Re: [exim] Are we being harsh

Author: Marc Perkel
Date:  
To: Michael J. Tubby B.Sc. (Hons)
CC: Exim-Users \(E-mail\)
Subject: Re: [exim] Are we being harsh
Wow! Can you post the ACLs that do this? I do some of this with great
success but it looks like you have more tricks!

Michael J. Tubby B.Sc. (Hons) wrote:

>
> Myself and Peter Bowyer (also on this list) run mail relays for some
> 250+ domains; we do positive blocking on the HELO/EHLO provided
> by the originator - we have several machines that act as relays slaved
> from a common database... relay.thorcom.net, relay.salmark.net,
> relay.omnieng.net ...
>
> Analysing our logs we find that we reject HELO/EHLO from:
>
> a) 'bare' IP addresses, eg.
>
>        HELO 1.2.3.4
>
> which if used at all should be
>
>        HELO [1.2.3.4]
>
> b) senders saying HELO with our ip address, ie:
>
>        HELO [193.82.116.30]
>
>    which is the address of relay.thorcom.net
>
> c) senders saying HELO with the IP address of one of our other
>    MXs, so bulk mailer connects to relay.thorcom.net and says
>    HELO with the IP address of relay.omnieng.net
>
> d) senders that say HELO from a non FQDN, like:
>
>        HELO MAILSERVER
>        HELO OEMCOMPUTER
>
>    the latter being a well known virus.  The first one turned out to
>    be a broadcast email server for a well known UK accountancy
>    software company (name of herb) used to send monthly news
>    letters to their customers -- the machine was inside their corporate
>    firewall (a PIX by all accounts) natted to the 'net.
>
> e) senders that say HELO for domain names, not hosts
>
> f) senders that say HELO for non-existent host/domains
>
> g) senders that say HELO from domains for which there is no email
>    route back, ie. neither a host nor MX, like:
>
>         <made-up-garbage>.aol.com
>         <made-up-garbage>.microsoft.com
>         <made-up-garbage>.<your-domain>.com
>
>    nb. this is okay to do as there is a requirement to support, as a
>    minimum, postmaster@domain for bounces
>
>
> In addition we block senders that don't even say HELO/EHLO and
> attempt to proceed directly to envelope, eg. "MAIL FROM: <>".
>
>
> Our approach to handling email from public internet sites/addresses has
> changed to one of "how quickly can we find a reason to not let this
> email in" -- we:
>
> - check/sanitise the HELO/EHLO greeting
>
> - do a sender verify (check the MAIL FROM: domain is routable back)
>
> - do a recipient verify (call forward to the 'next hop' SMTP address and
> check we can deliver the to address)
>
> and only then accept the body of the email.
>
> Over 80% of the email transactions offered to us fail (we reject them)
> before the message body is sent -- this is good because it saves our
> internet bandwidth and CPU cycles.
>
>
> To date I have had to put three entries in the whitelist_hosts table in
> our database -- they are all household names that should know better --
> but it's a small price to pay for a huge improvement in performance of
> the mail relay system.
>
> Below are a few extracts from our logs.
>
>
> Mike
>
>
>
>
> A non-FQDN:
>
> 2005-04-10 08:45:10 H=(TZH) [61.183.37.164]
> F=<Lindsey.Amos@???> rejected RCPT <kiddies@???>:
> HELO not FQDN : TZH
>
>
> HELO for a recipient's domain name:
>
> 2005-04-10 09:06:06 H=(tobit.co.uk) [62.113.92.195]
> F=<bor@???> rejected RCPT <farlay@???>: Bad HELO:
> tobit.co.uk
>
>
> HELO with bare IP addresses:
>
> 2005-04-10 09:02:59 H=(193.82.116.30) [220.120.215.60]
> F=<judf3wh@???> rejected RCPT <aabbcc_9456@???>: HELO
> with bare IP : 193.82.116.30
> 2005-04-10 09:03:00 H=(193.82.116.30) [220.120.215.60]
> F=<judf3wh@???> rejected RCPT <aabdouni@???>: HELO
> with bare IP : 193.82.116.30
> 2005-04-10 09:03:00 H=(193.82.116.30) [220.120.215.60]
> F=<judf3wh@???> rejected RCPT <aabjly@???>: HELO with
> bare IP : 193.82.116.30
> 2005-04-10 09:03:01 H=(193.82.116.30) [220.120.215.60]
> F=<judf3wh@???> rejected RCPT <aabkj@???>: HELO with
> bare IP : 193.82.116.30
> 2005-04-10 09:03:01 H=(193.82.116.30) [220.120.215.60]
> F=<judf3wh@???> rejected RCPT <aabmj@???>: HELO with
> bare IP : 193.82.116.30
> 2005-04-10 09:03:02 H=(193.82.116.30) [220.120.215.60]
> F=<judf3wh@???> rejected RCPT <aabodrx2pst@???>: HELO
> with bare IP : 193.82.116.30
> 2005-04-10 09:03:02 H=(193.82.116.30) [220.120.215.60]
> F=<judf3wh@???> rejected RCPT <aabom@???>: HELO with
> bare IP : 193.82.116.30
> 2005-04-10 09:03:03 H=(193.82.116.30) [220.120.215.60]
> F=<judf3wh@???> rejected RCPT <aabsq@???>: HELO with
> bare IP : 193.82.116.30
> 2005-04-10 09:03:04 H=(193.82.116.30) [220.120.215.60]
> F=<dihdsy32hqwn@???> rejected RCPT <aabualru@???>: HELO
> with bare IP : 193.82.116.30
> 2005-04-10 09:03:05 H=(193.82.116.30) [220.120.215.60]
> F=<dihdsy32hqwn@???> rejected RCPT <aabuc@???>: HELO with
> bare IP : 193.82.116.30
> 2005-04-10 09:03:05 H=(193.82.116.30) [220.120.215.60]
> F=<dihdsy32hqwn@???> rejected RCPT <aabuck717@???>: HELO
> with bare IP : 193.82.116.30
> 2005-04-10 09:03:06 H=(193.82.116.30) [220.120.215.60]
> F=<dihdsy32hqwn@???> rejected RCPT <aabunaw@???>: HELO
> with bare IP : 193.82.116.30
> 2005-04-10 09:03:06 H=(193.82.116.30) [220.120.215.60]
> F=<dihdsy32hqwn@???> rejected RCPT <aabuq@???>: HELO with
> bare IP : 193.82.116.30
> 2005-04-10 09:03:07 H=(193.82.116.30) [220.120.215.60]
> F=<dihdsy32hqwn@???> rejected RCPT <aabutle@???>: HELO
> with bare IP : 193.82.116.30
> 2005-04-10 09:03:07 H=(193.82.116.30) [220.120.215.60]
> F=<dihdsy32hqwn@???> rejected RCPT <aabvg@???>: HELO with
> bare IP : 193.82.116.30
> 2005-04-10 09:03:08 H=(193.82.116.30) [220.120.215.60]
> F=<dihdsy32hqwn@???> rejected RCPT <aabvj@???>: HELO with
> bare IP : 193.82.116.30
> 2005-04-10 09:03:08 H=(193.82.116.30) [220.120.215.60]
> F=<dihdsy32hqwn@???> rejected RCPT <aabvp@???>: HELO with
> bare IP : 193.82.116.30
> 2005-04-10 09:03:09 H=(193.82.116.30) [220.120.215.60]
> F=<dihdsy32hqwn@???> rejected RCPT <aabvw@???>: HELO with
> bare IP : 193.82.116.30
> 2005-04-10 09:03:09 H=(193.82.116.30) [220.120.215.60]
> F=<dihdsy32hqwn@???> rejected RCPT <aabzi@???>: HELO with
> bare IP : 193.82.116.30
> 2005-04-10 09:03:10 H=(193.82.116.30) [220.120.215.60]
> F=<dihdsy32hqwn@???> rejected RCPT <aac02@???>: HELO with
> bare IP : 193.82.116.30
>
> <snip> ... it just goes on and on :o(
>
>
> People that don't say HELO:
>
> 2005-04-10 08:56:51 SMTP protocol violation: synchronization error
> (input sent without waiting for greeting): rejected connection from
> H=[210.212.246.61]
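Since the question above is "can you post the ACLs", here is a sketch, added to this archive page and not Mike's actual configuration, of how the HELO checks (a) to (g) and the "no HELO" case map onto an Exim 4 RCPT-time ACL. The macro OUR_RELAY_IP_RE, the host lists relay_from_hosts and whitelist_hosts, and every address in them are assumptions; `verify = helo` is Exim's own forward/reverse DNS check, which only approximates Mike's "no route back" test for (e) to (g).

```exim
# Added example, not the ACL from the thread. Exim 4 fragment reproducing
# the HELO checks listed above. OUR_RELAY_IP_RE, relay_from_hosts and
# whitelist_hosts are assumed names; all addresses are constructed samples.

# regex matching the public addresses of our relay cluster (constructed)
OUR_RELAY_IP_RE = 192\.0\.2\.1[0-2]
hostlist relay_from_hosts = 127.0.0.1 : 192.0.2.0/24
hostlist whitelist_hosts  = 198.51.100.7

# default anyway: clients that send before the banner are rejected and
# logged as "SMTP protocol violation: synchronization error"
smtp_enforce_sync = true
acl_smtp_rcpt = acl_check_rcpt

begin acl

acl_check_rcpt:

  # our own hosts and the short whitelist skip every HELO check
  accept  hosts     = +relay_from_hosts : +whitelist_hosts

  # no HELO/EHLO at all (client went straight to MAIL FROM)
  deny    condition = ${if eq{$sender_helo_name}{}}
          message   = HELO/EHLO required

  # (a) bare IP address; an address literal must be bracketed: [1.2.3.4]
  deny    condition = ${if isip{$sender_helo_name}}
          message   = HELO with bare IP : $sender_helo_name

  # (b)/(c) HELO claims this relay or one of our other MXs, bracketed or not
  deny    condition = ${if match{$sender_helo_name}{\N^\[?(OUR_RELAY_IP_RE)\]?$\N}}
          message   = HELO with our own address : $sender_helo_name

  # (d) not fully qualified: no dot anywhere in the name
  deny    condition = ${if match{$sender_helo_name}{\N^[^.]+$\N}}
          message   = HELO not FQDN : $sender_helo_name

  # (e)-(g) approximated with Exim's own HELO verification (forward/reverse
  # DNS against the connecting address), not an MX route-back test
  deny   !verify    = helo
          message   = Bad HELO: $sender_helo_name

  # sender domain must route back, recipient is called forward to the next
  # hop; only then is the RCPT (and later the body) accepted
  require verify    = sender
  require verify    = recipient/callout
  accept
```

Each deny carries the same message text that appears in the rejection log lines above, so the rejected categories can be counted straight from the log.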