Re: [Exim] forged HELO/EHLO addresses

Página Inicial
Delete this message
Reply to this message
Autor: Alan J. Flavell
Data:  
Para: Exim Users Mailing List
Assunto: Re: [Exim] forged HELO/EHLO addresses
On Wed, 12 Nov 2003, Alan J. Flavell wrote:

> On Wed, 12 Nov 2003, Greg A. Woods wrote, quoting me:
>
> > > On the other hand, something like "HELO 11.22.33.44" would slip past
> > > the above recipe unchallenged.
> >
> > You should think about fixing that -- a good chunk of spam I see which
> > gets past many other checks is sent that way.
>
> OK, I'll put in a warning,


I did that...

> and let you know how effective it is.


...and this is me with an update.

My colleague (hi Chris) at the central mailer reminds me that he and I
had actually discussed this point a couple of months back. Reviewing
the emails from then, and the results of the present warning, it seems
that from our observations (note that any MTA that presents *our own*
IP address in their HELO *will* be blocked by us and never gets as far
as what we're discussing here):

* there are just a few bona fide remote MTAs (make that
"otherwise-bona-fide", if you want) who are presenting numeric IPs
(without square brackets) in their HELO

* there are quite a few spammers that are doing so

* many of the spammers get blocked by us for some other reason

* some of the numeric IPs that get presented are from private address
space - usually 192.168.*.* , and these seem to have a fair chance of
being bona fide senders. But spammers are also represented amongst
those.

He had concluded that presenting a numeric IP without square brackets
was worth 3 spamassassin points, on the scale that we use (>8 points
causes rejection as spam; >5 points counts as suspicious).

I can see that putting an absolute block on presenting numeric IP in
the HELO would require us to also maintain additional whitelist
entries. And, as I say, in any case many of the spammers who
presented such HELO are already getting blocked for other reasons
(local blacklists, DNSrbl etc. as well as callback repudiation of the
counterfeited sender address[1]) before they get as far as
spamassassin rating.

Conclusion: I find myself in agreement with Chris - tossing in a few
extra spamassassin points is an OK response; the number of items that
get that far is sufficiently small that we don't need to worry about
the overhead.

If we were to try an absolute block, on the other hand, then we'd have
the extra maintenance commitment of whitelisting.

Hope that's of interest to the list members.

all the best

[1] Don't let's fight that one again - I just mentioned it for
completeness of the report.