[Mimedefang] Re: Requiring FQDN in HELO

Paul Whittney pwhittney at net.arrivetech.com
Fri Dec 30 18:03:32 EST 2005


I think I found that doing too much blocking on the helo line caused too many
dropped emails, so I dropped only on those systems pretending to be our
IP address. While reading all the email here, I looked over my filter, and
found I'd left logging turned on for a helo with no period in it. I must have
been looking into the helo blocking with the mindset of "only domains
and IPs allowed, therefore everything without a . in it must be bad" (not
sure if the logic is correct, which is probably why I left it alone ;-)

I also looked at checking the hostip in filter_sender with the IP passed 
in the helo.
(I think I got this from somewhere else, sorry for the reproduction):
  if ($helo =~ /^\[?(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})\]?$/
	and $1 ne $hostip) {

Since I keep 30 days of logs, I thought I'd see what it turns up:
	out of 78963 emails,
	6246 tripped the no-dots.
	2923 tripped the hostip != helo
	1752 tripped the local-helo (our domain from external)
	6 tripped the "forged AOL"

That last one seems to be a waste of programming; this was something I
wanted to test after reading:
http://postmaster.aol.com/faq/mailerfaq.html#syntax
which came out as:
 if ($sender =~ /\@aol\.com$/ && $sender ne 'mailer-daemon@aol.com'
	&& $sender !~ /^[a-z][a-z0-9]{2,15}\@aol\.com$/) {

But the effort of checking just to catch 6 of 78000 emails doesn't seem
worth it.

I started to look at the no-dots logs, and there are some that look like:
IP, helo
218.238.171.96,q8yCOr
218.238.171.96,FMlje4vD
218.238.171.96,WHb7br2w
and within the same minute.

Is it likely the same IP would email multiple times, using random HELOs?
I suppose it could be a NAT'd connection, and some firewall altering
the helo headers on the fly.

Also I've seen:
221.208.147.6,-1208586384

And at least half of the entries are the numerical field (both negative
and positive, but the numbers don't repeat). Perhaps a spam program's htons
has broken, or something. I think I might look into blocking localhost
for all external IPs, but it only accounts for 540 emails.

-Paul

-- 
Paul Whittney                                  ArriveTech, Inc.
Network Specialist / Systems Engineer         / |670 West 36th Street,
                                             /--|Erie, PA, 16508, USA
PWhittney [at] arrivetech.com (Main)        /   |www.arrivetech.com 
PWhittney [at] net.arrivetech.com (Aux)    /    |Tel: 814 868 3306
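The four log-only checks Paul describes (no dot in the HELO, an IP-literal HELO that differs from the connecting address, an external host announcing our own domain, and the AOL screen-name syntax rule), written out as an added Perl example that is neither Paul's filter nor MIMEDefang's own code. It assumes the values filter_sender() sees: $hostip is the peer address, $helo is the raw HELO argument, and $sender is the envelope sender in the angle-bracket form MIMEDefang passes (so the brackets are stripped before the AOL regex is applied, which the one-liner in the post does not do). The local domain, the "internal" address ranges and the log records are constructed for the example.

```perl
#!/usr/bin/perl
# Added example: the HELO/sender checks from the post as plain functions,
# tallied over a constructed sample the way a 30-day log review would be.
use strict;
use warnings;

my $OUR_DOMAIN = 'example.com';   # constructed stand-in for the local domain

# 1. HELO is an IP literal (bracketed or not) that is not the peer's address.
sub helo_ip_mismatch {
    my ($helo, $hostip) = @_;
    return ($helo =~ /^\[?(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})\]?$/
            and $1 ne $hostip) ? 1 : 0;
}

# 2. HELO contains no dot, so it is neither an FQDN nor an IP literal.
sub helo_has_no_dot {
    my ($helo) = @_;
    return ($helo !~ /\./) ? 1 : 0;
}

# 3. An external peer announces our own domain (or a host inside it).
sub helo_is_local_name {
    my ($helo, $hostip) = @_;
    # constructed "internal" ranges; real filters would use their own list
    return 0 if $hostip =~ /^(127\.|10\.|192\.168\.)/;
    return ($helo =~ /(^|\.)\Q$OUR_DOMAIN\E$/i) ? 1 : 0;
}

# 4. AOL screen-name rule from the post: an aol.com sender other than
#    mailer-daemon must be 3-16 chars, first a letter, then letters/digits.
sub sender_is_forged_aol {
    my ($sender) = @_;
    (my $addr = lc $sender) =~ s/^<(.*)>$/$1/;   # drop MIMEDefang's angle brackets
    return 0 unless $addr =~ /\@aol\.com$/;
    return 0 if $addr eq 'mailer-daemon@aol.com';
    return ($addr !~ /^[a-z][a-z0-9]{2,15}\@aol\.com$/) ? 1 : 0;
}

# Count how often each check fires over [hostip, helo, sender] records.
sub tally {
    my (@records) = @_;
    my %n = (total => 0, no_dots => 0, ip_mismatch => 0,
             local_helo => 0, forged_aol => 0);
    for my $r (@records) {
        my ($hostip, $helo, $sender) = @$r;
        $n{total}++;
        $n{no_dots}++     if helo_has_no_dot($helo);
        $n{ip_mismatch}++ if helo_ip_mismatch($helo, $hostip);
        $n{local_helo}++  if helo_is_local_name($helo, $hostip);
        $n{forged_aol}++  if sender_is_forged_aol($sender);
    }
    return \%n;
}

# Constructed sample records (documentation-range IPs, fictional addresses),
# including the random-token and bare-integer HELOs the post mentions.
my @sample = (
    ['203.0.113.5',  'mail.example.org', '<bob@example.org>'],
    ['203.0.113.9',  'q8yCOr',           '<x@example.net>'],   # random token, no dot
    ['203.0.113.9',  '-1208586384',      '<y@example.net>'],   # bare integer, no dot
    ['203.0.113.20', '[198.51.100.7]',   '<z@example.net>'],   # IP literal != peer
    ['203.0.113.21', '203.0.113.21',     '<z@example.net>'],   # IP literal == peer, fine
    ['203.0.113.30', 'mx.example.com',   '<w@example.net>'],   # claims our domain
    ['203.0.113.40', 'relay.aol.com',    '<J@aol.com>'],       # too short for the AOL rule
    ['203.0.113.41', 'relay.aol.com',    '<mailer-daemon@aol.com>'],
    ['203.0.113.42', 'relay.aol.com',    '<goodname42@aol.com>'],
);

if (!caller) {
    my $n = tally(@sample);
    printf "%-12s %d\n", $_, $n->{$_} for sort keys %$n;
}
1;
```

Run as a script it prints one line per counter; over the sample above, no_dots fires twice, ip_mismatch once, local_helo once and forged_aol once. Keeping each check in its own function makes it easy to do what the post does, log each hit for a month and only then decide which checks are worth turning into rejections.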


