[Mimedefang] filter-relay, rejection on bogus helo

Chris Myers chris at by-design.net
Wed Jan 7 07:15:14 EST 2004


----- Original Message ----- 
From: "Lucas Albers" <admin at cs.montana.edu>
To: <mimedefang at lists.roaringpenguin.com>
Sent: Tuesday, January 06, 2004 8:58 PM
Subject: Re: [Mimedefang] filter-relay, rejection on bogus helo


> Jonas Eckerman said:
> > No. David pointed out one reason (NAT). Another reason is that one machine
> > can have multiple IP-addresses. Applications on such a machine could well
> > display one address in HELO while actually connecting from another.
>
> You could make the assumption that the helo (if an ip) string should match
> the ip address on the first 3 octets of the address?
> $helo = xxx.xxx.xxx = $ip = xxx.xxx.xxx

Not necessarily.  It's quite reasonable that a system with multiple IP
addresses would have addresses in different subnetworks.

In addition to David's example of an SMTP client behind a NAT device that
doesn't rewrite the HELO command, I have two more examples (apologies to the
owners of the random IP addresses I have picked):

    1) Host with two Ethernet NICs, one on the "outside" with 64.222.76.14
and one on the "inside" LAN 192.168.1.14.  The HELO could be "HELO
[192.168.1.14]".

    2) A host connected to multiple ISPs, each of which has assigned a
different block of IP addresses to the user.  The SMTP client has an IP
address in each block for poor-man's redundancy.  So IP1 is 64.222.76.14 and
IP2 is 207.201.12.19. Needless to say, to keep everyone on their toes the
SMTP client will always pick the IP address it's NOT connecting from for the
HELO command.

Note that it's RARE for a system to use a HELO [ip] that doesn't match
$RelayAddr.  In about 2.4 million recent messages, I only found eight that
matched that criteria.  Of those eight, only three had a HELO in the same
Class C (/24) and one in the same Class B (/16).  Seven of the eight were
spam.

I was once using a rule to check if HELO [ip] matched $RelayAddr and I ended
up blocking important messages to an important user, so I had to take that
rule out.  Since the test doesn't really make a difference in the
effectiveness of our spam filter, I'm happy enough to leave it out.

Chris
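The comparison discussed in this thread (HELO address literal versus the connecting relay address, at exact, /24 and /16 granularity), as an added example that is not part of the original message and not MIMEDefang's own code. It is written in Python rather than as a MIMEDefang Perl filter; the function names `helo_literal`, `classify` and `helo_verdict`, and the sample sessions in `SAMPLES`, are this example's own constructions. It shows why the "first three octets" heuristic does not rescue the dual-NIC and multihomed cases above: both still classify as a mismatch.

```python
"""Classify an SMTP HELO/EHLO address literal against the relay's IP address.

Added example: standalone Python, not a MIMEDefang filter. The same logic
could be ported into a filter's HELO hook in Perl.
"""
import ipaddress
import re

# An SMTP address literal is the HELO argument in square brackets; IPv6
# literals carry an "IPv6:" tag inside the brackets.
_LITERAL_RE = re.compile(r"^\[(?:IPv6:)?([^\]]+)\]$", re.IGNORECASE)


def helo_literal(helo):
    """Return the address inside a HELO address literal, or None when HELO is a
    hostname or a bracketed string that is not a valid address."""
    m = _LITERAL_RE.match(helo.strip())
    if not m:
        return None
    try:
        return ipaddress.ip_address(m.group(1))
    except ValueError:
        return None


def classify(helo, relay_addr):
    """How does the HELO literal relate to the relay address ($RelayAddr)?

    Returns 'hostname' (nothing to compare), 'invalid' (bracketed but not an
    address), 'exact', 'same-24', 'same-16' or 'mismatch'.
    """
    relay = ipaddress.ip_address(relay_addr)
    literal = helo_literal(helo)
    if literal is None:
        return "invalid" if helo.strip().startswith("[") else "hostname"
    if literal.version != relay.version:
        return "mismatch"
    if literal == relay:
        return "exact"
    if relay.version == 4:
        # The "first three octets" heuristic from the thread, then the /16 variant.
        if literal in ipaddress.ip_network(f"{relay}/24", strict=False):
            return "same-24"
        if literal in ipaddress.ip_network(f"{relay}/16", strict=False):
            return "same-16"
    return "mismatch"


def helo_verdict(helo, relay_addr, reject_mismatch=False):
    """Policy wrapper: reject only on a true mismatch, and only when the operator
    has opted in. The default (accept) reflects the thread's conclusion that the
    rule costs legitimate mail and buys little spam filtering."""
    if classify(helo, relay_addr) == "mismatch" and reject_mismatch:
        return "reject"
    return "accept"


# Constructed sample sessions (HELO argument, relay address); not real traffic.
# 192.0.2.0/24, 198.51.100.0/24 and 203.0.113.0/24 are documentation ranges.
SAMPLES = {
    "nat_no_rewrite": ("[10.0.0.5]", "203.0.113.7"),       # NAT leaves HELO alone
    "dual_nic": ("[192.168.1.14]", "64.222.76.14"),        # inside NIC named in HELO
    "multihomed": ("[207.201.12.19]", "64.222.76.14"),     # other ISP's block in HELO
    "same_24": ("[64.222.76.20]", "64.222.76.14"),         # neighbour in the /24
    "same_16": ("[64.222.80.1]", "64.222.76.14"),          # same /16, different /24
    "exact": ("[64.222.76.14]", "64.222.76.14"),
    "hostname": ("mail.example.com", "64.222.76.14"),      # no literal to check
    "ipv6_exact": ("[IPv6:2001:db8::1]", "2001:db8::1"),
    "garbage": ("[not-an-ip]", "64.222.76.14"),
}


def run_samples():
    """Classify every constructed sample; returns {name: classification}."""
    return {name: classify(helo, relay) for name, (helo, relay) in SAMPLES.items()}


if __name__ == "__main__":
    for name, result in run_samples().items():
        print(f"{name:16s} {result}")
```

The /24 and /16 buckets are kept separate from "exact" so an operator can log them rather than act on them; in the thread's own numbers even the widest bucket caught only a handful of messages, so treating any of these classifications as a hard reject is the part a practitioner should leave switched off.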
