Re: RFC 5321bis / 2821ter

2009-01-29 04:24:08

Hector Santos wrote:

> I'm surprised you are suggesting these spoof attempts don't exist in
> the real world because of the simplicity or dubious nature. The fact
> is, the frequency of HELO/EHLO spoofing of all sorts is very high.

I'm not convinced that, at the moment, you can call it 'spoofing'. It is
currently extremely rare to block a message based on a bad EHLO
parameter (because RFC 2821, 5321 prohibit that), so spammers really
don't care. If lots of recipients started blocking messages based on
that, it'd take all of a couple of hours for the spammers to work around it.

In our experience of supporting small businesses' mail servers it is
actually very rare to check the EHLO parameter at all. We have customers
who have had their server set to send 'EHLO server' for many years, and
then suddenly come across a recipient which requires a syntactically
correct host name (i.e. an FQDN). We have yet to come across a recipient
where if they change it so that it sends 'EHLO [<local ip address>]' or
'EHLO' it won't work, even though the first is useless and the
second is strictly incorrect.

AIUI, this is what is expected from RFC 5321, and it means that spammers
haven't put any effort into what EHLO parameter to send, because it
doesn't matter what you use if the recipient is standards compliant.

If this changed (as was suggested) so that the EHLO checking was almost
universal, then it would break lots of legitimate senders as well as
spammers, but the spammers would be able to fix it a lot easier than
legitimate senders.

> > In which case, how did the EHLO test *really* help?

> To stop the obvious spoofing attempts, which do occur at a very high
> frequency.  I am scratching my head as to why you would be questioning

If you are doing this at the moment, you are breaking RFC 5321 which
explicitly says you MUST NOT block messages if the EHLO parameter
doesn't match the sender IP address.

Paul Smith

VPOP3 - POP3/SMTP/IMAP4/Webmail Email server for Windows
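
The distinction this message draws, between the syntactic form of an EHLO argument and whether it matches the connecting address, shown as an added example (not code from the thread or from VPOP3). The function names, class labels and sample addresses are assumptions; DNS results are supplied by the caller, and a mismatch is returned as a signal for logging or scoring, not as a rejection.

```python
import ipaddress
import re

# One DNS label: letters, digits, hyphens; no leading or trailing hyphen.
_LABEL = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")

def _literal(arg):
    """Parse '[192.0.2.1]' or '[IPv6:...]'; return an address object or None."""
    inner, want = arg[1:-1], 4
    if inner.lower().startswith("ipv6:"):
        inner, want = inner[5:], 6
    try:
        ip = ipaddress.ip_address(inner)
    except ValueError:
        return None
    return ip if ip.version == want else None

def classify_ehlo(arg):
    """Return the syntactic class of an EHLO argument (labels are hypothetical)."""
    if not arg:
        return "missing"
    if arg.startswith("[") and arg.endswith("]"):
        return "address-literal" if _literal(arg) else "malformed"
    try:
        ipaddress.ip_address(arg)
        return "bare-ip"            # an IP address without the brackets
    except ValueError:
        pass
    labels = arg.split(".")
    if not all(_LABEL.match(label) for label in labels):
        return "malformed"
    return "fqdn" if len(labels) > 1 else "single-label"   # e.g. 'EHLO server'

def ehlo_signal(arg, peer_ip, resolved_ips=()):
    """Return (class, matches_peer). matches_peer is True, False, or None
    when no comparison is possible. resolved_ips holds the addresses the
    caller looked up for the EHLO name (assumption: DNS is done elsewhere)."""
    kind = classify_ehlo(arg)
    peer = ipaddress.ip_address(peer_ip)
    if kind == "address-literal":
        return kind, _literal(arg) == peer
    if kind == "fqdn" and resolved_ips:
        return kind, peer in {ipaddress.ip_address(r) for r in resolved_ips}
    return kind, None
```
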