[Mimedefang] Revisit: Filtering on HELO

Jeff Rife mimedefang at nabs.net
Mon Mar 26 08:33:39 EDT 2007


On 25 Mar 2007 at 21:22, Philip Prindeville wrote:

> > And, since you can stop so much without ever violating the RFC on HELO, 
> > why even bother?  Tossing out non-FQDN, IP addresses (not address-
> > literals, but bare IPs), and hostnames/address literals that resolve to 
> > non-routable IPs would leave you with almost nothing left that wouldn't 
> > "verify".
> >   
> 
> Huh?  You've just said that you can't toss out anything
> that comes from the HELO command, if you're arguing for
> strict compliance with RFC-1123, section 5.2.5.

No, the various RFCs 821/2821/1123 say you can't reject the HELO 
because it doesn't resolve to the same IP that the connection came 
from.  But, you can toss it for other reasons, like violating syntax.

From RFC 2821:

  Only resolvable, fully-qualified, domain names (FQDNs) are permitted
  when domain names are used in SMTP.

  The domain name given in the EHLO command MUST BE either a primary
  host name (a domain name that resolves to an A RR) or, if the host
  has no name, an address literal as described in section 4.1.1.1.

This allows you to toss everything I said that you quoted above.

> > I don't even bother with the full check for resolving to non-routable 
> > IPs (I don't do any DNS checks, so I only toss obvious ones) and still 
> > see HELO checking stopping about half the potential spam, with 
> > greylisting stopping the other half.  Only about 2-5% of what was 
> > obviously spam makes it through to SpamAssassin.
> >   
> 
> Again, I'm not understanding what you're saying.  The one
> test that RFC-1123 sanctions is ensuring that the name
> is an FQDN that's resolvable...  You're saying you don't
> make this test?

Correct, because it is *slow*, especially for sources that are truly 
bad.  By simply doing some smart coding (no dots in the name means not 
FQDN, bogon IP as an address literal isn't resolvable, one of my 
domains in the hostname would resolve to a private address *for me*, 
etc.), I avoid an expensive network check but still cover almost all 
real-life problem sources.

I've tested things like this before by running them before the virus 
and spam filtering but after everything else, and have found that the 
following catch only around 5% of what was left, which just isn't 
enough to be worth the time:

- non-resolvable HELO argument
- sender e-mail address doesn't exist (using callback to check)


--
Jeff Rife | "What's goin' on down here?" 
          | "Oh, we're playing house." 
          | "But, that boy is all tied up." 
          | "...Roman Polanski's house." 
          |         -- Lois and Stewie Griffin, "Family Guy" 
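As an added example (not code from this thread or from the MIMEDefang project), here is the DNS-free HELO triage described above written as a Python function rather than a MIMEDefang Perl filter: no dot means not an FQDN, a bare IP is not a domain name, a non-routable address literal cannot be "resolvable", and a HELO claiming one of the receiving site's own domains from an outside connection is bogus. `MY_DOMAINS` is a constructed placeholder for the operator's own domains.

```python
import ipaddress
import re
from typing import Tuple

# Constructed placeholder: the receiving site's own domains (assumption).
MY_DOMAINS = {"example.com", "example.net"}

# RFC 2821 address literal: [1.2.3.4] or [IPv6:2001:db8::1]
ADDRESS_LITERAL = re.compile(r"^\[(.+)\]$")
# One hostname label: alphanumerics and hyphens, no leading/trailing hyphen
LABEL = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?$")


def _non_routable(ip) -> bool:
    """True for addresses no legitimate MTA could be reached at from outside."""
    return (ip.is_private or ip.is_loopback or ip.is_link_local
            or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def check_helo(helo: str) -> Tuple[bool, str]:
    """Return (accept, reason) using only local syntactic checks, no DNS."""
    helo = helo.strip()
    if not helo:
        return False, "empty HELO argument"
    m = ADDRESS_LITERAL.match(helo)
    if m:
        literal = m.group(1)
        if literal.lower().startswith("ipv6:"):
            literal = literal[5:]
        try:
            ip = ipaddress.ip_address(literal)
        except ValueError:
            return False, "malformed address literal"
        if _non_routable(ip):
            return False, "address literal is a non-routable (bogon) address"
        return True, "routable address literal"
    try:  # an unbracketed IP is not a domain name at all
        ipaddress.ip_address(helo)
        return False, "bare IP address is not a FQDN"
    except ValueError:
        pass
    labels = helo.rstrip(".").lower().split(".")
    if len(labels) < 2:
        return False, "no dot in name: not fully qualified"
    if not all(LABEL.match(l) for l in labels) or len(labels[-1]) < 2:
        return False, "invalid hostname syntax"
    host = ".".join(labels)
    if any(host == d or host.endswith("." + d) for d in MY_DOMAINS):
        return False, "claims one of my own domains from outside"
    return True, "syntactically acceptable; DNS check deferred"
```

Only the syntactically plausible survivors would go on to the expensive resolution or callback checks the post says are not worth running on everything.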