Re: [exim] Exim rejects: syntactically invalid argument

Author: Alan J. Flavell
Date:  
To: Exim users list
Subject: Re: [exim] Exim rejects: syntactically invalid argument
On Thu, 29 Sep 2005, Alun wrote:

> My ACL says:


For clarification please - is this at HELO time? When we originally
set ours up (admittedly some years back now), we found that rejection
at HELO time would provoke some offering MTAs into repeated retries -
in some cases, very aggressively so. I suspect "drop" would be even
worse...?

So we deferred rejection until RCPT time, which seemed to be the most
effective way of getting them off our backs. OK, true, some peer
MTA-like objects (a certain majority vendor comes to mind) then have a
habit of hiding our actual error report, and lying to the would-be
sender that the intended recipient does not exist - but that's not our
responsibility...

I have to admit that we didn't review what would happen nowadays if we
moved the rejection back to the earlier phase. We just left it where
it was.

>   drop condition = ${if or {\
>                 {eq {$sender_helo_name}{[$interface_address]}}\
>                 {eq {$sender_helo_name}{$interface_address}}\
>                 {eq {$sender_helo_name}{$primary_hostname}}\
>                 {eq {$sender_helo_name}{aber.ac.uk}}\
>                 {eq {$sender_helo_name}{mailserv.aber.ac.uk}}\
>                 {eq {$sender_helo_name}{mailserv2.aber.ac.uk}}\
>                 }{yes}{no}}

>
> This happens before greylisting and has matched 28,565 attempts since
> Sunday


Have you been looking out specifically for retry patterns in response
to that stanza, could you say, please?


By the way, if we're doing numbers, I should stress that the numbers
which I mentioned were basically for one department (even though I
mentioned several domains within).

I could add that (rather obviously) the fakers who present a
particular domain of ours in the HELO are also presenting a recipient
address in that specific domain. At least, that appears to be the
regular pattern of their behaviour. So I suppose the proportion of
each domain that's presented in HELO ought to be measured against the
number of attempts to spam addresses in that respective domain.

cheers
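
Added example, not part of the original message or of Exim itself: a Python sketch of the two measurements raised above, namely which hosts retry rapidly after a forged-HELO rejection, and what share of rejected RCPTs for each domain carried that same domain in HELO. The log lines are constructed in the shape of Exim main-log RCPT rejections, and the domains, addresses, rejection text and thresholds are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines, shaped like Exim main-log RCPT rejections (not from the thread).
SAMPLE_LOG = """\
2005-09-29 10:00:00 H=(dept-a.example) [192.0.2.10] F=<x@spam.example> rejected RCPT <bob@dept-a.example>: forged HELO
2005-09-29 10:00:20 H=(dept-a.example) [192.0.2.10] F=<x@spam.example> rejected RCPT <bob@dept-a.example>: forged HELO
2005-09-29 10:00:45 H=(dept-a.example) [192.0.2.10] F=<x@spam.example> rejected RCPT <amy@dept-a.example>: forged HELO
2005-09-29 10:05:00 H=(dept-b.example) [198.51.100.7] F=<y@spam.example> rejected RCPT <joe@dept-b.example>: forged HELO
2005-09-29 11:30:00 H=(mail.other.example) [203.0.113.5] F=<z@other.example> rejected RCPT <joe@dept-b.example>: unknown user
2005-09-29 12:10:00 H=(mail.other.example) [203.0.113.5] F=<z@other.example> rejected RCPT <ann@dept-b.example>: unknown user
"""
OUR_DOMAINS = {"dept-a.example", "dept-b.example"}  # hypothetical local domains

LINE_RE = re.compile(
    r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) H=(?:\S+ )?\(([^)]*)\) \[([^\]]+)\]"
    r".* rejected RCPT <[^@>]*@([^>]+)>")

def parse(log):
    """Yield (time, helo, ip, rcpt_domain) for each RCPT rejection line."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
            yield ts, m.group(2).lower(), m.group(3), m.group(4).lower()

def aggressive_retriers(log, max_gap=60, min_hits=3):
    """IPs with >= min_hits forged-HELO rejections, every gap <= max_gap seconds."""
    times = defaultdict(list)
    for ts, helo, ip, _ in parse(log):
        if helo in OUR_DOMAINS:
            times[ip].append(ts)
    out = {}
    for ip, seen in times.items():
        seen.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(seen, seen[1:])]
        if len(seen) >= min_hits and gaps and max(gaps) <= max_gap:
            out[ip] = len(seen)
    return out

def forged_share_by_domain(log):
    """Per recipient domain: fraction of rejected RCPTs whose HELO claimed that domain."""
    total, forged = defaultdict(int), defaultdict(int)
    for _, helo, _, dom in parse(log):
        total[dom] += 1
        forged[dom] += helo == dom
    return {d: forged[d] / total[d] for d in total}
```

Running the same two functions over logs taken with the rejection at HELO time and at RCPT time gives a direct comparison of retry behaviour between the two placements.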