: <mimedefang at lists.roaringpenguin.com>
Sent: Tuesday, January 06, 2004 1:32 AM
Subject: Re: [Mimedefang] filter-relay, rejection on bogus helo


> General question,
> Is it reasonable to expect if $helo and $name are ip addresses, that they
> should match?
> Assuming the machine just has an ip address (no hostname) and it gives a
> helo ip string, they should match in every valid situation?
>
> I just considered a new helo/ip/name match idea...

As David points out, the standards require HELO [a.b.c.d] instead of HELO
a.b.c.d.  And _nearly_ all mailers obey that rule.  The danger is that
someone you actually want to talk to will fit into the portion of mailers
not covered by "nearly all".

For me, greylisting stops about 90% of messages using "HELO a.b.c.d".  Of
the other 10%, only one sender appears to be sending legitimate mail (60 of
181 messages).  The other messages tended to get high SpamAssassin scores.

In addition to the option of blocking messages from this class of broken
hosts, you might consider simply adding 1-2 points to the SpamAssassin score
... This would be computationally reasonable unless you're trying to get
that last tiny bit of performance out of your filtering system, because
you'll only be blocking about 0.1% of all messages.

Requiring numeric HELOs to match the $RelayAddr, however, isn't safe.
Hosts behind some "budget" firewalls and multi-homed hosts can legitimately
use something like "HELO [192.168.1.15]" when $RelayAddr is something else
entirely.

A test that is HIGHLY productive, however, is to block messages where the
sender claims "HELO your.ip.address.here".  About 10% of all messages to my
server match that test, and I'm willing to risk a few lost messages from
badly broken hosts to block thousands of spam messages per day.

Also, an additional 1% of spam messages try to use a HELO with a random
hostname in your domain, or the hostname of your mail server.  I've
generally found this also to be a safe criterion for blocking messages.

Chris
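As an added example (not code from this post or from the MIMEDefang project), the following Perl sketch implements the three rules described in the reply: reject when the HELO claims the server's own IP address, the mail server's own hostname, or a name inside the local domain; add SpamAssassin-style points for a bare numeric HELO that lacks the RFC brackets; and do not reject a numeric HELO merely because it differs from the relay address. The filter_helo wrapper assumes MIMEDefang's filter_helo callback signature; $MyDomain, @MyHostnames, the 1.5-point penalty and the sample addresses are constructed placeholders.

```perl
#!/usr/bin/perl
# Added example: HELO sanity checks following the rules discussed above.
# Not code from the mailing-list post or from the MIMEDefang project.
# filter_helo() assumes MIMEDefang's callback signature
# filter_helo($hostip, $hostname, $helo, $port, $myip, $myport);
# everything else is plain Perl. Adjust $MyDomain and @MyHostnames for your site.
use strict;
use warnings;

# Site-specific values (constructed placeholders for this example).
my $MyDomain    = 'example.com';
my @MyHostnames = ('mail.example.com');

# Classify a HELO string. Returns (verdict, score_delta, reason):
#   'REJECT'   - HELO claims our own IP, our mail server's name, or a name
#                in our domain (the "highly productive" tests in the post)
#   'CONTINUE' - accept; score_delta carries extra SpamAssassin points for an
#                unbracketed numeric HELO (the standard wants "HELO [a.b.c.d]")
# A numeric HELO that differs from $relay_addr is deliberately NOT rejected,
# for the NAT / multi-homed reasons given in the post.
sub check_helo {
    my ($helo, $relay_addr, $my_ip) = @_;
    my $ip_re = qr/^\d{1,3}(?:\.\d{1,3}){3}$/;

    # Strip RFC-style brackets so [1.2.3.4] and 1.2.3.4 compare the same.
    (my $bare = $helo) =~ s/^\[(.*)\]$/$1/;
    my $lc = lc $bare;

    # Rule 1: client claims to be us by IP address.
    if ($lc eq $my_ip) {
        return ('REJECT', 0, "HELO claims our own address $my_ip");
    }
    # Rule 2: client claims to be our mail server or a host in our domain.
    for my $h (@MyHostnames) {
        return ('REJECT', 0, "HELO claims our hostname $h") if $lc eq lc $h;
    }
    if ($lc eq lc $MyDomain or $lc =~ /\.\Q$MyDomain\E$/i) {
        return ('REJECT', 0, "HELO uses a name in our domain $MyDomain");
    }
    # Rule 3: bare numeric HELO without brackets: tolerate but penalise
    # (1.5 points is a constructed value in the 1-2 point range suggested).
    if ($helo =~ $ip_re) {
        my $note = ($helo eq $relay_addr) ? 'matches relay' : 'differs from relay';
        return ('CONTINUE', 1.5, "unbracketed numeric HELO ($note)");
    }
    return ('CONTINUE', 0, 'ok');
}

# MIMEDefang glue (assumed callback signature, see header comment).
# The score delta is not used here: filter_helo only decides accept/reject,
# so the penalty would have to be applied later in your SpamAssassin stage.
sub filter_helo {
    my ($hostip, $hostname, $helo, $port, $myip, $myport) = @_;
    my ($verdict, $delta, $reason) = check_helo($helo, $hostip, $myip);
    return ('REJECT', "Bogus HELO: $reason") if $verdict eq 'REJECT';
    return ('CONTINUE', "ok");
}

# Stand-alone demonstration with constructed inputs (documentation addresses).
unless (caller) {
    my $my_ip = '203.0.113.10';
    for my $case (
        ['203.0.113.10',     '198.51.100.5'],   # claims our IP      -> REJECT
        ['mail.example.com', '198.51.100.5'],   # claims our name    -> REJECT
        ['host.example.com', '198.51.100.5'],   # name in our domain -> REJECT
        ['198.51.100.5',     '198.51.100.5'],   # bare IP            -> +1.5
        ['[192.168.1.15]',   '198.51.100.5'],   # bracketed NAT IP   -> ok
        ['smtp.example.net', '198.51.100.5'],   # normal             -> ok
    ) {
        my ($helo, $relay) = @$case;
        my ($v, $d, $r) = check_helo($helo, $relay, $my_ip);
        printf "%-20s %-8s +%.1f  %s\n", $helo, $v, $d, $r;
    }
}
```

Running the script by itself prints one line per sample HELO; loaded from a MIMEDefang filter, only check_helo and the wrapper are used. The bracket stripping is what keeps the reject rules honest: a client sending "HELO [203.0.113.10]" is still claiming the server's own address, while "HELO [192.168.1.15]" from a NATed host is left alone because only the unbracketed form is penalised.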