Re: [Exim] exim fine-tuning

Author: Alan J. Flavell
Date:  
To: Exim users list
Subject: Re: [Exim] exim fine-tuning
On Mon, 19 Apr 2004, Scott Call wrote:

> I'm also fairly aggressive with reject HELOs with non domain literal
> IPs, and my local hostname, which kills a lot of automated attacks.
Seems to me there are three main cases to be considered:

1) HELO domain matches one of our own domains

2) HELO "domain" turns out to be in fact a dotted-decimal IP number
(often, our own). If it's not our own, we spam-rate it: if it -is-
our own, we reject.

3) HELO contains sender's dotted-decimal IP in [ ] brackets.

Case 3 is technically legal in theory, but pretty much obsolete
in practice. We reject them, at any rate from non-relay hosts (except
for mail to the postmaster or abuse addresses), and I don't recall any
complaints from would-be sending MTAs.

Cases 1 and 2 are surprisingly widespread, considering that they
appear to be a sure-fire indicator of abuse. It's a puzzle to me just
why abusers would make themselves so obvious: what do they hope to
gain from it? Is there -any- mailer where either of these options
yields some positive benefit?

There are some other cases that might be discussed too.

4) HELO strings which contain invalid characters.

Based on occasional perusal of the rejections: aside from underscore
(which is nauseatingly frequent), I recall one bunch of cases where
the string was "$domain", which was presumably some spamware which the
spammer has omitted to configure in the way that its author had
intended; and then there's a bunch of what appear to be Korean
character-strings in some character encoding or other.

5) HELO strings which are unqualified names

We don't outright reject these currently, but in practice they seem to
be strongly associated with viruses or spammer attacks. We toss quite
a few points into the spamassassin score.

hth
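To make the five HELO cases above concrete, here is an added example that is not part of the original message or of Exim itself: a small Python model of the classification, with the local domain list, local IP address, sample HELO strings and the reject/score/accept actions all constructed for illustration. Exim would express the same logic in its MAIL/HELO ACL rather than in Python; this just shows the decision order and which strings land in which bucket.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample data (assumption): the domains and IP address this MTA
# regards as its own. In Exim these would come from the local domain list
# and the interface address.
OUR_DOMAINS = {"example.org", "mail.example.org"}
OUR_ADDRESSES = {"192.0.2.25"}

# One RFC 1123 hostname label: letters, digits and hyphens, no leading or
# trailing hyphen. Underscore, "$", and non-ASCII therefore fail (case 4).
_LABEL = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?$")


def classify_helo(helo: str) -> tuple[str, str]:
    """Map a HELO/EHLO argument to (case, action).

    Order matters: bracketed literals and bare IPs are recognised before the
    hostname-label check so they are not mistaken for "invalid characters".
    The postmaster/abuse exemption from the message applies at RCPT time and
    is outside this function.
    """
    h = helo.strip()

    # Case 3: address literal in brackets, "[192.0.2.1]" or "[IPv6:2001:db8::1]".
    if h.startswith("[") and h.endswith("]"):
        inner = h[1:-1]
        if inner[:5].upper() == "IPV6:":
            inner = inner[5:]
        try:
            ipaddress.ip_address(inner)
        except ValueError:
            return ("4-invalid-chars", "reject")   # brackets around garbage
        return ("3-address-literal", "reject")     # legal in theory, rejected in practice

    # Case 2: bare dotted-decimal IP. Ours -> reject; someone else's -> score.
    try:
        ipaddress.IPv4Address(h)
    except ValueError:
        pass
    else:
        if h in OUR_ADDRESSES:
            return ("2-bare-ip-ours", "reject")
        return ("2-bare-ip", "score")

    # Case 4: any label with characters outside the hostname alphabet.
    labels = h.split(".")
    if not all(_LABEL.match(label) for label in labels):
        return ("4-invalid-chars", "reject")

    # Case 1: the client claims to be one of our own domains.
    if h.lower() in OUR_DOMAINS:
        return ("1-own-domain", "reject")

    # Case 5: a single unqualified label; not rejected, but scored.
    if len(labels) < 2:
        return ("5-unqualified", "score")

    return ("ok", "accept")


def triage(helos: list[str]) -> dict[str, int]:
    """Count how many of a batch of HELO strings fall into each case."""
    return dict(Counter(classify_helo(h)[0] for h in helos))


# Constructed sample batch (assumption): the kinds of strings the message describes.
SAMPLE_HELOS = [
    "example.org",            # case 1
    "192.0.2.25",             # case 2, our own address
    "10.0.0.1",               # case 2, someone else's address
    "[10.0.0.1]",             # case 3
    "[IPv6:2001:db8::1]",     # case 3
    "my_host.example.net",    # case 4, underscore
    "$domain",                # case 4, unconfigured spamware
    "pc",                     # case 5
    "mx.example.net",         # acceptable
]

if __name__ == "__main__":
    for h in SAMPLE_HELOS:
        case, action = classify_helo(h)
        print(f"{h!r:24} -> {case:18} {action}")
    print(triage(SAMPLE_HELOS))
```

The regex check is deliberately stricter than what some real senders manage (underscores in Windows machine names are the usual offender, as the message notes), which is why cases 4 and 5 are the ones where a site might prefer scoring over an outright reject.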