Re: [exim] HELO/EHLO reject rates

Author: ROGERS Richard
Date:  
To: exim-users
Subject: Re: [exim] HELO/EHLO reject rates
Interesting observation. Unfortunately I don't keep historical data for
individual rejection reasons (possibly I should), but my feeling (and
it's only that) is that there has been an increase in the use of domain
literals as HELO/EHLO strings. Although (AFAIK) these are perfectly
legal, we now reject mail where the HELO/EHLO string is a domain literal
of the sending IP address AND there is no rDNS for the sending IP
address.

We also reject where the HELO/EHLO string is a single word (i.e. no "."
in it, so it can't be a FQDN or domain literal) AND there is no rDNS on
the sending IP.

No complaints about either of these so far (they probably count for
upwards of 5% of all rejections, despite being fairly late in the
sequence of tests).

I'd love to reject wherever there is no rDNS, but I think there would be
too many false positives involved. (I know that some here take the view
that this is not a false positive, but our users are likely to regard a
message that is not spam, and does not originate from a known source of
spam, as one that should be delivered). That's not to say it can't be
given a score in SpamAssassin though.

On a slightly related issue - I have an idea that the hit rate from RBLs
(we principally use MAPS+ and Spamhaus) may not be as high as it was a
couple of months ago. Does anyone else have the same feeling (or any
data to confirm/deny)?

Regards

Richard

--
Richard Rogers
IT Development and Innovation Manager
Information Services, Staffordshire University


> -----Original Message-----
> From: exim-users-bounces@???
> [mailto:exim-users-bounces@exim.org] On Behalf Of Phil Pennock
> Sent: 19 September 2007 10:32
> To: exim-users@???
> Subject: [exim] HELO/EHLO reject rates
>
> It appears that the effectiveness of filtering out known-bad HELO/EHLO
> has dropped somewhat in the past few months:
>
>
> http://people.spodhuis.org/phil.pennock/img/exim-reject.2007-09-19.png
>
> http://people.spodhuis.org/phil.pennock/img/exim-reject.2007-09-19.ylog.png
>
> Of course, this is in absolute numbers rather than a rate of HELOs
> received so it could be a lull in the connection attempts overall, but I
> doubt it, especially given the recent issues people have seen with
> parallel connections for major pumping.
>
> The y-axis is how many SMTP connections have been rejected, per day,
> based on this HELO/EHLO string; the normal IP in the legend is my
> system's IPv4 address -- I don't like remote people sending me my own IP
> address in HELO.
>
> This system is for a private colocation host handling a few personal
> domains with a very few non-local users (local user count is 2).
> Between 130 and 400 mails per day are actually delivered, mostly spam
> into spam-folders.
>
> -Phil
>
> --
> ## List details at http://lists.exim.org/mailman/listinfo/exim-users
> ## Exim details at http://www.exim.org/
> ## Please use the Wiki with this list - http://wiki.exim.org/
>
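As an added illustration of the two HELO/EHLO tests Richard describes (this is not code from the thread, from Exim, or from either poster), the following Python implements the policy as a pure decision function: reject when the HELO string is a domain literal equal to the sending IP and there is no rDNS, reject when the HELO string is a single word and there is no rDNS, and otherwise fall back to scoring (rather than rejecting) connections that merely lack rDNS, as the message suggests for SpamAssassin. The function names (`helo_verdict`, `parse_domain_literal`, `is_single_word`) and the sample sessions are constructed for this example; the rDNS result is assumed to be supplied by the caller (from whatever reverse lookup the MTA already performed) so the code runs offline.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Union

IPAddress = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]


@dataclass
class Verdict:
    action: str   # "reject", "score" or "accept"
    reason: str


def parse_domain_literal(helo: str) -> Optional[IPAddress]:
    """Return the address inside an RFC 5321 domain literal ([1.2.3.4] or
    [IPv6:2001:db8::1]); None if the HELO string is not a valid literal."""
    if not (helo.startswith("[") and helo.endswith("]")):
        return None
    inner = helo[1:-1]
    if inner.lower().startswith("ipv6:"):
        inner = inner[5:]
    try:
        return ipaddress.ip_address(inner)
    except ValueError:
        return None


def is_single_word(helo: str) -> bool:
    """A HELO with no '.' cannot be a FQDN. An IPv6 literal also has no
    dots, so exclude anything bracketed rather than relying on '.' alone."""
    return "." not in helo and not helo.startswith("[")


def helo_verdict(helo: str, sender_ip: str, rdns_name: Optional[str]) -> Verdict:
    """Apply the two reject rules from the thread, then a scoring fallback.
    rdns_name is the reverse-DNS name the MTA found for sender_ip, or None."""
    has_rdns = bool(rdns_name)
    ip = ipaddress.ip_address(sender_ip)
    literal = parse_domain_literal(helo)

    # Rule 1: HELO is a domain literal of the sending IP AND no rDNS.
    # (IPv4Address == IPv6Address simply compares False, no exception.)
    if literal is not None and literal == ip and not has_rdns:
        return Verdict("reject", "HELO is a domain literal of the sending IP and no rDNS")

    # Rule 2: HELO is a single word (not a FQDN, not a literal) AND no rDNS.
    if is_single_word(helo) and not has_rdns:
        return Verdict("reject", "HELO is a single word and no rDNS")

    # Missing rDNS on its own is not rejected here; hand it to the scorer.
    if not has_rdns:
        return Verdict("score", "no rDNS for sending IP (scored, not rejected)")

    return Verdict("accept", "no HELO policy match")


# Constructed sample sessions (documentation addresses, not real hosts).
SAMPLES = [
    ("[192.0.2.10]",        "192.0.2.10",   None),               # literal of own IP, no rDNS
    ("[192.0.2.10]",        "192.0.2.10",   "mail.example.net"), # same literal, but rDNS exists
    ("localhost",           "192.0.2.11",   None),               # single word, no rDNS
    ("[IPv6:2001:db8::1]",  "2001:db8::1",  None),               # IPv6 literal of own IP
    ("[IPv6:2001:db8::1]",  "2001:db8::2",  None),               # literal of a different IP
    ("mx.example.org",      "192.0.2.12",   None),               # FQDN, no rDNS -> score only
    ("mx.example.org",      "192.0.2.12",   "mx.example.org"),   # FQDN with rDNS -> accept
]


def run_samples():
    """Return (helo, ip, action) for each constructed session."""
    return [(h, ip, helo_verdict(h, ip, r).action) for h, ip, r in SAMPLES]


if __name__ == "__main__":
    for helo, ip, action in run_samples():
        print(f"{action:7} HELO {helo!r} from {ip}")
```

The second sample is the important one: a domain literal of the sender's own address is accepted when rDNS exists, which is exactly why the thread pairs each HELO test with the rDNS condition rather than rejecting literals outright. In Exim the same tests would be expressed as ACL conditions on `$sender_helo_name` combined with a reverse-lookup verification, with the ordering chosen so they run late in the ACL, as Richard notes.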
