[Mimedefang] Re: Requiring FQDN in HELO

Paul Russell prussell at nd.edu
Thu Dec 29 23:57:30 EST 2005 

On Wed, 28 Dec 2005, James Ebright <jebright at esisnet.com> wrote:
> 
> In addition, I believe rejecting email due to an invalid HELO/EHLO is a 
> rfc violation in of itself (MUST NOT even). That said, the only ones I 
> reject are the ratware ones that say they are me (my ip blocks or 
> localhost or my own FQDN).  ;-)
>

RFC 2821 states that a sender *MUST* start an SMTP transaction with a
HELO/EHLO command, and that the syntax of the command is:

        ehlo            = "EHLO" SP Domain CRLF
        helo            = "HELO" SP Domain CRLF

It also states that the domain *MUST* be either a FQDN or a bracketed IP
address, and explicitly forbids the use of any other format.

Before we put an "email security appliance" in front of our inbound MTA's,
we were rejecting messages from systems which used anything other than a
FQDN or bracketed IP address as the HELO/EHLO parameter. We had to exempt
our own net block from this restriction, due to the number of broken MS
systems which HELO'd with their Netbios name. We experienced a noticeable
reduction in the volume of spam and virus traffic accepted at the SMTP level
when we implemented this policy. We returned an error message with a URL
pointing to a page that explained the reason for the rejection. When remote
sites complained about the rejections, we referred them to the web page,
explained that most of the systems exhibiting this behavior were either owned
or controlled by spammers, and suggested that they fix their broken systems.
To the best of my knowledge, no one complained twice.

The prohibition on rejection seems to apply to situations in which the
HELO/EHLO parameter does not match the DNS name. Technically, the use of a
syntactically invalid domain name on the HELO/EHLO parameter is a subset of
the cases in which the HELO/EHLO parameter does not match the DNS name, but
we were not comparing the HELO/EHLO parameter to the DNS name and rejecting
due to the mismatch; we were rejecting because the HELO/EHLO parameter was
syntactically invalid.

This issue was discussed at length on the SPAM-L list a few months ago. If
I recall correctly, most posters seemed to agree that sites which rejected
for this reason were probably not violating the RFC, but were likely to
experience a large number of false positives. At least one site reported
adding points to the SA score on messages from systems which used
syntactically invalid HELO/EHLO parameters.

--
Paul Russell
Senior Systems Administrator
OIT Messaging Services Team
University of Notre Dame

More information about the MIMEDefang mailing list