Brad Knowles <brad(_dot_)knowles(_at_)skynet(_dot_)be> wrote:
>> the HELO line
>> claiming to be play.gamerz.net (my MTA) must be the specified
>> IP (or one of the specified IPs).
> Trivially easy to by-pass. Just claim to be 127.0.0.1, or
> 10.0.0.1, or some other IP address. Or maybe your "real" external IP
> address (assuming you have some reliable way of determining that,
> even though you might be behind a NAT or whatever).
The IP in EHLO not matching the source IP of the SMTP session is a
strong indication of spam. The IP in EHLO being the IP of the
recipient MTA is an even stronger indication of spam.
And the use of an IP in EHLO is correlated with spam, at least in
my experience, and for the people I've talked to.
> There's a reason why the RFC says that you don't validate the
> hostname claimed in HELO/EHLO. It takes too much time, and is too
> easy to by-pass.
Not quite. RFC 2821, Section 4.1.4, paragraph 6 discusses the
correlation of host name in EHLO to IP, and says that a lack of
correlation doesn't mean anything.
For the purposes of RMX-style solutions, that correlation is never
checked, and is therefore never used to make a decision about the SMTP
transaction. That section of RFC 2821 is therefore not violated by
RMX-style solutions.
Alan DeKok.
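The heuristic Alan describes above (an address literal in EHLO that does not match the session's source IP is a strong spam signal, and one that names the receiving MTA's own IP is stronger still) as an added scoring example; this is not code from the thread or from any MTA, and the labels, weights and sample sessions are constructed for illustration:

```python
import ipaddress

def parse_ehlo_literal(arg):
    """Return the address in an EHLO/HELO argument when it is an address
    literal ([192.0.2.1], [IPv6:2001:db8::1], or a non-conforming bare IP),
    or None when the argument is a hostname or unparseable."""
    s = arg.strip()
    if s.startswith("[") and s.endswith("]"):
        s = s[1:-1]
        if s.lower().startswith("ipv6:"):
            s = s[5:]
    try:
        return ipaddress.ip_address(s)
    except ValueError:
        return None

def classify_ehlo(ehlo_arg, peer_ip, server_ips):
    """Classify one EHLO argument against the connecting peer's IP and the
    receiving MTA's own addresses. Returns (label, weight); weights are an
    assumed scale, not a standard. Hostnames are never checked here, in
    keeping with RFC 2821 4.1.4 (no rejection on hostname mismatch)."""
    literal = parse_ehlo_literal(ehlo_arg)
    if literal is None:
        return ("hostname", 0)
    peer = ipaddress.ip_address(peer_ip)
    ours = {ipaddress.ip_address(a) for a in server_ips}
    if literal == peer:
        # Client honestly named its own address: no signal either way.
        return ("literal_matches_peer", 0)
    if literal in ours:
        # Client claims to be the recipient MTA: the strongest indicator.
        return ("literal_is_recipient_mta", 3)
    # Any other literal (127.0.0.1, 10.0.0.1, someone else's IP): mismatch.
    return ("literal_mismatch", 2)

def score_sessions(sessions, server_ips):
    """Run the classifier over (ehlo_arg, peer_ip) pairs, e.g. from logs."""
    return [classify_ehlo(e, p, server_ips) for e, p in sessions]

if __name__ == "__main__":
    # Constructed sessions using documentation address ranges.
    mta_ips = ["198.51.100.25", "2001:db8:1::25"]
    sample = [("play.gamerz.net", "203.0.113.7"),
              ("[203.0.113.7]", "203.0.113.7"),
              ("[127.0.0.1]", "203.0.113.7"),
              ("[198.51.100.25]", "203.0.113.7")]
    for (ehlo, peer), result in zip(sample, score_sessions(sample, mta_ips)):
        print(f"{peer:>14} EHLO {ehlo:<18} -> {result}")
```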
_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg