[Mimedefang] Re: Requiring FQDN in HELO
Paul Whittney
pwhittney at net.arrivetech.com
Fri Dec 30 18:03:32 EST 2005
I think I found that doing too much blocking on the helo line caused too many
dropped emails, so I dropped only on those systems pretending to be our
IP address. While reading all the email here, I looked over my filter, and
found I'd left logging turned on for a helo with no period in it. I must have
been looking into the helo blocking with the mind set of "only domains
and IPs allowed, therefore everything without a . in it must be bad" (not
sure if the logic is correct, which is probably why I left it alone ;-)
I also looked at checking the hostip in filter_sender with the IP passed
in the helo.
(I think I got this from somewhere else, sorry for the reproduction):
if ($helo =~ /^\[?(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})\]?$/
and $1 ne $hostip) {
Since I keep 30 days of logs, I thought I'd see what it turns up;
out of 78963 emails,
6246 tripped the no-dots.
2923 tripped the hostip != helo
1752 tripped the local-helo (our domain from external)
6 tripped the "forged AOL"
That last one seems to be a waste of programming, this was something I
wanted to test after reading:
http://postmaster.aol.com/faq/mailerfaq.html#syntax
which came out as:
if ($sender =~ /\@aol\.com$/ && $sender ne 'mailer-daemon@aol.com'
&& $sender !~ /^[a-z][a-z0-9]{2,15}\@aol\.com$/) {
But the effort of checking just to catch 6 of 78000 emails doesn't seem
worth it.
I started to look at the no-dots logs, and there are some that look like:
IP, helo
218.238.171.96,q8yCOr
218.238.171.96,FMlje4vD
218.238.171.96,WHb7br2w
and within the same minute.
Is it likely the same IP would email multiple times, using random HELOs?
I suppose it could be a NAT'd connection, and some firewall altering
the helo headers on the fly.
Also I've seen:
221.208.147.6,-1208586384
And at least half of the entries are the numerical field (both negative
and positive, but the numbers don't repeat). Perhaps a spam program's htons
has broken, or something. I think I might look into blocking localhost
for all external IPs, but it only accounts for 540 emails.
-Paul
--
Paul Whittney, ArriveTech, Inc.
Network Specialist / Systems Engineer
670 West 36th Street, Erie, PA, 16508, USA
PWhittney [at] arrivetech.com (Main)
PWhittney [at] net.arrivetech.com (Aux)
www.arrivetech.com
Tel: 814 868 3306
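The checks tallied in the post above (no-dots, HELO literal vs. connecting IP, local HELO from outside, the AOL sender syntax, and the localhost case the post considers adding), collected into one MIMEDefang-shaped filter_sender, as an added example that is not code from the post or from the MIMEDefang project. The local domain (example.com), the local MX address (192.0.2.25) and the log entries tallied at the bottom are all constructed assumptions; the filter_sender signature and return values and the md_syslog name are MIMEDefang's.

```perl
#!/usr/bin/perl
# Added example (not code from the post or from MIMEDefang): the HELO and
# sender checks discussed in the post, as a MIMEDefang-style filter_sender
# plus a standalone tally over constructed log entries.
use strict;
use warnings;

my $LOCAL_DOMAIN = 'example.com';      # assumption: the domain we receive for
my @LOCAL_IPS    = ('192.0.2.25');     # assumption: our own MX address(es)

# Returns the names of every check a (helo, connecting IP, sender) triple trips.
sub helo_checks {
    my ($helo, $hostip, $sender) = @_;
    my @hits;
    my $from_outside = !grep { $_ eq $hostip } @LOCAL_IPS;

    # no-dots: neither a hostname nor an IPv4 literal can lack a '.'
    push @hits, 'no-dots' if $helo !~ /\./;

    # hostip != helo: an address literal that is not the connecting address.
    # $1 is safe to read here: && only evaluates it after the match succeeded.
    if ($helo =~ /^\[?(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})\]?$/ && $1 ne $hostip) {
        push @hits, 'hostip-mismatch';
    }

    # local-helo: our domain, or one of our IPs, announced by an outside host
    if ($from_outside
        && ($helo =~ /(?:^|\.)\Q$LOCAL_DOMAIN\E$/i
            || grep { $helo eq $_ || $helo eq "[$_]" } @LOCAL_IPS)) {
        push @hits, 'local-helo';
    }

    # localhost from an outside host (the check the post considers adding)
    push @hits, 'localhost'
        if $from_outside && $helo =~ /^(?:localhost(?:\.localdomain)?|\[?127\.0\.0\.1\]?)$/i;

    # forged AOL: an aol.com sender that is not a plausible screen name.
    # Case-insensitive here, unlike the post's version; angle brackets are
    # stripped because MIMEDefang hands filter_sender the sender as <addr>.
    if (defined $sender) {
        (my $addr = lc $sender) =~ s/^<(.*)>$/$1/;
        if ($addr =~ /\@aol\.com$/ && $addr ne 'mailer-daemon@aol.com'
            && $addr !~ /^[a-z][a-z0-9]{2,15}\@aol\.com$/) {
            push @hits, 'forged-aol';
        }
    }
    return @hits;
}

# MIMEDefang entry point: ($sender, $hostip, $hostname, $helo).
# As in the post, only a HELO claiming our own address is rejected; everything
# else is logged (md_syslog exists only inside MIMEDefang, hence the guard).
sub filter_sender {
    my ($sender, $hostip, $hostname, $helo) = @_;
    my @hits = helo_checks($helo, $hostip, $sender);
    if (@hits && defined &main::md_syslog) {
        main::md_syslog('info', "helo=$helo ip=$hostip hits=" . join(',', @hits));
    }
    my $claims_our_ip = grep { $helo eq $_ || $helo eq "[$_]" } @LOCAL_IPS;
    if (grep { $_ eq 'local-helo' } @hits and $claims_our_ip) {
        return ('REJECT', "HELO $helo claims to be this server");
    }
    return ('CONTINUE', 'ok');
}

unless (caller) {
    # Constructed (connecting IP, HELO, sender) entries in the post's log style
    my @log = (
        ['218.238.171.96', 'q8yCOr',            '<x@example.net>'],
        ['221.208.147.6',  '-1208586384',       '<y@example.net>'],
        ['203.0.113.7',    '[10.0.0.1]',        '<z@example.net>'],
        ['203.0.113.8',    'mx.example.com',    '<z@example.net>'],
        ['203.0.113.9',    '192.0.2.25',        '<z@example.net>'],
        ['203.0.113.10',   'localhost',         '<z@example.net>'],
        ['203.0.113.11',   'relay.example.net', '<a1@aol.com>'],
        ['203.0.113.12',   'relay.example.net', '<bob@aol.com>'],
    );
    my %count;
    for my $e (@log) {
        $count{$_}++ for helo_checks($e->[1], $e->[0], $e->[2]);
        my ($verdict) = filter_sender($e->[2], $e->[0], '', $e->[1]);
        printf "%-16s %-18s %s\n", $e->[0], $e->[1], $verdict;
    }
    printf "%-16s %d\n", $_, $count{$_} for sort keys %count;
}
```

Run directly it prints the verdict per entry and the per-check counts; dropped into mimedefang-filter it is only reached if mimedefang was started with -s, which enables the filter_sender callback. Note that the no-dots check also counts the localhost and bare-number cases, so the categories overlap, exactly as the post's tallies do.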