Autor: Suresh Ramasubramanian Fecha: A: Alan J. Flavell Cc: Exim Users Mailing List Asunto: Re: [Exim] forged HELO/EHLO addresses
<quote who="Alan J. Flavell"> > * there are just a few bona fide remote MTAs (make that
> "otherwise-bona-fide", if you want) who are presenting numeric IPs
> (without square brackets) in their HELO
LSOFT ListServ installs typically. Completely broken behavior of course,
but ListServ is used to run some large and legit lists.
> I can see that putting an absolute block on presenting numeric IP in
> the HELO would require us to also maintain additional whitelist
We don't have the luxury of running spamassasin on our inbound mail as
this would be really tough to do in real time on our typical mail volume.
So we have been trying various other HELO combinations.
The one you mentioned (HELO one.of.our.ips / HELO one.of.our.hostnames /
HELO one.of.our.domains, direct to our MX, from an IP that is not in our
subnets) is cast iron spamsign and catches us several hundred thousand
pieces of spam a day.
Other stuff - like HELO yahoo.com from an IP that doesn't have yahoo rDNS,
catches us a whole lot more.
Helo filtering is something that, done right, gives us near zero
collateral damage for relatively simple rules.
