[Mimedefang] Revisit: Filtering on HELO
Jeff Rife
mimedefang at nabs.net
Mon Mar 26 08:33:39 EDT 2007
On 25 Mar 2007 at 21:22, Philip Prindeville wrote:
> > And, since you can stop so much without ever violating the RFC on HELO,
> > why even bother? Tossing out non-FQDN, IP addresses (not address-
> > literals, but bare IPs), and hostnames/address literals that resolve to
> > non-routable IPs would leave you with almost nothing left that wouldn't
> > "verify".
> >
>
> Huh? You've just said that you can't toss out anything
> that comes from the HELO command, if you're arguing for
> strict compliance with RFC-1123, section 5.2.5.
No, the various RFCs 821/2821/1123 say you can't reject the HELO
because it doesn't resolve to the same IP that the connection came
from. But, you can toss it for other reasons, like violating syntax.
From RFC 2821:
Only resolvable, fully-qualified, domain names (FQDNs) are permitted
when domain names are used in SMTP.
The domain name given in the EHLO command MUST BE either a primary
host name (a domain name that resolves to an A RR) or, if the host
has no name, an address literal as described in section 4.1.1.1.
This allows you to toss everything I said that you quoted above.
> > I don't even bother with the full check for resolving to non-routable
> > IPs (I don't do any DNS checks, so I only toss obvious ones) and still
> > see HELO checking stopping about half the potential spam, with
> > greylisting stopping the other half. Only about 2-5% of what was
> > obviously spam makes it through to SpamAssassin.
> >
>
> Again, I'm not understanding what you're saying. The one
> test that RFC-1123 sanctions is ensuring that the name
> is an FQDN that's resolvable... You're saying you don't
> make this test?
Correct, because it is *slow*, especially for sources that are truly
bad. By simply doing some smart coding (no dots in the name means not
FQDN, bogon IP as an address literal isn't resolvable, one of my
domains in the hostname would resolve to a private address *for me*,
etc.), I avoid an expensive network check but still cover almost all
real-life problem sources.
I've tested things like this before by running them before the virus
and spam filtering but after everything else, and have found that the
following catch only around 5% of what was left, which just isn't
enough to be worth the time:
- non-resolvable HELO argument
- sender e-mail address doesn't exist (using callback to check)
--
Jeff Rife | "What's goin' on down here?"
| "Oh, we're playing house."
| "But, that boy is all tied up."
| "...Roman Polanski's house."
| -- Lois and Stewie Griffin, "Family Guy"
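The cheap, DNS-free HELO checks described in the message above (no dot in the name, a bare IP where a hostname should be, an address literal with a non-routable IP, a hostname that claims one of the receiving site's own domains), written out as an added example. This is illustration code, not MIMEDefang's own filter code; in a real deployment the same logic would live in the Perl `filter_helo` hook. `MY_DOMAINS` and the sample HELO strings are constructed for the example, and the "IPv6:" address-literal tag handling follows RFC 2821 section 4.1.3 as an assumption about what the site would want to accept.

```python
import ipaddress
import re

# Constructed for the example: domains this server is authoritative for.
# A remote client that greets us with one of our own names is lying.
MY_DOMAINS = ("example.net",)

# One DNS label: letters/digits, optional inner hyphens, 1..63 chars (RFC 1123 syntax).
LABEL_RE = re.compile(r"^[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")


def classify_helo(helo):
    """Return (accept, reason) for a HELO/EHLO argument using syntax-only checks.

    No network lookups are made; this is the fast pre-filter the message argues
    for, intended to run before the expensive resolvability check (if any).
    """
    helo = helo.strip()
    if not helo:
        return False, "empty HELO"

    # Address literal: "[1.2.3.4]" or "[IPv6:...]" per RFC 2821 section 4.1.1.1 / 4.1.3.
    if helo.startswith("[") and helo.endswith("]"):
        inner = helo[1:-1]
        if inner.lower().startswith("ipv6:"):
            inner = inner[5:]
        try:
            ip = ipaddress.ip_address(inner)
        except ValueError:
            return False, "malformed address literal"
        # Private, loopback, link-local, reserved and documentation ranges are
        # all non-global: a bogon literal can never be a legitimate public sender.
        if not ip.is_global:
            return False, "address literal is non-routable"
        return True, "address literal with routable IP"

    # A bare IP (no brackets) is neither a domain name nor an address literal.
    try:
        ipaddress.ip_address(helo)
        return False, "bare IP address is not a valid HELO argument"
    except ValueError:
        pass

    # No dot means it cannot be fully qualified, so skip DNS entirely.
    if "." not in helo:
        return False, "no dots, not an FQDN"

    host = helo.rstrip(".").lower()
    labels = host.split(".")
    if not all(LABEL_RE.match(label) for label in labels):
        return False, "invalid hostname syntax"

    # A hostname under one of our own domains would resolve to *our* (possibly
    # private) address, so a remote client presenting it is rejected outright.
    for domain in MY_DOMAINS:
        if host == domain or host.endswith("." + domain):
            return False, "claims to be one of my own domains"

    return True, "syntactically plausible FQDN"


if __name__ == "__main__":
    # Constructed sample HELO arguments, covering each rule above.
    for sample in ("localhost", "192.0.2.10", "[10.0.0.5]", "[1.2.3.4]",
                   "mail.example.net", "mx1.example.org", "my_host.example.org"):
        accept, reason = classify_helo(sample)
        print("%-20s %-6s %s" % (sample, "accept" if accept else "reject", reason))
```

Every rejection here is a decision the RFC 2821 text quoted in the message already permits (the argument is not an FQDN or a valid address literal), so none of these checks depends on the resolved IP matching the connecting peer.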