On 12-Jan-16 4:50 PM, Mike Brudenell wrote:
> Intriguing! I'd always assumed that a client/server pair had to proceed
> through a HELO/EHLO before MAIL FROM then RCPT TO could be considered, and,
> given that, thought like Marius that rejecting the HELO/EHLO with a 5xx
> response code couldn't proceed into accepting a message.
>
> But looking at the section on HELO/EHLO in the RFC for SMTP
> <https://tools.ietf.org/html/rfc5321#section-4.1.1.1> it transpires that
> it's only a SHOULD requirement:
>
> "A client SMTP SHOULD start an SMTP session by issuing the EHLO command."
That's a good find, Mike, thanks for your reply. Never thought of it
this way, because in my opinion this behaviour is rather unintuitive.
Hell, all these years I kept issuing HELOs in telnet sessions when I
could spare some important brain-time :)
Anyway, the quick fix was replacing the deny statement with drop. This
will achieve the expected result, as it instantly closes the connection
after the incorrect HELO. It's not like those insistent spammers would
care, though; check the timestamps below:
2016-01-12 16:50:29 H=121-73-98-209.cable.telstraclear.net (ylmf-pc) [121.73.98.209] rejected EHLO or HELO ylmf-pc: SPAM remote host has blacklisted HELO.
2016-01-12 16:50:30 H=121-73-98-209.cable.telstraclear.net (ylmf-pc) [121.73.98.209] rejected EHLO or HELO ylmf-pc: SPAM remote host has blacklisted HELO.
2016-01-12 16:50:31 H=121-73-98-209.cable.telstraclear.net (ylmf-pc) [121.73.98.209] rejected EHLO or HELO ylmf-pc: SPAM remote host has blacklisted HELO.
2016-01-12 16:50:32 H=121-73-98-209.cable.telstraclear.net (ylmf-pc) [121.73.98.209] rejected EHLO or HELO ylmf-pc: SPAM remote host has blacklisted HELO.
2016-01-12 16:50:33 H=121-73-98-209.cable.telstraclear.net (ylmf-pc) [121.73.98.209] rejected EHLO or HELO ylmf-pc: SPAM remote host has blacklisted HELO.
2016-01-12 16:50:34 H=121-73-98-209.cable.telstraclear.net (ylmf-pc) [121.73.98.209] rejected EHLO or HELO ylmf-pc: SPAM remote host has blacklisted HELO.
2016-01-12 16:50:35 H=121-73-98-209.cable.telstraclear.net (ylmf-pc) [121.73.98.209] rejected EHLO or HELO ylmf-pc: SPAM remote host has blacklisted HELO.
I guess it's time to feed these IPs to fail2ban.
Marius
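The "feed these IPs to fail2ban" step, as an added example that is not part of the thread above and not Exim's or fail2ban's own code: a small Python script that parses Exim main-log "rejected EHLO or HELO" lines of the form shown in the thread and applies a fail2ban-style sliding window (the maxretry/findtime values are assumptions, chosen to mirror fail2ban's option names). The seven log lines are the ones from the thread; the 192.0.2.10 line (no reverse DNS, so the H= field carries only the HELO name) and the "Start queue run" line are constructed to exercise the parser's optional fields and its rejection of unrelated lines. The regex assumes Exim's default host-identification format H=rdns (helo) [ip] and nothing else about the site's configuration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Exim main-log line for an ACL-rejected HELO/EHLO. Assumption: default log format,
# where the H= field is "H=rdns (helo) [ip]" with rdns and (helo) optional.
REJECT_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"H=(?:(?P<rdns>[^\s(\[]\S*) )?"        # reverse DNS name, absent if no PTR
    r"(?:\((?P<helo>[^)]*)\) )?"            # HELO name the client gave, in parentheses
    r"\[(?P<ip>[^\]]+)\] "                  # client IP in square brackets
    r"rejected EHLO or HELO (?P<helo_arg>\S+): (?P<msg>.*)$"
)

# Sample log: the seven lines from the thread plus two constructed lines.
SAMPLE_LOG = [
    "2016-01-12 16:50:29 H=121-73-98-209.cable.telstraclear.net (ylmf-pc) [121.73.98.209] rejected EHLO or HELO ylmf-pc: SPAM remote host has blacklisted HELO.",
    "2016-01-12 16:50:30 H=121-73-98-209.cable.telstraclear.net (ylmf-pc) [121.73.98.209] rejected EHLO or HELO ylmf-pc: SPAM remote host has blacklisted HELO.",
    "2016-01-12 16:50:31 H=121-73-98-209.cable.telstraclear.net (ylmf-pc) [121.73.98.209] rejected EHLO or HELO ylmf-pc: SPAM remote host has blacklisted HELO.",
    "2016-01-12 16:50:32 H=121-73-98-209.cable.telstraclear.net (ylmf-pc) [121.73.98.209] rejected EHLO or HELO ylmf-pc: SPAM remote host has blacklisted HELO.",
    "2016-01-12 16:50:33 H=121-73-98-209.cable.telstraclear.net (ylmf-pc) [121.73.98.209] rejected EHLO or HELO ylmf-pc: SPAM remote host has blacklisted HELO.",
    "2016-01-12 16:50:34 H=121-73-98-209.cable.telstraclear.net (ylmf-pc) [121.73.98.209] rejected EHLO or HELO ylmf-pc: SPAM remote host has blacklisted HELO.",
    "2016-01-12 16:50:35 H=121-73-98-209.cable.telstraclear.net (ylmf-pc) [121.73.98.209] rejected EHLO or HELO ylmf-pc: SPAM remote host has blacklisted HELO.",
    # Constructed: a single reject from a host with no reverse DNS (stays below the threshold).
    "2016-01-12 16:51:02 H=(ylmf-pc) [192.0.2.10] rejected EHLO or HELO ylmf-pc: SPAM remote host has blacklisted HELO.",
    # Constructed: an unrelated Exim log line the parser must ignore.
    "2016-01-12 16:52:00 Start queue run: pid=12345",
]


def parse_reject(line):
    """Return a dict (ts, rdns, helo, ip, helo_arg, msg) for a HELO-reject line, else None."""
    m = REJECT_RE.match(line)
    if m is None:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%d %H:%M:%S")
    return ev


def repeat_offenders(lines, maxretry=5, findtime=timedelta(minutes=10)):
    """fail2ban-style sliding window: an IP is 'banned' the moment it has at least
    `maxretry` rejects within any `findtime` span. Returns {ip: time of the ban}.
    Rejects after the ban are ignored, as the jail would already have firewalled the host."""
    recent = defaultdict(deque)   # ip -> timestamps of rejects inside the window
    banned = {}
    for line in lines:
        ev = parse_reject(line)
        if ev is None:
            continue
        ip = ev["ip"]
        if ip in banned:
            continue
        window = recent[ip]
        window.append(ev["ts"])
        # Drop timestamps that have aged out of the window.
        while window and ev["ts"] - window[0] > findtime:
            window.popleft()
        if len(window) >= maxretry:
            banned[ip] = ev["ts"]
    return banned


if __name__ == "__main__":
    for ip, when in repeat_offenders(SAMPLE_LOG).items():
        print(f"ban {ip} at {when:%Y-%m-%d %H:%M:%S}")
```

With the thread's timestamps, 121.73.98.209 crosses a threshold of five within seconds (on the 16:50:33 line), which is the practical point of the thread: neither a 5xx on HELO nor a dropped connection slows a bot that simply reconnects, so the block has to move to the firewall layer, which is what a fail2ban jail driven by a filter matching these lines does.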