Kjetil Torgrim Homme wrote:
> On Thu, 2006-01-19 at 08:04 +0800, Bill Hacker wrote:
>
>>Andrew - Supernews wrote:
>>
>>>It is a _NORMAL_ case for the HELO domain to be different to the domain
>>
>>"Not uncommon", yes, Dunno if 'Normal' fits so well w/r MTA's.
>
>
> very few properly set up servers will have the domain name as their
> hostname.
There is often a prefix (or several) but it is there... we haven't seen
a lot of raw IP's lately.
> can you imagine yahoo.com being an actual host handling
> e-mail? that would have to be a serious piece of hardware :-)
Dispersed clusters, actually. As most large ISP's are.
Yahoo passes the test:
2005-12-03 01:34:47 1EiMHV-0007FN-F8 <= ob-fu-scated@???
H=web15008.mail.cnb.yahoo.com [202.165.103.65]:22861
I=[203.194.153.81]:25 P=smtp S=19983
id=20051203013231.12507.qmail@???
So does aol:
2006-01-15 20:22:02 1EyENs-000KND-IC <= ob-fu-scated@???
H=imo-m20.mx.aol.com [64.12.137.1]:38788 I=[203.194.153.81]:25 P=esmtp
S=3183 id=1e3.4aceed8a.30fc0800@???
And gmail:
2006-01-17 08:57:23 1EymeQ-0001ag-LQ <= ob-fu-scated@???
H=uproxy.gmail.com [66.249.92.193]:39470 I=[203.194.153.81]:25 P=esmtp
S=6286 id=5bb6e4250601170053w4c6d4bdfmac6d1f6bf23b821d@???
And hotmail:
2006-01-18 13:54:52 1EzDlk-0008dL-Is <= ob-fu-scated@???
H=bay111-f29.bay111.hotmail.com (hotmail.com) [64.4.17.39]:65444
I=[203.194.153.81]:25 P=esmtp S=574274
id=BAY111-F29FCDC7159714A03C0E8F4C51D0@???
Note <domain>.<tld> in the helo, the sender's address, and even the
messageID in most.
I don't care about the prefixes, or *which* of their many MTA is active,
so long as it is (one of) theirs.
Rejectlog also shows hundreds of forged attempts masquerading as yahoo,
msn, aol, etc. that were rejected as NOT theirs for each bona-fide message.
FWIW MSN/hotmail (mixed), ATTGlobal/prsrv/netvigator (mixed), and the
exim mailing list server at Cambridge (other priorities?) all
consistently fail this small test, but seldom set a foot wrong
otherwise, hence go on to completion.
>
>
>>Most of the truants abandoned the connection in the first 30-45 seconds
>>of their *first* jail term, 'didn't last a minute' IOW.
>>
>>Well-behaved MTA are more patient than the average spam engine.
>
>
> we only advertise pipelining to hosts where HELO matches the reverse
> DNS:
>
> pipelining_advertise_hosts = ${if eq {$sender_host_name}{$sender_helo_name}\
> {*}{}}
We don't necessarily advertise pipelining *at all*.
Nor would we miss it anymore than the 'big guns' above, who, save for
one errant box, one instance, 'downshift' when it is not available.
Their frantic imposters usually fail that test also.
>
> (I'm afraid there's a one in three chance this will happen to your
> server, since Exim will just pick the first PTR returned.)
>
True, (not that it would be noticed) but this isn't about matching helo
to the PTR.
It's about matching the 'helo' to the domain in the sender's address.
> we also incur a small delay (10s) for "suspicious" behaviour, and this
> does indeed cause many callers to be booted due to non-conforming SMTP
> implementations. if they do behave, we don't penalise them further with
> SA score or such.
>
Try the number of 'rudeness' points times (n)1 seconds at stage one,
(n)(n) seconds at stage (n)..... ;-)
*NO* incoming avoids SA & ClamAV here, but not all get that far.
> of course we don't try to infer any connection between HELO and MAIL
> FROM.
Different strokes.....
Bill
