Re: [Exim] caching HELO/EHLO data

Author: Jethro R Binks
Date:  
To: Ollie Cook
CC: exim-users
Subject: Re: [Exim] caching HELO/EHLO data
Ollie!

Apologies, this message isn't about what you posted, but I knew I was
vaguely familiar with someone at Clara and your message was timely.

Who is an appropriate contact for your Usenet infrastructure person?
Claranet currently provide a feed into JANET. I'm part of the team that
is implementing the new JANET news feed service, and we need to get some
changes made. Most of the ISP details we received from the previous
server managers are sketchy at best.

Here's the data we currently have:

# Description:                  ClaraNET UK
# News-Name:                    newspeer.clara.net/
# News-Server:                  newspeer.clara.net
# IP address of News-Server:    195.8.68.195
# News Software and version:    Cyclone v1.4.2
# Hardware of News-Server:      Sun E450, 2 CPUS, 1Gb RAM
# Other sites that feed you:    At present 84 concurrent feeds. See stats at http://newspeer.clara.net/
# Hierarchies required:         all
# Feed-To:                      janet.news.clara.net
# Accept-From:                  newspeer.clara.net
# MaxStreams:                   2
# Contact-Person:               Mark Ivens
# Contact-Phone:                +44 207 903 3010
# Contact-Fax:                  020 7903 3001
# Contact-Email:                newsmaster@???
# Alternative Contact-Person:   Dave Williams
# Alternative Contact-Phone:    020 7903 3008
# Alternative Contact-Fax:
# Alternative Contact-Email:    dave@??? ops@???
# Janet/RAL tickets:
# Date added:                   4 Jul 00


Are the newsmaster@??? dave@??? ops@??? contacts
still useable for this purpose?

Ta,

Jethro.

p.s. Your patch sounds very handy. When I next upgrade, if Philip hasn't
implemented, then I'll certainly consider applying it.


On Wed, 3 Mar 2004, Ollie Cook wrote:

> I have rolled a patch against Exim 4.30 to detect hosts who identify themselves
> using different HELO/EHLO arguments over time, since this helps detect two
> patterns of spam software that we see at our site:
>
>  - hosts that HELO as yahoo.com, then hotmail.com then yahoo.co.uk etc.
>  - hosts that HELO as hosteddomain1.com, then hosteddomain2.org etc. where
>    the HELO argument matches recipient domain
>
> This is implemented in terms of another hints database in Exim with a short
> (configurable) timeout. A new variable is available containing the most
> recently cached value which can then be used in ACLs if needed to compare
> against what the client actually said in HELO/EHLO.
>
> e.g.
>
>   # Deny from hosts with changing HELO/EHLO
>   deny    message   = rejected HELO/EHLO argument \
>                       [$previous_sender_helo_name (cached) != $sender_helo_name]
>           condition = ${if and {\
>                                 {def:sender_helo_name}\
>                                 {def:previous_sender_helo_name}\
>                                }\
>                                {${if eq{$sender_helo_name}\
>                                        {$previous_sender_helo_name}\
>                                        {no}{yes}}}\
>                                {no}}
>
> However, it seems that some legitimate sites change their HELO/EHLO argument
> quite frequently, despite the connecting IP address being constant.
>
> e.g.
>
> 2004-03-03 10:46:01 detected change in EHLO argument from mxpool13.ebay.com [66.135.197.19] (mx27.sjc.ebay.com -> mx28.sjc.ebay.com)
> 2004-03-03 10:46:39 detected change in EHLO argument from mxpool13.ebay.com [66.135.197.19] (mx28.sjc.ebay.com -> mx27.sjc.ebay.com)
> 2004-03-03 10:51:45 detected change in HELO argument from mail-kr.bigfoot.com [211.115.216.222] (mail-kr.bigfoot.com -> bigfoot.com)
> 2004-03-03 10:54:50 detected change in HELO argument from mail-kr.bigfoot.com [211.115.216.222] (bigfoot.com -> mail-kr.bigfoot.com)
>
> RFC 2821 section 4.1.1.1 says:
>
>   |    server.  The argument field contains the fully-qualified domain name
>   |    of the SMTP client if one is available.
>
> I take this to imply that it's reasonable to expect that hosts should only
> identify themselves with one constant string. Do others concur, or know of any
> other place where the consistency of HELO/EHLO arguments is discussed?
>
> If any one would like to test this patch, please email me off list.
>
> Cheers,
>
> Ollie
> --
> Oliver Cook    Systems Administrator, Claranet UK
> ollie@???               +44 20 7903 3065
>
> --
>
> ## List details at http://www.exim.org/mailman/listinfo/exim-users Exim details at http://www.exim.org/ ##
>
>



. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Jethro R Binks
Computing Officer, IT Services
University Of Strathclyde, Glasgow, UK
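Added example (not Ollie's Exim patch and not code from this thread): a small model of the per-host HELO/EHLO cache the quoted message describes, with the short expiry, the same accept/deny decision as the quoted ACL, and the log line format shown in the quoted output. It is run over constructed connection records: the eBay records reuse the host names and address from the quoted log, the spammer records use the 192.0.2.0/24 documentation range. The `exempt` set is a hypothetical refinement for the legitimate-but-flapping hosts the message mentions, not something the patch is stated to have; the 30-minute timeout is also an assumption.

```python
"""Model of a HELO/EHLO consistency check keyed on client IP.

Added example for the exim-users thread above; it is not the Exim patch
being discussed. Assumptions: one cache entry per client address, entries
expire after `timeout` (30 minutes here), and an optional exemption set
for hosts known to alternate names legitimately.
"""
from collections import namedtuple
from datetime import datetime, timedelta

# One SMTP connection: time, client IP, reverse DNS, verb used, HELO/EHLO argument.
Conn = namedtuple("Conn", "ts ip rdns verb helo")


class HeloCache:
    """Stand-in for the hints database: last HELO argument seen per IP, with expiry."""

    def __init__(self, timeout=timedelta(minutes=30)):  # timeout value is an assumption
        self.timeout = timeout
        self._entries = {}  # ip -> (helo, last_seen)

    def previous(self, ip, now):
        """Return the cached HELO name for `ip`, or None if absent or expired."""
        entry = self._entries.get(ip)
        if entry is None:
            return None
        helo, seen = entry
        if now - seen > self.timeout:
            del self._entries[ip]   # expired: treat the host as never seen
            return None
        return helo

    def record(self, ip, helo, now):
        self._entries[ip] = (helo, now)


def acl_verdict(helo, previous):
    """Same logic as the quoted ACL: deny only when both values are defined and differ."""
    if not helo or previous is None:
        return "accept"
    return "deny" if helo != previous else "accept"


def process(conns, cache, exempt=frozenset()):
    """Run connections through the cache; return (log lines, verdicts) in order."""
    log, verdicts = [], []
    for c in conns:
        prev = cache.previous(c.ip, c.ts)
        if prev is not None and prev != c.helo:
            # Log every change, exempt or not, so flapping hosts stay visible.
            log.append("%s detected change in %s argument from %s [%s] (%s -> %s)"
                       % (c.ts.strftime("%Y-%m-%d %H:%M:%S"), c.verb, c.rdns, c.ip, prev, c.helo))
        verdicts.append("accept" if c.ip in exempt else acl_verdict(c.helo, prev))
        cache.record(c.ip, c.helo, c.ts)
    return log, verdicts


def _t(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")


# Constructed sample traffic: a legitimate pool alternating between two names,
# a host cycling through freemail domains, and a return visit after expiry.
SAMPLE = [
    Conn(_t("2004-03-03 10:45:12"), "66.135.197.19", "mxpool13.ebay.com", "EHLO", "mx27.sjc.ebay.com"),
    Conn(_t("2004-03-03 10:46:01"), "66.135.197.19", "mxpool13.ebay.com", "EHLO", "mx28.sjc.ebay.com"),
    Conn(_t("2004-03-03 10:46:39"), "66.135.197.19", "mxpool13.ebay.com", "EHLO", "mx27.sjc.ebay.com"),
    Conn(_t("2004-03-03 10:50:00"), "192.0.2.10", "(no rDNS)", "HELO", "yahoo.com"),
    Conn(_t("2004-03-03 10:50:05"), "192.0.2.10", "(no rDNS)", "HELO", "hotmail.com"),
    Conn(_t("2004-03-03 10:50:09"), "192.0.2.10", "(no rDNS)", "HELO", "yahoo.co.uk"),
    Conn(_t("2004-03-03 12:00:00"), "192.0.2.10", "(no rDNS)", "HELO", "yahoo.com"),  # cache entry expired
]

if __name__ == "__main__":
    log, verdicts = process(SAMPLE, HeloCache(), exempt=frozenset({"66.135.197.19"}))
    for line in log:
        print(line)
    print(verdicts)
```

Without the exemption the eBay pool is rejected on every alternation, exactly the false positive the quoted log shows; with it the log entries are still written, so the alternation remains auditable while delivery proceeds. The last sample connection falls outside the timeout, so it is accepted with no log line even though the name differs from the last one cached.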