Re: [Exim] Opinions sought: Most effective spam reduction te…

Author: Richard Clayton
Date:  
To: exim-users
Subject: Re: [Exim] Opinions sought: Most effective spam reduction techniques
In message <1092964626.6899.197.camel@???>, Kjetil
Torgrim Homme <kjetilho@???> writes

>On Tue, 2004-08-17 at 12:35 +0000, Peter Bowyer wrote:
>> I suggest (and use) the following set of measures in our virtual-domain
>> system, in order of increasing cost:
>>
>> 1. HELO checking - disallow bare IPs, HELO with any of your domains[1],
>> HELO not FQDN[1]
>> [...]
>> We've not found any FP issues at all with stages 1-6
>
>Really? We have 2-3 cases per week where we reject e-mail from systems
>without FQDN HELO, or the name contains an underscore, or their nameserver
>isn't responding (sender verify). We also get the odd false positive
>from sites which are open relays. Changing our policy isn't being
>considered, and indeed many of these sites have fixed the problem after
>we told them about it.
>
>(I call these false positives since the recipient actively wants the
>correspondence.)


Just FYI, this weekend I came across the following "false positive" for
"don't accept email that says HELO to yourself":

This is from a DLink DI-704P (a popular make of router, used to provide
home networking behind a cable modem or similar). This has a function to
email its status log to a given email address. The ONLY setting the user
provides is the destination, in this case I used richard@???

The incoming email looked like this (with a few xxx's obscuring
irrelevant details for privacy):

    Return-path: <richard@???>
    Received: from xxxxxxxx.cable.ubr05.shef.blueyonder.co.uk
        ([82.38.xxx.xx] helo=highwayman.com)
        by mail.highwayman.com with esmtp (Exim 4.41)
        id 1ByVsR-0003pG-7B
        for richard@???; Sat, 21 Aug 2004 14:25:47 +0100
    Subject: Router log


    --- Log Begin ---
    etc


So from this evidence the router clearly looked up the MX record for
highwayman.com and then proceeded to

    HELO        highwayman.com
    MAIL FROM   richard@???
    RCPT TO     richard@???


which is of course "broken" and could be relatively easily fixed by the
firmware writer, but prior to that ever occurring I would still view it
as a "false positive", since I rather wanted the email.

I think there's quite a lot of this manufacturer's kit out there :(

-- 
richard @ highwayman . com                       "Nothing seems the same
                          Still you never see the change from day to day
                                And no-one notices the customs slip away"
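As an added example, not part of the original post and not Exim's own code, here is a small Python model of the stage-1 HELO policy discussed in this thread (reject bare IPs, reject HELO with one of our own domains, reject underscores, reject non-FQDNs), run over constructed HELO strings that include the router case above. The local domain list, the sample Received: header, the host name and the address in it are assumptions made up for the example; only the shape of the header follows the post. The example also keeps RFC 2821 address literals (`[a.b.c.d]`) distinct from bare IPs, which the thread does not spell out.

```python
import ipaddress
import re

# Assumed local domain list for the policy (the post only names highwayman.com).
OUR_DOMAINS = {"highwayman.com", "mail.highwayman.com"}

# One DNS label: letters, digits, hyphens; no leading/trailing hyphen; <= 63 chars.
LABEL_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")


def _as_ip(text):
    """Return an ip_address object if text parses as one, else None."""
    try:
        return ipaddress.ip_address(text)
    except ValueError:
        return None


def is_address_literal(helo):
    """RFC 2821 address literal such as [82.38.0.1]: legal, so not a 'bare IP'."""
    return helo.startswith("[") and helo.endswith("]") and _as_ip(helo[1:-1]) is not None


def is_bare_ip(helo):
    """An IP with no brackets, which the thread's policy rejects."""
    return _as_ip(helo) is not None


def is_fqdn(helo):
    """At least two non-empty labels, each syntactically valid."""
    labels = helo.rstrip(".").split(".")
    return len(labels) >= 2 and all(LABEL_RE.match(label) for label in labels)


def check_helo(helo, our_domains=OUR_DOMAINS):
    """Apply the stage-1 HELO checks from the thread, in order.

    Returns ("accept", reason) or ("reject", reason).
    """
    name = helo.strip().lower()
    if is_address_literal(name):
        return ("accept", "address literal is RFC-legal")
    if is_bare_ip(name):
        return ("reject", "bare IP in HELO")
    if name in our_domains:
        # This is the rule the DLink router trips: it says HELO with the
        # recipient's own domain, so a message the user wants is refused.
        return ("reject", "HELO with one of our own domains")
    if "_" in name:
        return ("reject", "underscore in HELO")
    if not is_fqdn(name):
        return ("reject", "HELO is not an FQDN")
    return ("accept", "ok")


RECEIVED_HELO_RE = re.compile(r"\bhelo=([^\s)]+)")


def helo_from_received(received_header):
    """Pull the helo= value out of an Exim-style Received: header."""
    match = RECEIVED_HELO_RE.search(received_header)
    return match.group(1) if match else None


# Constructed Received: header in the shape Exim writes, modelled on the one
# in the post; the host name and address here are made up.
SAMPLE_RECEIVED = (
    "Received: from cpc1-shef1.cable.example.net "
    "([82.38.0.1] helo=highwayman.com) "
    "by mail.highwayman.com with esmtp (Exim 4.41) "
    "for richard@highwayman.com"
)

# Constructed HELO arguments exercising each rule.
SAMPLE_HELOS = [
    helo_from_received(SAMPLE_RECEIVED),  # the router: our own domain
    "82.38.0.1",                          # bare IP
    "[82.38.0.1]",                        # address literal, legal
    "my_host.example.net",                # underscore
    "localhost",                          # not an FQDN
    "mx1.example.net",                    # clean
]


def run_policy(helos=SAMPLE_HELOS):
    """Return {helo: (verdict, reason)} for each sample."""
    return {h: check_helo(h) for h in helos}


if __name__ == "__main__":
    for helo, (verdict, reason) in run_policy().items():
        print(f"{verdict:6} {helo:24} {reason}")
```

Running it shows the router's `helo=highwayman.com` rejected by the own-domain rule while the otherwise identical address literal is accepted, which is exactly the "false positive" the post describes. In Exim itself the HELO argument is available as `$sender_helo_name` and can be tested in an ACL with conditions such as `isip` and `match_domain`; the ordering of the checks here is my own choice, not something the thread prescribes.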