Re: [exim] Are we being harsh

Author: Michael J. Tubby B.Sc. (Hons)
Date:  
To: Exim-Users (E-mail)
Subject: Re: [exim] Are we being harsh

----- Original Message -----
From: "Jethro R Binks" <jethro.binks@???>
To: "Exim-Users (E-mail)" <exim-users@???>
Sent: Monday, April 04, 2005 1:56 PM
Subject: Re: [exim] Are we being harsh


> On Mon, 4 Apr 2005, Matthew Newton wrote:
>
>> I did, however, block localhost.localdomain. That catches up to 100 bad
>> messages a day. Also block the FQDNs and IPs of my servers; that catches
>> on average 30,000 connections a day! Well worth doing. I didn't believe
>> the spammers would be so thick.
>
> I do this too; however it does suffer from false positives. I have had a
> number of queries about it over the couple of years I've been doing this.
> In each case, I have advised the sender that the system is ill-configured
> and should be giving something more accurate than that default. I haven't
> yet had to whitelist or make other provision (I don't think I've ever had
> a follow-up; whether the system is fixed or the sender gives up, I've no
> idea).
>
> It may be a little dangerous in that respect, but until I get a serious
> complaint about it I'm willing to run with the false positives and issue
> advice appropriately when queried.
>
> Jethro.
>
> . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
> Jethro R Binks
> Computing Officer, IT Services
> University Of Strathclyde, Glasgow, UK
>


Peter Bowyer (also on this list) and I run mail relays for some
250+ domains; we do positive blocking on the HELO/EHLO provided
by the originator. We have several machines that act as relays slaved
from a common database... relay.thorcom.net, relay.salmark.net,
relay.omnieng.net ...

Analysing our logs we find that we reject HELO/EHLO from:

a) 'bare' IP addresses, eg.

        HELO 1.2.3.4


which if used at all should be

        HELO [1.2.3.4]


b) senders saying HELO with our ip address, ie:

        HELO [193.82.116.30]


    which is the address of relay.thorcom.net


c) senders saying HELO with the IP address of one of our other
    MXs, so bulk mailer connects to relay.thorcom.net and says
    HELO with the IP address of relay.omnieng.net


d) senders that say HELO from a non FQDN, like:

        HELO MAILSERVER
        HELO OEMCOMPUTER


    the latter being a well known virus.  The first one turned out to
    be a broadcast email server for a well known UK accountancy
    software company (name of herb) used to send monthly
    newsletters to their customers -- the machine was inside their corporate
    firewall (a PIX by all accounts) NATted to the 'net.


e) senders that say HELO for domain names, not hosts

f) senders that say HELO for non-existent host/domains

g) senders that say HELO from domains for which there is no email
    route back, ie. neither a host nor MX, like:


         <made-up-garbage>.aol.com
         <made-up-garbage>.microsoft.com
         <made-up-garbage>.<your-domain>.com


    NB: this is okay to do as there is a requirement to support, as a minimum,
    postmaster@domain for bounces



In addition we block senders that don't even say HELO/EHLO and
attempt to proceed directly to envelope, eg. "MAIL FROM: <>".


Our approach to handling email from public internet sites/addresses has
changed to one of "how quickly can we find a reason to not let this
email in" -- we:

- check/sanitise the HELO/EHLO greeting

- do a sender verify (check the MAIL FROM: domain is routable back)

- do a recipient verify (call forward to the 'next hop' SMTP address and
check we can deliver the to address)

and only then accept the body of the email.

Over 80% of the email transactions offered to us fail (we reject them)
before the message body is sent -- this is good because it saves our
internet bandwidth and CPU cycles.


To date I have had to put three entries in the whitelist_hosts table in
our database -- they are all household names that should know better --
but it's a small price to pay for a huge improvement in performance of
the mail relay system.

Below are a few extracts from our logs.


Mike




A non-FQDN:

2005-04-10 08:45:10 H=(TZH) [61.183.37.164] F=<Lindsey.Amos@???>
rejected RCPT <kiddies@???>: HELO not FQDN : TZH


HELO for a recipient's domain name:

2005-04-10 09:06:06 H=(tobit.co.uk) [62.113.92.195] F=<bor@???>
rejected RCPT <farlay@???>: Bad HELO: tobit.co.uk


HELO with bare IP addresses:

2005-04-10 09:02:59 H=(193.82.116.30) [220.120.215.60]
F=<judf3wh@???> rejected RCPT <aabbcc_9456@???>: HELO with
bare IP : 193.82.116.30
2005-04-10 09:03:00 H=(193.82.116.30) [220.120.215.60]
F=<judf3wh@???> rejected RCPT <aabdouni@???>: HELO with
bare IP : 193.82.116.30
2005-04-10 09:03:00 H=(193.82.116.30) [220.120.215.60]
F=<judf3wh@???> rejected RCPT <aabjly@???>: HELO with bare
IP : 193.82.116.30
2005-04-10 09:03:01 H=(193.82.116.30) [220.120.215.60]
F=<judf3wh@???> rejected RCPT <aabkj@???>: HELO with bare
IP : 193.82.116.30
2005-04-10 09:03:01 H=(193.82.116.30) [220.120.215.60]
F=<judf3wh@???> rejected RCPT <aabmj@???>: HELO with bare
IP : 193.82.116.30
2005-04-10 09:03:02 H=(193.82.116.30) [220.120.215.60]
F=<judf3wh@???> rejected RCPT <aabodrx2pst@???>: HELO with
bare IP : 193.82.116.30
2005-04-10 09:03:02 H=(193.82.116.30) [220.120.215.60]
F=<judf3wh@???> rejected RCPT <aabom@???>: HELO with bare
IP : 193.82.116.30
2005-04-10 09:03:03 H=(193.82.116.30) [220.120.215.60]
F=<judf3wh@???> rejected RCPT <aabsq@???>: HELO with bare
IP : 193.82.116.30
2005-04-10 09:03:04 H=(193.82.116.30) [220.120.215.60]
F=<dihdsy32hqwn@???> rejected RCPT <aabualru@???>: HELO with
bare IP : 193.82.116.30
2005-04-10 09:03:05 H=(193.82.116.30) [220.120.215.60]
F=<dihdsy32hqwn@???> rejected RCPT <aabuc@???>: HELO with bare
IP : 193.82.116.30
2005-04-10 09:03:05 H=(193.82.116.30) [220.120.215.60]
F=<dihdsy32hqwn@???> rejected RCPT <aabuck717@???>: HELO with
bare IP : 193.82.116.30
2005-04-10 09:03:06 H=(193.82.116.30) [220.120.215.60]
F=<dihdsy32hqwn@???> rejected RCPT <aabunaw@???>: HELO with
bare IP : 193.82.116.30
2005-04-10 09:03:06 H=(193.82.116.30) [220.120.215.60]
F=<dihdsy32hqwn@???> rejected RCPT <aabuq@???>: HELO with bare
IP : 193.82.116.30
2005-04-10 09:03:07 H=(193.82.116.30) [220.120.215.60]
F=<dihdsy32hqwn@???> rejected RCPT <aabutle@???>: HELO with
bare IP : 193.82.116.30
2005-04-10 09:03:07 H=(193.82.116.30) [220.120.215.60]
F=<dihdsy32hqwn@???> rejected RCPT <aabvg@???>: HELO with bare
IP : 193.82.116.30
2005-04-10 09:03:08 H=(193.82.116.30) [220.120.215.60]
F=<dihdsy32hqwn@???> rejected RCPT <aabvj@???>: HELO with bare
IP : 193.82.116.30
2005-04-10 09:03:08 H=(193.82.116.30) [220.120.215.60]
F=<dihdsy32hqwn@???> rejected RCPT <aabvp@???>: HELO with bare
IP : 193.82.116.30
2005-04-10 09:03:09 H=(193.82.116.30) [220.120.215.60]
F=<dihdsy32hqwn@???> rejected RCPT <aabvw@???>: HELO with bare
IP : 193.82.116.30
2005-04-10 09:03:09 H=(193.82.116.30) [220.120.215.60]
F=<dihdsy32hqwn@???> rejected RCPT <aabzi@???>: HELO with bare
IP : 193.82.116.30
2005-04-10 09:03:10 H=(193.82.116.30) [220.120.215.60]
F=<dihdsy32hqwn@???> rejected RCPT <aac02@???>: HELO with bare
IP : 193.82.116.30

<snip> ... it just goes on and on :o(


People that don't say HELO:

2005-04-10 08:56:51 SMTP protocol violation: synchronization error (input
sent without waiting for greeting): rejected connection from
H=[210.212.246.61]
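The HELO/EHLO checks a) to g) above, written out as an added example in Python. This is not Mike's or Thorcom's code and not an Exim ACL; it is a stand-alone classifier that takes the greeting string and returns the reason it would be rejected, using the same categories the post lists. The relay's own names and addresses (relay.example.net, 192.0.2.10 and so on) and the FAKE_DNS table are constructed documentation values so the example runs offline; a real deployment would replace fake_resolve with actual A/AAAA and MX lookups. Checks f) and g) are folded into one "neither A nor MX" test, since that is what "no route back" amounts to, and the "recipient's domain" case from the log extract is implemented as a lookup against the domains the relay accepts mail for.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample data standing in for the relay's own identity. These are
# documentation names/addresses, not the real relay.thorcom.net configuration.
LOCAL_HOSTNAMES = {"relay.example.net", "mx2.example.net"}
LOCAL_ADDRESSES = {"192.0.2.10", "192.0.2.11"}
LOCAL_DOMAINS = {"example.net", "example.org"}        # domains we accept mail for

# Constructed stand-in for DNS so the example runs offline. A real deployment
# would look up A/AAAA and MX records instead of consulting this table.
FAKE_DNS = {
    "mail.customer.example.com": {"A": True, "MX": False},
    "customer.example.com": {"A": False, "MX": True},
    "example.net": {"A": True, "MX": True},
    "relay.example.net": {"A": True, "MX": False},
}

# RFC 1123 style hostname: letters, digits and hyphens per label, no leading
# or trailing hyphen, at most 253 characters overall.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?"
    r"(?:\.[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?)*$"
)


def fake_resolve(name, rtype):
    """Hypothetical resolver: True if `name` has a record of type `rtype`."""
    return FAKE_DNS.get(name.lower(), {}).get(rtype, False)


def is_ip(text):
    """True if `text` parses as an IPv4 or IPv6 address."""
    try:
        ipaddress.ip_address(text)
        return True
    except ValueError:
        return False


def classify_helo(helo, resolve=fake_resolve):
    """Return a rejection reason for a HELO/EHLO argument, or None to accept.

    The checks follow categories a) to g) in the post; f) and g) collapse into
    a single "no A and no MX" test because that is what "no route back" means.
    """
    if not helo:
        return "no HELO/EHLO"                     # client skipped the greeting
    # a) a bare IP address where an address literal [1.2.3.4] was meant
    if is_ip(helo):
        return "HELO with bare IP"
    # address literal: syntactically fine, unless it is one of our addresses (b, c)
    if helo.startswith("[") and helo.endswith("]"):
        inner = helo[1:-1]
        if inner.lower().startswith("ipv6:"):
            inner = inner[5:]
        if not is_ip(inner):
            return "malformed address literal"
        return "HELO with our own IP" if inner in LOCAL_ADDRESSES else None
    name = helo.lower().rstrip(".")
    if not HOSTNAME_RE.match(name):
        return "HELO not a valid hostname"
    # d) a bare machine name such as MAILSERVER or OEMCOMPUTER
    if "." not in name:
        return "HELO not FQDN"
    # b, c) the client claims to be this relay or one of our other MXs
    if name in LOCAL_HOSTNAMES:
        return "HELO with our own hostname"
    # e) the client greets with a domain we receive mail for, not a host
    if name in LOCAL_DOMAINS:
        return "Bad HELO: recipient domain"
    # f, g) nothing routes back to this name: neither an address nor an MX
    if not resolve(name, "A") and not resolve(name, "MX"):
        return "HELO host not routable"
    return None


def tally_helos(helos, resolve=fake_resolve):
    """Count rejection reasons over a batch of HELO strings ("accepted" for None)."""
    return Counter(classify_helo(h, resolve) or "accepted" for h in helos)


if __name__ == "__main__":
    # Constructed sample greetings, modelled on the categories in the post.
    sample = ["1.2.3.4", "[192.0.2.10]", "MAILSERVER", "OEMCOMPUTER",
              "relay.example.net", "example.net", "garbage.example.com",
              "mail.customer.example.com", ""]
    for h in sample:
        print(f"{h or '<none>':28} -> {classify_helo(h) or 'accepted'}")
    print(tally_helos(sample))
```

The order of the tests matters: the bare-IP and address-literal cases are decided before any DNS lookup, so the cheap syntactic rejections (which the post says account for most of the traffic) never cost a resolver round trip, and only a greeting that is a well-formed FQDN and not one of our own names reaches the "route back" check.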