[Mimedefang] Revisit: Filtering on HELO
Dirk the Daring
dirk at psicorps.org
Thu Mar 15 21:56:56 EDT 2007
All,
Back in November of last year, there was a brief discussion on this
list concerning filtering based on HELO/EHLO. Specifically, requiring a
fully-qualified domain name (FQDN) in HELO. Due to family issues back
then, I didn't have the time necessary to get into an extended discussion
of the topic, but now I'd like to re-visit the subject.
I find HELO-filtering very effective in stopping spammers before they
get to waste my resources. After all, why bother with RBLs, Clam and/or
SpamAssassin if the spammer is stoopid enuf to tip their hand at HELO? At
the same time, I don't want to create a situation where my filter has a
great risk of false-positives.
The specific filter code that drew objection was:
    # If the HELO is an FQDN, the index and rindex of "." will not be
    # the same
    # This catches the spammer using domain.tld (which will slip
    # by Check #2)
    if ( index($helo, ".") == rindex($helo, ".") )
    {
        # Reject connection - invalid HELO
        return('REJECT', "INVALID HELO/EHLO: $helo is not FQDN");
    }
It was placed after a number of other checks that weeded out garbage
like "HELO localhost", "HELO -32189427435" and other obviously-fraudulent
HELO strings (such as a HELO of the receiving host's IP address or
domain).
Some objections were posted, and the relevant posts are in
the mailing list archive -->
http://lists.roaringpenguin.com/pipermail/mimedefang/2006-November/031192.html
My subject today is a specific objection that was raised, to wit:
"(I don't recall any prohibition on a host's name being just its
registered domain, domain.tld)"
Since then, I've done some research. RFC 2821, Section 4.1.1.1, states
(with regard to the HELO and EHLO commands):
The argument field contains the fully-qualified domain name
of the SMTP client if one is available. In situations in which
the SMTP client system does not have a meaningful domain name
(e.g., when its address is dynamically allocated and no reverse
mapping record is available), the client SHOULD send an address
literal (see section 4.1.3), optionally followed by information
that will help to identify the client system.
Which begs the question, what is the definition of "fully-qualified
domain name"? It turns out the term is defined in RFC 1983, which states
on Page 21:
Fully Qualified Domain Name (FQDN)
The FQDN is the full name of a system, rather than just
its hostname. For example, "venera" is a hostname and
"venera.isi.edu" is an FQDN.
So, I stand by my original filter code, which would reject a
"domain.tld" argument to EHLO (or HELO) as not being an FQDN. If the HELO
is not an address literal, then it should be an FQDN.
I've noted that sendmail v8.14.0 introduced the new
FEATURE(`block_bad_helo'), which seems to do some similar HELO-filtering
tasks. However, I've not been able to find any detailed documentation on
exactly how it operates. Looking at the code (srvrsmtp.c, circa lines
1987) it looks fairly liberal. Also, some of the more-useful checks are in
PICKY_HELO_CHECK (srvrsmtp.c, circa line 2286), which is a compile-time
option.
Discussion on this topic is welcome.
Dirk
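The check described in the post, written out as a complete filter that can be run on its own. This is an added example, not code from the post or from the MIMEDefang project. It goes beyond the post's single index/rindex test: it first accepts the RFC 2821 address-literal form ("[1.2.3.4]" or "[IPv6:...]"), then applies the kinds of obvious-garbage checks the post mentions ("localhost", a bare number, the receiving host's own name or IP), then requires the argument to look like a domain name at all, and only then applies the "domain.tld is not an FQDN" test. The receiving host's name and address ($MY_HOSTNAME, $MY_IP), the sample HELO strings, the bare-IP rejection, and the syntax check are all constructed for the example. The filter_helo hook name and argument order are an assumption taken from the mimedefang-filter documentation; check them against your installed version.

```perl
#!/usr/bin/perl
# Added example, not from the original post or MIMEDefang itself.
use strict;
use warnings;

# Constructed identity of the receiving host; replace with your own values.
my $MY_HOSTNAME = 'mx.example.net';
my $MY_IP       = '192.0.2.25';

# Return ('CONTINUE', 'ok') or ('REJECT', reason) for one HELO/EHLO argument.
sub helo_verdict {
    my ($helo) = @_;
    my $h = lc(defined $helo ? $helo : '');
    $h =~ s/^\s+|\s+$//g;

    return ('REJECT', 'empty HELO/EHLO') if $h eq '';

    # RFC 2821 4.1.3 address literal: accepted when well formed. A stricter
    # filter could additionally compare it with the connecting IP.
    if ($h =~ /^\[(.*)\]$/) {
        my $lit = $1;
        return ('CONTINUE', 'ok')
            if $lit =~ /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/
               && !(grep { $_ > 255 } ($1, $2, $3, $4));
        return ('CONTINUE', 'ok') if $lit =~ /^ipv6:[0-9a-f:.]+$/;
        return ('REJECT', "malformed address literal: $helo");
    }

    # Check #1: obviously fraudulent names of the kinds the post lists.
    return ('REJECT', "$helo is not your name")
        if $h eq 'localhost' || $h eq 'localhost.localdomain';
    return ('REJECT', "$helo is not a hostname") if $h =~ /^-?\d+$/;
    # A bare dotted quad is neither a domain name nor a bracketed literal
    # (this also covers a HELO of our own IP address).
    return ('REJECT', "$helo is a bare IP, not a name or [address literal]")
        if $h =~ /^\d{1,3}(\.\d{1,3}){3}$/;
    return ('REJECT', "$helo is my name, not yours") if $h eq lc($MY_HOSTNAME);

    # Check #2: syntactically a domain name (labels of letters, digits, hyphens).
    return ('REJECT', "$helo is not a valid domain name")
        unless $h =~ /^[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?(\.[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?)+$/;

    # Check #3, the post's test: exactly one "." means "domain.tld", not an
    # FQDN such as "host.domain.tld". index==rindex would also match zero
    # dots, but check #2 already requires at least one.
    return ('REJECT', "INVALID HELO/EHLO: $helo is not FQDN")
        if index($h, '.') == rindex($h, '.');

    return ('CONTINUE', 'ok');
}

# MIMEDefang hook (assumed shape from mimedefang-filter(5): client IP,
# its reverse-DNS name, then the HELO argument). MIMEDefang uses the
# returned verdict to accept or reject the session.
sub filter_helo {
    my ($hostip, $hostname, $helo) = @_;
    return helo_verdict($helo);
}

# Constructed sample HELO arguments with the verdict each should receive.
my @samples = (
    ['mail.example.org',   'CONTINUE'],
    ['example.org',        'REJECT'],    # domain.tld: the disputed case
    ['[192.0.2.7]',        'CONTINUE'],  # IPv4 address literal
    ['[IPv6:2001:db8::1]', 'CONTINUE'],  # IPv6 address literal
    ['localhost',          'REJECT'],
    ['-32189427435',       'REJECT'],
    ['mx.example.net',     'REJECT'],    # our own name
    ['192.0.2.25',         'REJECT'],    # bare IP, not bracketed
    ['',                   'REJECT'],
);

# Only run the demonstration when executed directly, not when required
# into a filter.
unless (caller) {
    for my $s (@samples) {
        my ($verdict, $reason) = helo_verdict($s->[0]);
        printf "%-22s %-8s %s%s\n", "'$s->[0]'", $verdict, $reason,
            $verdict eq $s->[1] ? '' : '  <-- UNEXPECTED';
    }
}
```

The ordering matters for the false-positive concern raised in the post: the address-literal branch runs first so that a legitimate client with no reverse mapping, which RFC 2821 tells to send "[a.b.c.d]", is never caught by the FQDN test. Check #2 is the strictest part: it rejects labels containing underscores, which RFC hostnames forbid but some legitimate Windows hosts send in HELO, so if that shows up in your reject log you may prefer to loosen the character class rather than drop the FQDN test.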