Author: Wakko Warner
Date:
To: Richard Clayton
CC: exim-users
Subject: Re: [exim] denying my IP in helo, easy retry for spammers?
Please keep me in CC
Richard Clayton wrote:
> In message <20050831203756.GA1312@???>, Wakko Warner
> <wakko@???> writes
> >I thought about recording the first seen HELO from an IP address to a
> >database. If that IP connects and uses a different HELO, it gets
> >blacklisted and thus useless. I have not tried it though.
>
> This will -- in practice -- give you the wrong result with NAT, with
> dynamic address space, and with anyone who runs more than one piece of
> software. Some will argue that it should not, and others that you
> didn't want email from such sources anyway. You may or may not choose to
> believe such arguments :)
>
> That said, I find it's an excellent heuristic for detecting problems,
> but I use it as a basis for further examination of customer sending
> problems, not as a reason for rejecting email. So there is no need for
> it to be a perfect heuristic -- and the first paragraph of my reply
> indicates the usual problems with it that I see daily....
As I stated, I haven't tried it and didn't give too much thought to it.
Since I host for only myself, it's not so bad. I thought about that when I
saw an IP that was listed in an RBL hit with several different HELO strings.
> BTW you'd need to time out entries over some sort of fairly short period
> to avoid being caught out by ISPs renaming their cluster machines... :)
I hadn't thought of this; however, how often does it happen? I'd say if an
ISP did this, they would notice rather quickly. An alternative would be to
bypass this check if the HELO resolves to the connecting IP. I've seen spam
with a HELO of the hostname of the zombie according to DNS, so that wouldn't
work all that well either. If just everyone had a router and a private IP, it
would be much easier to block based on this.
--
Lab tests show that use of micro$oft causes cancer in lab animals
Got Gas???
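The first-seen-HELO heuristic discussed in this thread, written up as an added example (not code from either poster or from Exim): it flags rather than rejects, expires entries after a TTL so a renamed cluster machine is not flagged forever, and skips the flag when the new HELO resolves to the connecting IP. The resolver is injected and the DNS table is constructed, so it runs offline.

```python
"""Flagging aid for HELO/IP consistency, as discussed in the thread.

Assumptions: IPv4 strings as keys, a caller-supplied resolver (here a
constructed table), and timestamps passed in as seconds.
"""
from dataclasses import dataclass
from typing import Callable, Dict, Set

Resolver = Callable[[str], Set[str]]   # hostname -> set of IPv4 strings


@dataclass
class Seen:
    helo: str
    last_seen: float


class HeloTracker:
    def __init__(self, ttl_seconds: float, resolve: Resolver):
        self.ttl = ttl_seconds
        self.resolve = resolve
        self.first: Dict[str, Seen] = {}

    def observe(self, ip: str, helo: str, now: float) -> str:
        """Return a verdict for one connection; this never rejects mail."""
        helo = helo.lower().rstrip(".")          # normalise case and trailing dot
        entry = self.first.get(ip)
        if entry is not None and now - entry.last_seen > self.ttl:
            entry = None                         # stale: drop, per the timeout advice
        if entry is None:
            self.first[ip] = Seen(helo, now)
            return "first-seen"
        if helo == entry.helo:
            entry.last_seen = now                # only consistent sightings refresh the TTL
            return "consistent"
        # HELO changed. A name that resolves to the connecting IP is treated as a
        # legitimate rename and becomes the new baseline (the bypass suggested above).
        if ip in self.resolve(helo):
            self.first[ip] = Seen(helo, now)
            return "renamed-resolves"
        return "mismatch"                        # worth examining, not a reject


# Constructed DNS table for the offline demo (not real hosts)
_DNS = {"mail.example.net": {"192.0.2.10"}, "mx2.example.net": {"192.0.2.10"}}


def demo_resolver(name: str) -> Set[str]:
    return _DNS.get(name, set())
```

A "mismatch" verdict should feed a log or a review queue; as the thread notes, NAT and dynamic address space make it unsafe as a reject condition on its own.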