Re: [exim] Hostnames

Author: Renaud Allard
Date:  
To: David Woodhouse
CC: 'Exim Maillist', Steffen Heil
Subject: Re: [exim] Hostnames


David Woodhouse wrote:
> On Mon, 2006-11-06 at 22:49 +0100, Renaud Allard wrote:
>> I have set some rules that store helo names in a mysql database and I
>> used it to block sites when the helo domain (only the domain part)
>> changed within small time intervals. However, it seems that some (many?)
>> legit mailservers behave this way. So I would advise you against doing
>> this. Changing the helo for the same IP is a very bad idea IMHO, but
>> blocking on this only will reject legit mails.
>
> When connecting manually to what seems to be a recalcitrant server, I'll
> often type 'helo me' -- and if I _do_ attempt to type my own hostname
> I'll probably mistype it a large proportion of the time anyway.
>


If you type 'helo me', I will reject your mail anyway as you don't even
try to give an FQDN (and I don't know you :))

> I consider those to be 'valid' cases in which the same IP address will
> connect with different greetings -- in addition to the point about
> people deliberately varying their greeting according to the domain of
> the sender.


In section 3.2 of RFC2821:
Once the server has sent the welcoming message and the client has
received it, the client normally sends the EHLO command to the
server, indicating the client's identity.

It just depends on how people interpret "client's identity". For me,
this means the identity of the server (acting as a client in this case), so
the HELO should be consistent whatever the sending domain is. So varying
the HELO would be somewhat valid in a case where the clients are behind
some kind of NAT. But, as I said, varying the HELO is IMHO not a good
idea as it prevents verifications.

If everyone in the world was required to have matching HELO, PTR, A
record, blocking spam would become more trivial as zombies would be
identified very easily and you would just have to have a list of spam
sending servers. That's why I think we should slowly evolve to such a
behavior. But that's my own opinion.



--
010100100110010101101110011000010111010101100100
010000010110110001101100011000010111001001100100
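
Added example, not part of the message above and not Exim code: a sketch of the "matching HELO, PTR, A record" check discussed in the thread, including the non-FQDN 'helo me' case. The lookup tables, host names and addresses are constructed and stand in for a real resolver.

```python
import ipaddress
import re

# Constructed DNS data standing in for a resolver (documentation IP ranges).
PTR = {
    "192.0.2.10": ["mail.example.org"],
    "192.0.2.20": ["mail.example.net"],
    "192.0.2.30": ["nat-gw.example.com"],
}
A = {
    "mail.example.org": ["192.0.2.10"],
    "mail.example.net": ["192.0.2.99"],   # PTR target does not point back
    "nat-gw.example.com": ["192.0.2.30"],
    "smtp.example.com": ["198.51.100.5"],
}
LABEL = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")


def is_fqdn(name):
    """True if name has at least two valid DNS labels, so 'me' fails."""
    labels = name.rstrip(".").lower().split(".")
    return len(labels) >= 2 and all(LABEL.match(label) for label in labels)


def check_helo(ip, helo, ptr=PTR, a=A):
    """Classify one connection by HELO / PTR / A consistency."""
    ip = str(ipaddress.ip_address(ip))      # ValueError on a malformed address
    helo = helo.strip().rstrip(".").lower()
    if not is_fqdn(helo):
        return "not-fqdn"                   # e.g. 'helo me'
    names = [n.rstrip(".").lower() for n in ptr.get(ip, [])]
    if not names:
        return "no-ptr"
    # Forward-confirm: keep PTR names whose A record points back at the IP.
    confirmed = [n for n in names if ip in a.get(n, [])]
    if not confirmed:
        return "ptr-unconfirmed"
    # HELO equals a confirmed PTR name, so HELO, PTR and A all agree.
    if helo in confirmed:
        return "match"
    return "helo-mismatch"                  # e.g. clients behind NAT


if __name__ == "__main__":
    for ip, helo in [("192.0.2.10", "mail.example.org"), ("192.0.2.10", "me"),
                     ("192.0.2.20", "mail.example.net"),
                     ("192.0.2.30", "smtp.example.com"),
                     ("203.0.113.7", "host.example.org")]:
        print(ip, helo, check_helo(ip, helo))
```

The "helo-mismatch" verdict is the one the thread says legitimate servers also produce, so it is better suited to scoring or logging than to outright rejection.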