Author: Alan J. Flavell
Date:
To: Exim Users Mailing List
Subject: Re: [Exim] forged HELO/EHLO addresses
On Sun, 16 Nov 2003, Suresh Ramasubramanian wrote:
[omigosh, one could hardly get two so-different postmastering
situations. I'm *so* relieved that we can agree, even if the details
are very different.]
> > * there are just a few bona fide remote MTAs (make that
> > "otherwise-bona-fide", if you want) who are presenting numeric IPs
> > (without square brackets) in their HELO
>
> LSOFT ListServ installs typically. Completely broken behavior of course,
> but ListServ is used to run some large and legit lists.
Oh, I see. I hadn't realised the significance that they appeared to
be distribution lists, which was why I hadn't specially mentioned it
before. Thanks.
> > I can see that putting an absolute block on presenting numeric IP in
> > the HELO would require us to also maintain additional whitelist
>
> We don't have the luxury of running spamassassin on our inbound mail as
> this would be really tough to do in real time on our typical mail volume.
Indeed.
> The one you mentioned (HELO one.of.our.ips / HELO one.of.our.hostnames /
> HELO one.of.our.domains, direct to our MX, from an IP that is not in our
> subnets) is cast iron spamsign and catches us several hundred thousand
> pieces of spam a day.
Yup, we're doing both of those. One has to wonder what the spammers'
strategy is here - are they deliberately offering us a way of blocking
their spam, or are they just too dumb to realise?
> Other stuff - like HELO yahoo.com from an IP that doesn't have yahoo rDNS,
> catches us a whole lot more.
Interesting, thanks.
> Helo filtering is something that, done right, gives us near zero
> collateral damage for relatively simple rules.
We're taking some note of that kind of discrepancy, but chiefly by
throwing some spam points into the spamassassin calculation. Which,
as you say, wouldn't be feasible on your scale. But it works well for
us on our departmental mailer (provided there's someone who's
sufficiently annoyed by spam to tune the filters, which in our case is
little old me). It's working well for the campus central mailer too,
now that they've got some server boxes able to carry the load.
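The three HELO checks discussed in this exchange (a bare numeric HELO without square brackets, a HELO presenting one of our own IPs/hostnames/domains from an address outside our subnets, and a big-brand HELO such as yahoo.com from a peer without matching rDNS), as an added Python example that is not part of this thread nor of Exim itself; the site networks, names, the exempt-sender whitelist and the sample sessions are constructed placeholders:

```python
import ipaddress

# Constructed site data (placeholders, not a real site): our subnets, MX names,
# domains and addresses. EXEMPT_IPS is the "additional whitelist" for the few
# otherwise-legitimate senders known to present bare numeric HELOs.
OUR_NETS = [ipaddress.ip_network("192.0.2.0/24")]
OUR_HOSTS = {"mx1.example.org", "smtp.example.org"}
OUR_DOMAINS = {"example.org"}
OUR_IPS = {"192.0.2.25"}
EXEMPT_IPS = {"198.51.100.9"}
# HELO names we expect only from hosts whose rDNS lies in the same domain.
BRAND_RDNS = {"yahoo.com": ("yahoo.com",)}


def _in_domain(name, domain):
    """True if name equals domain or is a subdomain of it."""
    return name == domain or name.endswith("." + domain)


def helo_problems(helo, client_ip, rdns=None):
    """Return the list of HELO-forgery signs for one SMTP session (empty = clean)."""
    h = helo.strip().lower().rstrip(".")
    ip = ipaddress.ip_address(client_ip)
    if client_ip in EXEMPT_IPS or any(ip in net for net in OUR_NETS):
        return []  # our own hosts and whitelisted peers skip the checks
    problems = []
    # 1. Bare numeric IP without square brackets; "[203.0.113.7]" is a legal
    #    address literal and must not trip this rule.
    try:
        ipaddress.ip_address(h)
        problems.append("bare numeric IP in HELO")
    except ValueError:
        pass
    # 2. HELO presents one of our IPs, hostnames or domains; we already know the
    #    peer is outside our subnets, so this is the "cast iron spamsign" case.
    if (h.strip("[]") in OUR_IPS or h in OUR_HOSTS
            or any(_in_domain(h, d) for d in OUR_DOMAINS)):
        problems.append("HELO claims our name or IP from outside our subnets")
    # 3. HELO names a big-brand domain but the peer's rDNS is not in that domain.
    r = (rdns or "").lower().rstrip(".")
    for brand, domains in BRAND_RDNS.items():
        if _in_domain(h, brand) and not any(_in_domain(r, d) for d in domains):
            problems.append("HELO %s but rDNS is %r" % (brand, rdns))
    return problems
```

At the scale described above, the returned list would feed a reject decision directly; on a smaller mailer it can instead contribute points to a SpamAssassin score.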