Tony Finch <dot(_at_)dotat(_dot_)at> wrote:
Some stats from the logs on one of my MX hosts:
Total rejections: 123921
Failed HELO checks: 101417
Impressive!
(One question though: how do repeat attempts for the same email
count here?)
Forward DNS correct: 2128
Total accepted: 31754
Failed HELO checks: 13349
Forward DNS correct: 3196
"HELO checks" means that the reverse DNS and forward DNS and HELO domain
must match. This was checked at SMTP time by Exim. "Forward DNS correct"
means that an A lookup on the HELO domain yields the client's IP address.
This was checked just now by a simple program based on adns. (It's useful
to be able to sustain 10000 concurrent DNS queries when doing this kind of
job.)
So, today this machine has rejected 80% of incoming messages.
Better than JLC, I must admit. :^)
Of the rejected messages, 80% have a completely bad HELO domain, and 2%
have a HELO domain that's correct only in the forward direction.
(I'm not sure why you reject that 2%.)
Of the accepted messages, 32% have a completely bad HELO domain, and 10%
have a HELO domain that's correct only in the forward direction.
I would definitely expect to continue much the same HELO checks you
now do (when CSV becomes well-deployed), and merely use CSV to bypass
the rejection for sessions both authenticated and authorized (or at least,
for _some_ of those).
--
John Leslie <john(_at_)jlc(_dot_)net>