Wow! Can you post the ACLs that do this? I do some of this with great
success but it looks like you have more tricks!
Michael J. Tubby B.Sc. (Hons) wrote:
>
> Myself and Peter Bowyer (also on this list) run mail relays for some
> 250+ domains we do positive blocking on the HELO/EHLO provided
> by the originator - we have several machines that act as relays slaved
> from a common database... relay.thorcom.net, relay.salmark.net,
> relay.omnieng.net ...
>
> Analysing our logs we find that we reject HELO/EHLO from:
>
> a) 'bare' IP addresses, eg.
>
> HELO 1.2.3.4
>
> which if used at all should be
>
> HELO [1.2.3.4]
>
> b) senders saying HELO with our ip address, ie:
>
> HELO [193.82.116.30]
>
> which is the address of relay.thorcom.net
>
> c) senders saying HELO with the IP address of one of our other
> MXs, so bulk mailer connects to relay.thorcom.net and says
> HELO with the IP address of relay.omnieng.net
>
> d) senders that say HELO from a non FQDN, like:
>
> HELO MAILSERVER
> HELO OEMCOMPUTER
>
> the latter being a well known virus. The first one turned out to
> be a broadcast email server for a well known UK accountancy
> software company (name of herb) used to send monthly news
> letters to their customers -- the machine was inside their coporate
> firewall (a PIX by all accounts) natted to the 'net.
>
> e) senders that say HELO for domain names, not hosts
>
> f) senders that say HELO for non-existent host/domains
>
> g) senders that say HELO from domains for which there is no email
> route back, ie. neither a host nor MX, like:
>
> <made-up-garbage>.aol.com
> <made-up-garbage>.microsoft.com
> <made-up-garbage>.<your-domain>.com
>
> nb. this okay to do as there is a requirement to support, as a
> minimum,
> postmaster@domain for bounces
>
>
> In addition we block senders that don't even say HELO/EHLO and
> attempt to proceed directly to envelope, eg. "MAIL FROM: <>".
>
>
> Our approach to handling email from public internet sites/addresses has
> changed to one of "how quickly can we find a reason to not let this
> email in" -- we:
>
> - check/sanitise the HELO/EHLO greeting
>
> - do a sender verify (check the MAIL FROM: domain is routable back)
>
> - do a recipient verify (call forward to the 'next hop' SMTP address and
> check we can deliver the to address)
>
> and only then accept the body of the email.
>
> Over 80% of the email transactions offered to us fail (we reject them)
> before the message body is sent -- this is good because it saves our
> internet
> bandwidth and CPU cycles.
>
>
> To date I have had to put three entries in the whitelist_hosts table in
> our database -- they are all household names that should know better --
> but its a small price to pay for a huge improvement in performance of
> the mail relay system.
>
> Below are a few extracts from our logs.
>
>
> Mike
>
>
>
>
> A non-FQDN:
>
> 2005-04-10 08:45:10 H=(TZH) [61.183.37.164]
> F=<Lindsey.Amos@???> rejected RCPT <kiddies@???>:
> HELO not FQDN : TZH
>
>
> HELO for a recipient's domain name:
>
> 2005-04-10 09:06:06 H=(tobit.co.uk) [62.113.92.195]
> F=<bor@???> rejected RCPT <farlay@???>: Bad HELO:
