Re: [Exim] forged HELO/EHLO addresses

Author: Ken Lowther
Date:  
To: exim-users
Subject: Re: [Exim] forged HELO/EHLO addresses
Could someone point me to where I would find the info to do this?

Thanks.

Ken

Quoting "Alan J. Flavell" <a.flavell@???>:

> On Sun, 16 Nov 2003, Suresh Ramasubramanian wrote:
>
> [omigosh, one could hardly get two so-different postmastering
> situations. I'm *so* relieved that we can agree, even if the details
> are very different.]
>
> > > * there are just a few bona fide remote MTAs (make that
> > > "otherwise-bona-fide", if you want) who are presenting numeric IPs
> > > (without square brackets) in their HELO
> >
> > LSOFT ListServ installs typically. Completely broken behavior of course,
> > but ListServ is used to run some large and legit lists.
>
> Oh, I see. I hadn't realised the significance that they appeared to
> be distribution lists, which was why I hadn't specially mentioned it
> before. Thanks.
>
> > > I can see that putting an absolute block on presenting numeric IP in
> > > the HELO would require us to also maintain additional whitelist
> >
> > We don't have the luxury of running spamassassin on our inbound mail as
> > this would be really tough to do in real time on our typical mail volume.
>
> Indeed.
>
> > The one you mentioned (HELO one.of.our.ips / HELO one.of.our.hostnames /
> > HELO one.of.our.domains, direct to our MX, from an IP that is not in our
> > subnets) is cast iron spamsign and catches us several hundred thousand
> > pieces of spam a day.
>
> Yup, we're doing both of those. One has to wonder what the spammers'
> strategy is here - are they deliberately offering us a way of blocking
> their spam, or are they just too dumb to realise?
>
> > Other stuff - like HELO yahoo.com from an IP that doesn't have yahoo rDNS,
> > catches us a whole lot more.
>
> Interesting, thanks.
>
> > Helo filtering is something that, done right, gives us near zero
> > collateral damage for relatively simple rules.
>
> We're taking some note of that kind of discrepancy, but chiefly by
> throwing some spam points into the spamassassin calculation. Which,
> as you say, wouldn't be feasible on your scale. But it works well for
> us on our departmental mailer (provided there's someone who's
> sufficiently annoyed by spam to tune the filters, which in our case is
> little old me). It's working well for the campus central mailer too,
> now that they've got some server boxes able to carry the load.
>
> cheers
>
> --
>
> ## List details at http://www.exim.org/mailman/listinfo/exim-users Exim
> details at http://www.exim.org/ ##

Ken Lowther
Comprehensive Internet Services
Vice President
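As an added illustration (not code from this thread, nor from the Exim distribution), here is how the HELO checks Suresh and Alan describe could be written in an Exim 4 RCPT ACL. It assumes the ACL is wired in with acl_smtp_rcpt = acl_check_rcpt, that the hostlist relay_from_hosts and the domainlist local_domains are defined as in Exim's default configuration, and that a hostlist named helo_numeric_ok (an assumed name) lists the known list servers that HELO with a bare numeric IP.

```exim
# Added example, not from the thread. Assumes an Exim 4 configuration with
#   acl_smtp_rcpt = acl_check_rcpt
# in the main section, hostlist "relay_from_hosts" and domainlist
# "local_domains" as in the default configure file, and an assumed hostlist
# "helo_numeric_ok" for legitimate senders that HELO with a bare IP.

acl_check_rcpt:

  # HELO one.of.our.domains / one.of.our.hostnames from an IP that is
  # not in our subnets: the check the thread calls cast-iron spamsign.
  deny    message   = Forged HELO: $sender_helo_name is one of our domains
          !hosts    = +relay_from_hosts
          condition = ${if match_domain{$sender_helo_name}{+local_domains}}

  # HELO one.of.our.ips (the address this MX is listening on), given with
  # or without the RFC-required square brackets, from outside our subnets.
  deny    message   = Forged HELO: $sender_helo_name is our own address
          !hosts    = +relay_from_hosts
          condition = ${if or{ \
                          {eq{$sender_helo_name}{$interface_address}} \
                          {eq{$sender_helo_name}{[$interface_address]}} \
                        }}

  # Bare numeric IP (no square brackets) in HELO. As noted in the thread,
  # some legitimate list servers do this, so only log it here and exempt
  # the known offenders through the assumed helo_numeric_ok hostlist.
  warn    !hosts      = +relay_from_hosts : +helo_numeric_ok
          condition   = ${if match{$sender_helo_name}{\N^\d+\.\d+\.\d+\.\d+$\N}}
          log_message = bare numeric IP in HELO from $sender_host_address

  # ... the usual remainder of the RCPT ACL follows here: recipient
  # verification, accept for +local_domains and +relay_from_hosts, and the
  # final "relay not permitted" deny.
```

Test the rules first with exim -bh <remote-ip> so you can watch which clause fires before exposing them to live traffic.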