Re: [Exim] Re: Now well off-topic

Author: Exim Users Mailing List
Date:  
To: Alun
CC: Exim Users Mailing List
Subject: Re: [Exim] Re: Now well off-topic
[ On Tuesday, July 1, 2003 at 09:03:38 (+0100), Alun wrote: ]
> Subject: [Exim] Re: Now well off-topic
>
> Can we hit reality here at some point? I run Aberystwyth's mail servers. Out
> of interest, I turned on logging of "helo" data yesterday morning. In the
> last 23 hours it's logged 44082 messages from outside Aber. Of those, 2490
> had only one component to the name given by "helo".
>
> Forgetting any other considerations of correctness/reverse dns/whatever, if
> I blocked 1 in every 18 messages coming in from outside on the basis of
> invalid HELO alone, I'd be chased by a horde of people with flaming torches.


You can't be sure unless you've also examined the content of those
messages.

> HELO data might be a diagnostic pointer to possible spam, but that's about
> all I think anyone running a medium to big site would dare to use it for in
> the real world.


I and others have noticed for many years now that the vast majority of
foreign clients that use such completely invalid hostnames are spammers
and spammers alone.

Many ISPs with diverse user bases commonly reject all HELO commands with
invalid syntax (including underscores, but especially unqualified names
and incorrectly formatted address literals). Of those ISPs who do this
and which I help support, I know that only a very tiny fraction of the
blocked messages ever result in any complaints from either customers or
from the client-SMTP sites.

Here's a tiny snippet of the stats from one such ISP for yesterday's
24 hours of traffic:

           87400  Total incoming SMTP connections.


             812  connections rejected by smtp_reject_hosts.
            3077  connections rejected by possible invalid address literal syntax
           37707  connections rejected by DNSBL
             115  connections rejected by smtp_hello_reject_hostnames.
            1541  connections rejected by invalid hello operand
            9814  connections rejected by unqualified hello operand
              13  connections rejected by no such host and no valid PTR
            8602  connections rejected by broken PTR or spoofed DNS


We've never had any complaints from customers that traced back to a
problem with invalid address literal syntax.

Over the past five years or so we've probably only had a handful of
complaints related to unqualified hostnames, and those were fixed by the
postmasters of the offending sites in a matter of hours.

We do get regular complaints about those in the last category (broken
PTR or spoofed DNS). Sites such as supernews.com might fall into that
category, though few are multi-homed servers like theirs, and instead
are just completely DNS-naive people who gladly accept the help we offer
and fix their DNS as soon as possible. Oddly though many of those sites
never contact us for help and none of our users ever complain that they
are not getting any e-mail from such sites and thus we must conclude
that they are probably spammers too.

As you might guess from the above stats this ISP in particular doesn't
reject HELO commands if the hostname doesn't resolve to a matching A
record. Most small ISPs I deal with don't feel they can afford to block
the likes of hotmail.com and msn.com, especially when their competitors
don't do so either. It would be really wonderful if a significant
number of ISPs could simply pull the plug on Hotmail until they fixed
their stupid mailers, but I guess we won't see that happen any day soon
and the only pressure on Hotmail and their ilk will come from private
sites like mine where we have no known correspondents using such
services.

(note those 13 with "no such host and no valid PTR" are probably clients
that used a valid address literal but which don't have PTRs -- we
require PTRs only for clients using address literals)

--
                                Greg A. Woods


+1 416 218-0098;            <g.a.woods@???>;           <woods@???>
Planix, Inc. <woods@???>; VE3TCP; Secrets of the Weird <woods@???>
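
As an added example (not part of the original message, and not the ISP's or Exim's own code), the Python below sorts HELO operands into the syntax categories named in the stats above. The category rules, including treating a bare dotted quad as a malformed address literal, are assumptions based on RFC 5321 and RFC 1123 syntax, and the sample operands are constructed.

```python
import ipaddress
import re

# One DNS label per RFC 1123: letters, digits, interior hyphens; no underscore.
LABEL = re.compile(r"[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?")

def _classify_literal(operand):
    """Check a bracketed operand against RFC 5321 address-literal syntax."""
    if not (operand.startswith("[") and operand.endswith("]")):
        return "invalid address literal syntax"
    body = operand[1:-1]
    try:
        if body.lower().startswith("ipv6:"):
            ipaddress.IPv6Address(body[5:])
        else:
            ipaddress.IPv4Address(body)
    except ValueError:
        return "invalid address literal syntax"
    return "ok: address literal"

def classify_helo(operand):
    """Return the syntax category of a HELO/EHLO operand (no DNS lookups)."""
    if not operand:
        return "invalid hello operand"
    # Anything carrying a bracket is treated as an attempted address literal.
    if operand.startswith("[") or operand.endswith("]"):
        return _classify_literal(operand)
    # Assumption: a bare dotted quad is an address literal missing its brackets.
    try:
        ipaddress.IPv4Address(operand)
        return "invalid address literal syntax"
    except ValueError:
        pass
    name = operand[:-1] if operand.endswith(".") else operand
    labels = name.split(".")
    if len(name) > 253 or not all(LABEL.fullmatch(l) for l in labels):
        return "invalid hello operand"      # underscores, empty labels, etc.
    if len(labels) < 2:
        return "unqualified hello operand"  # single-component name
    return "ok: qualified hostname"

def tally(operands):
    """Count operands per category, like the daily stats in the message."""
    counts = {}
    for op in operands:
        counts[classify_helo(op)] = counts.get(classify_helo(op), 0) + 1
    return counts

# Constructed sample operands (not taken from any real log).
SAMPLE = ["mail.example.org", "localhost", "my_pc.example.net",
          "192.0.2.25", "[192.0.2.25]", "[IPv6:2001:db8::1]", "[192.0.2]"]
```

Running `tally()` over logged HELO operands before enabling any rejection gives the per-category counts needed to judge how much traffic each rule would affect.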