> tobit.co.uk
>
>
> HELO with bae ip addresses:
>
> 2005-04-10 09:02:59 H=(193.82.116.30) [220.120.215.60]
> F=<judf3wh@???> rejected RCPT <aabbcc_9456@???>: HELO
> with bare IP : 193.82.116.30
> 2005-04-10 09:03:00 H=(193.82.116.30) [220.120.215.60]
> F=<judf3wh@???> rejected RCPT <aabdouni@???>: HELO
> with bare IP : 193.82.116.30
> 2005-04-10 09:03:00 H=(193.82.116.30) [220.120.215.60]
> F=<judf3wh@???> rejected RCPT <aabjly@???>: HELO with
> bare IP : 193.82.116.30
> 2005-04-10 09:03:01 H=(193.82.116.30) [220.120.215.60]
> F=<judf3wh@???> rejected RCPT <aabkj@???>: HELO with
> bare IP : 193.82.116.30
> 2005-04-10 09:03:01 H=(193.82.116.30) [220.120.215.60]
> F=<judf3wh@???> rejected RCPT <aabmj@???>: HELO with
> bare IP : 193.82.116.30
> 2005-04-10 09:03:02 H=(193.82.116.30) [220.120.215.60]
> F=<judf3wh@???> rejected RCPT <aabodrx2pst@???>: HELO
> with bare IP : 193.82.116.30
> 2005-04-10 09:03:02 H=(193.82.116.30) [220.120.215.60]
> F=<judf3wh@???> rejected RCPT <aabom@???>: HELO with
> bare IP : 193.82.116.30
> 2005-04-10 09:03:03 H=(193.82.116.30) [220.120.215.60]
> F=<judf3wh@???> rejected RCPT <aabsq@???>: HELO with
> bare IP : 193.82.116.30
> 2005-04-10 09:03:04 H=(193.82.116.30) [220.120.215.60]
> F=<dihdsy32hqwn@???> rejected RCPT <aabualru@???>: HELO
> with bare IP : 193.82.116.30
> 2005-04-10 09:03:05 H=(193.82.116.30) [220.120.215.60]
> F=<dihdsy32hqwn@???> rejected RCPT <aabuc@???>: HELO with
> bare IP : 193.82.116.30
> 2005-04-10 09:03:05 H=(193.82.116.30) [220.120.215.60]
> F=<dihdsy32hqwn@???> rejected RCPT <aabuck717@???>: HELO
> with bare IP : 193.82.116.30
> 2005-04-10 09:03:06 H=(193.82.116.30) [220.120.215.60]
> F=<dihdsy32hqwn@???> rejected RCPT <aabunaw@???>: HELO
> with bare IP : 193.82.116.30
> 2005-04-10 09:03:06 H=(193.82.116.30) [220.120.215.60]
> F=<dihdsy32hqwn@???> rejected RCPT <aabuq@???>: HELO with
> bare IP : 193.82.116.30
> 2005-04-10 09:03:07 H=(193.82.116.30) [220.120.215.60]
> F=<dihdsy32hqwn@???> rejected RCPT <aabutle@???>: HELO
> with bare IP : 193.82.116.30
> 2005-04-10 09:03:07 H=(193.82.116.30) [220.120.215.60]
> F=<dihdsy32hqwn@???> rejected RCPT <aabvg@???>: HELO with
> bare IP : 193.82.116.30
> 2005-04-10 09:03:08 H=(193.82.116.30) [220.120.215.60]
> F=<dihdsy32hqwn@???> rejected RCPT <aabvj@???>: HELO with
> bare IP : 193.82.116.30
> 2005-04-10 09:03:08 H=(193.82.116.30) [220.120.215.60]
> F=<dihdsy32hqwn@???> rejected RCPT <aabvp@???>: HELO with
> bare IP : 193.82.116.30
> 2005-04-10 09:03:09 H=(193.82.116.30) [220.120.215.60]
> F=<dihdsy32hqwn@???> rejected RCPT <aabvw@???>: HELO with
> bare IP : 193.82.116.30
> 2005-04-10 09:03:09 H=(193.82.116.30) [220.120.215.60]
> F=<dihdsy32hqwn@???> rejected RCPT <aabzi@???>: HELO with
> bare IP : 193.82.116.30
> 2005-04-10 09:03:10 H=(193.82.116.30) [220.120.215.60]
> F=<dihdsy32hqwn@???> rejected RCPT <aac02@???>: HELO with
> bare IP : 193.82.116.30
>
> <snip> ... it just goes on and on :o(
>
>
> People that don't say HELO:
>
> 2005-04-10 08:56:51 SMTP protocol violation: synchronization error
> (input sent without waiting for greeting): rejected connection from
> H=[210.212.246.61]
>
>
>
>
