Re: [exim] HELO retries?

Author: Marc Perkel
Date:  
To: Ian Eiloart
CC: exim-users, Graeme Fowler
Subject: Re: [exim] HELO retries?


Ian Eiloart wrote:
> --On 27 March 2008 20:22:52 +0000 Graeme Fowler <graeme@???> wrote:
>
>
>> On Thu, 2008-03-27 at 12:27 -0700, Marc Perkel wrote:
>>
>>> I'm seeing something interesting. In the HELO acl if I issue a DENY I'm
>>> seeing servers doing a retry of the HELO. Is this normal?
>>>
>> Yes, perfectly. It's termed a "woodpecker". There are multiple records
>> of badly written mail applications hammering away for days until the
>> message times out.
>>
>> Better to reject after RCPT or DATA for some applications, as they then
>> go away permanently.
>>
>> Graeme
>>
>
> Apart from anything else, you should allow people to send email to
> postmaster, so that if they've got a bad HELO argument then at least they
> can get your advice on it.
>
>
>


Actually it was a situation where I was rejecting them at HELO for being
blacklisted in one of my own blacklists. You might be wondering why I did
it at HELO rather than connect, but I have a reason.

What I was doing was waiting for the HELO to see if there were any HELO
sins to note. Then I would issue a DENY rather than a DROP. Then I would
look to see if they closed the connection with a QUIT or let it time out.

The combination of having connected on one of my fake high numbered MX
records, with a HELO sin and no QUIT is a positive indicator that the
sender is a virus infected spambot and I can then send a message into my
blacklisting system that will start the 4 day clock again on that IP so
it won't expire.

Of course, I never thought that anyone would retry a HELO.

I am now not doing that. I'm now rejecting at the MAIL level or under
high load levels doing a DROP at connect.

I'm just thinking. I should write a configuration guide for setting up
Exim to deal with high load levels and put it on the Wiki.
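
The three-signal heuristic described in the message above (decoy MX, HELO sin, no QUIT, refreshing a 4 day listing), sketched as an added example that is not code from the post or from Exim. The class and function names, the listener addresses and the particular HELO checks are assumptions made for illustration; the session is judged once when it ends, so a client that retries HELO several times still counts as one observation.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

BLACKLIST_TTL = timedelta(days=4)      # the "4 day clock" from the post
DECOY_MX_IPS = {"192.0.2.25"}          # assumed: listener IPs of the fake high-numbered MX
OUR_NAMES = {"mx.example.org"}         # assumed: our own hostnames

@dataclass
class Session:                         # hypothetical summary of one SMTP connection
    client_ip: str
    local_ip: str                      # listener the client connected to
    helos: list                        # every HELO/EHLO argument seen, retries included
    sent_quit: bool                    # False if the client timed out or just dropped
    ended_at: datetime

def helo_sin(arg, local_ip):
    """Illustrative checks only; the post does not list its own HELO sins."""
    h = arg.strip().lower()
    if not h or h in OUR_NAMES or h.strip("[]") == local_ip:
        return True                    # empty, or claims to be us
    return "." not in h and not h.startswith("[")   # unqualified bare name

def is_spambot(s):
    """All three signals must agree, judged once per connection (not per HELO)."""
    return (s.local_ip in DECOY_MX_IPS
            and any(helo_sin(h, s.local_ip) for h in s.helos)
            and not s.sent_quit)

class Blacklist:
    def __init__(self):
        self.expires = {}              # client IP -> expiry time

    def listed(self, ip, now):
        return ip in self.expires and self.expires[ip] > now

    def observe(self, s):
        """Restart the expiry clock when a finished session matches."""
        if is_spambot(s):
            self.expires[s.client_ip] = s.ended_at + BLACKLIST_TTL
            return True
        return False

# Constructed sample sessions (documentation address ranges).
T0 = datetime(2008, 3, 27, 12, 0)
SAMPLES = [
    Session("198.51.100.7", "192.0.2.25", ["friend", "friend", "friend"], False, T0),
    Session("203.0.113.9", "192.0.2.25", ["mail.example.net"], True, T0),
    Session("203.0.113.40", "192.0.2.10", ["localhost"], False, T0),
]
```

Only the first sample matches: it hit the decoy listener, repeated a bare-word HELO and never sent QUIT. The second sent a clean HELO and quit, and the third reached a real MX address.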