On Wed, Sep 28, 2005 at 03:56:37PM -0400, Marc Sherman wrote:
> Adding these HELO checks to my ACLs has been on my todo list for a
> while. This thread got me interested in them again, so I did a quick
> search of my mainlog to find how many messages I was getting from hosts
> saying HELO as projectile.ca.
>
> # exigrep "H=.*" mainlog* | grep -v "^$" | wc -l
> 9408
> # exigrep "H=[^=]*\([^)]*projectile\.ca\)" mainlog* | grep -v "^$" | wc -l
> 29
> # exigrep ".{6}-.{6}-.{2} H=[^=]*\([^)]*projectile\.ca\)" mainlog* |
> grep -v "^$" | wc -l
> 2
...
>
> So I guess I don't need to rush to add HELO checks to my acls, after all.
Slightly more here:
$ exigrep "H=.*" mainlog | grep -v "^$" | wc -l
113347
$ exigrep "Forged HELO my" mainlog | grep -v "^$" | wc -l
2447
These are the results from one of our mail hubs, from midnight last
night until just now (i.e. just under 22 hours). We block bad HELO
info, and log it (using logwrite) as "Forged HELO my [reason]".
Reasons for blocking are simple; things such as connecting with
our IP address, or with the name of one of our mail hubs. Today
we've therefore blocked approximately 2.1% of incoming connections
on these tests.
Checking these individually gives:
$ egrep "Forged HELO my domain" mainlog | wc -l
1838
$ egrep "Forged HELO my IP" mainlog | wc -l
597
$ egrep "Forged HELO my FQDN" mainlog | wc -l
12
I guess it depends how big and visible you are, and how much you
are targeted.
Matthew
--
Matthew Newton <mcn4@???>
UNIX and e-mail Systems Administrator, Network Support Section,
Computer Centre, University of Leicester,
Leicester LE1 7RH, United Kingdom
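As an added illustration of the two things discussed in this thread (deciding when a HELO name is "forged" because it claims to be us, and tallying the resulting log lines the way the exigrep/egrep pipelines above do), here is a small Python script. It is not Matthew's ACL or log data: the hub identity (OUR_IP, OUR_DOMAIN, OUR_FQDNS), the "Forged HELO my ..." line layout and every mainlog line below are made up for the example. Note that, like the pipelines above, the tally counts log lines that carry "H=" rather than distinct TCP connections, so a session that delivers several messages is counted more than once.

```python
"""Classify HELO/EHLO names as the thread describes and tally the resulting
'Forged HELO my ...' mainlog lines.  Added example; all identities, reasons
and log lines are constructed, not taken from the original post."""
import ipaddress
import re
from collections import Counter

# Hypothetical identity of "our" mail hub (assumed values, not the poster's).
OUR_IP = "192.0.2.25"
OUR_DOMAIN = "example.ac.uk"
OUR_FQDNS = {"hub1.example.ac.uk", "hub2.example.ac.uk"}

# Constructed sample mainlog excerpt.  Normal deliveries carry "H=host [ip]";
# the ACL's logwrite lines are assumed to look like "H=(helo) [ip] Forged HELO my <reason>".
SAMPLE_MAINLOG = """\
2005-09-29 00:00:04 1EKx1a-0001Ab-3Q <= alice@example.org H=mail.example.org [198.51.100.4] P=esmtp S=1420
2005-09-29 00:00:09 H=(example.ac.uk) [203.0.113.7] Forged HELO my domain
2005-09-29 00:00:15 H=(192.0.2.25) [203.0.113.9] Forged HELO my IP
2005-09-29 00:01:02 1EKx2c-0001Ac-7K <= bob@example.net H=smtp.example.net [198.51.100.8] P=esmtp S=2201
2005-09-29 00:01:30 H=(hub1.example.ac.uk) [203.0.113.12] Forged HELO my FQDN
2005-09-29 00:02:11 H=(EXAMPLE.AC.UK) [203.0.113.7] Forged HELO my domain
2005-09-29 00:03:00 1EKx3d-0001Ad-9P Completed
"""

FORGED_RE = re.compile(r"Forged HELO my (IP|FQDN|domain)\b")
CONNECTION_RE = re.compile(r"\bH=")


def classify_helo(helo, our_ip=OUR_IP, our_domain=OUR_DOMAIN, our_fqdns=OUR_FQDNS):
    """Return why a HELO name is forged ("IP", "FQDN" or "domain"), or None.

    A remote host has no business greeting us with our own address (bare or as
    an RFC 5321 address literal "[a.b.c.d]"), one of our hubs' names, or our
    bare domain; those are the reasons the post lists.  Comparison is
    case-insensitive because HELO names are.
    """
    name = helo.strip().lower()
    literal = name[1:-1] if name.startswith("[") and name.endswith("]") else name
    try:
        if ipaddress.ip_address(literal) == ipaddress.ip_address(our_ip):
            return "IP"
    except ValueError:
        pass  # not an IP address at all; fall through to the name checks
    if name in {f.lower() for f in our_fqdns}:
        return "FQDN"
    if name == our_domain.lower():
        return "domain"
    return None


def tally(log_lines):
    """Count lines carrying H= (the thread's proxy for connections) and
    the forged-HELO reasons, mirroring the exigrep/egrep pipelines."""
    connections = 0
    reasons = Counter()
    for line in log_lines:
        if CONNECTION_RE.search(line):
            connections += 1
        match = FORGED_RE.search(line)
        if match:
            reasons[match.group(1)] += 1
    return connections, reasons


def forged_rate(connections, reasons):
    """Percentage of H= lines that were rejected on the HELO tests."""
    blocked = sum(reasons.values())
    return 100.0 * blocked / connections if connections else 0.0


if __name__ == "__main__":
    conns, reasons = tally(SAMPLE_MAINLOG.splitlines())
    print(f"{conns} H= lines, {sum(reasons.values())} forged "
          f"({forged_rate(conns, reasons):.1f}%)")
    for reason, count in reasons.most_common():
        print(f"  Forged HELO my {reason}: {count}")
    for helo in ("mail.example.org", "[192.0.2.25]", "HUB2.example.ac.uk", "example.ac.uk"):
        print(f"HELO {helo!r} -> {classify_helo(helo)}")
```

Run it as-is to see the classification and the per-reason counts for the sample; point tally() at a real mainlog to reproduce the percentage Matthew computes, bearing in mind the H= overcount mentioned above.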