[Top] [All Lists]

Re: [ietf-smtp] SMTP server "RFC2821 Violation" for EHLO ip-literal.

2019-12-16 17:03:03
On 12/16/19 5:41 PM, Michael Peddemors wrote:

Interesting, especially given the large 'botnet' contingent that still uses IP Address literals, eg the one currently going around (13k+ IP(s) reported over night) that send using []  in the EHLO, typically used during dictionary/weak pass discovery..

But that's a very interesting special case.   If you're operating an MTA on a server and you know for a fact that nothing on that server send SMTPs traffic to localhost, you can safely reject every session using HELO or EHLO [].   Anything that presents that address in HELO/EHLO is lying about its address, and that's a perfectly valid reason to reject that session.

But if any significant fraction of EHLO [some-ip-address] is valid mail, use of an IP address literal in EHLO is NOT, by itself, a valid reason to reject the mail.   And if you uniformly reject traffic that starts with EHLO [some-ip-address] you have no idea how much valid mail is being rejected, because you never even see that mail.

Also, these things change over time.   Just because there was once some bot that was sending out IP addresses in EHLO, doesn't mean it's a valid filtering criterion today.


ietf-smtp mailing list

<Prev in Thread] Current Thread [Next in Thread>