Author: Alan J. Flavell
Date:
To: Exim users list
Subject: Re: [exim] Exim rejects: syntactically invalid argument
On Wed, 28 Sep 2005, Marc Sherman wrote:
> Adding these HELO checks to my ACLs has been on my todo list for a
> while. This thread got me interested in them again, so I did a quick
> search of my mainlog to find how many messages I was getting from
> hosts saying HELO as projectile.ca.
That's mighty curious. We support several email domains on the same
server, but the number of HELOs which present one of our own domains
is very different for the different domains, as it turns out. So far
this week: 35 for one, 573 for another, and 3 for a third.
We see lots which HELO with our dotted IP address (629 so far this
week).
> So out of 9408 HELO entries in my logs, 29 were bogus projectile.ca
> hosts, and of those, only 2 made it as far as the DATA acl
Sounds good...
> The other 27 were mostly rejected by recipient or sender
> verification (without callouts) in the RCPT acl.
We see a different pattern here. Amongst these HELO-fakers there are
plenty of valid recipients, plenty of sender addresses that I reckon
would pass even callout verification if we gave them the chance
(though some of them are faking sender addresses in our own domain).
They might be caught at this stage by some other means (DNSrbl,
primarily) but that's not certain. Seems to me that this simple HELO
test is well worth the minimal overhead involved.
(However, like every revisit to the configuration, I see there's a few
bits of dead wood for spamming patterns that were prevalent at one
time but are now disused.)
> So I guess I don't need to rush to add HELO checks to my acls, after
> all.
In your case, maybe. I'm sure we'll keep ours, though - it's a
sure-fire test of bogosity, and cheap to test.
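
The mainlog tally discussed in this thread, as an added example that is not part of the original messages: it counts remote hosts whose HELO presents one of the server's own domains or its own dotted IP address. The domain and address sets, the sample log lines, and the `H=(helo) [ip]` mainlog layout it parses are assumptions made for illustration.

```python
import re
from collections import Counter

# Assumed values for illustration; substitute your own domains and addresses.
LOCAL_DOMAINS = {"example.org", "example.net"}
LOCAL_IPS = {"192.0.2.10"}

# Assumed mainlog layout: the HELO name appears in parentheses inside the H=
# field (optionally after a verified host name), then the peer IP in brackets.
HOST_RE = re.compile(r"\bH=(?:\S+ )?\((?P<helo>[^)]*)\) \[(?P<ip>[0-9A-Fa-f.:]+)\]")

def classify(helo, peer_ip):
    """Return (kind, normalised_name) for a forged HELO, else None."""
    if peer_ip in LOCAL_IPS or peer_ip in ("127.0.0.1", "::1"):
        return None  # our own hosts may legitimately use our names
    name = helo.strip("[]").rstrip(".").lower()  # accept [literal] and FQDN dot
    if name in LOCAL_IPS:
        return ("own-ip", name)
    if name in LOCAL_DOMAINS:
        return ("own-domain", name)
    return None

def count_forged_helos(lines):
    """Tally remote peers that HELO as one of our domains or IP addresses."""
    counts = Counter()
    for line in lines:
        m = HOST_RE.search(line)
        if m:
            hit = classify(m["helo"], m["ip"])
            if hit:
                counts[hit] += 1
    return counts

# Constructed sample lines (documentation addresses, not real log data).
SAMPLE_LOG = """\
2005-09-28 10:00:01 H=(example.org) [203.0.113.5] F=<a@spam.invalid> rejected RCPT <bob@example.org>: Unrouteable address
2005-09-28 10:00:07 H=(192.0.2.10) [198.51.100.7] F=<c@example.org> rejected RCPT <nobody@example.org>: relay not permitted
2005-09-28 10:01:12 H=dsl-1.isp.invalid (EXAMPLE.NET) [198.51.100.23] F=<> rejected RCPT <x@example.net>
2005-09-28 10:02:00 H=mail.partner.invalid [203.0.113.80] F=<d@partner.invalid> rejected RCPT <y@example.org>
2005-09-28 10:02:30 H=(example.org) [192.0.2.10] F=<cron@example.org> rejected RCPT <z@example.org>
2005-09-28 10:03:00 1EKabc-0001Xy-7Q <= e@other.invalid H=(other.invalid) [203.0.113.9] P=esmtp S=1234
""".splitlines()

if __name__ == "__main__":
    for (kind, name), n in sorted(count_forged_helos(SAMPLE_LOG).items()):
        print(f"{n:6d}  {kind:10s}  {name}")
```

Running the same tally per domain gives the kind of breakdown quoted above, and comparing it against how many of those connections were later rejected for other reasons shows how much the HELO test catches on its own.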