Re: [Exim] forged HELO/EHLO addresses

Author: Alan J. Flavell
Date:  
To: Chris Edwards
CC: Exim users list
Subject: Re: [Exim] forged HELO/EHLO addresses
On Wed, 12 Nov 2003, Chris Edwards wrote:

[quoting me, AJF:]
> | substantial proportion of the requests that we've rejected recently on
> | the grounds of their HELO domain have been attempts to bounce to a
> | non-existent address in one of our domains. The addresses all have a
> | plausible user name plus a random two-letter suffix, with or without
> | an underscore, e.g major_dukes_qw or amy_henleyfp etc. I've mentioned
> | this pattern before in a different context, it's presumably extruded
> | by some prolific ratware? So I think these calls are coming from
> | spam-targets who are either trying callout with us to check the
> | counterfeited sender address, or attempting to bounce the spam to its
> | supposed sender - from the log, one can't tell which.
>
> I don't quite understand this.

Alright, I'm not certain that _I_ do, to be honest.

The only alternatives that I can think of to the two possibilities
mentioned above are that these are direct attempts by spammers -
either to spam us while camouflaging their spam as bounces ("delivery
status notifications" or whatever) - or to persuade us to validate an
address list for them.

> If spam-targets are sending callouts or
> bounces, then shurely the HELOs should be fine?

Those wouldn't fall into the category I described above, though.
I was specifically picking the ones that had failed the HELO
"syntax check".

I'll contact you off-list about this, and if we come up with anything
of general interest we can report back - OK?

cheers