On 12/16/19 5:41 PM, Michael Peddemors wrote:
Interesting, especially given the large 'botnet' contingent that still
uses IP address literals, e.g. the one currently going around (13k+
IPs reported overnight) that sends using [127.0.0.1] in the EHLO,
typically used during dictionary/weak password discovery.
But that's a very interesting special case. If you're operating an MTA
on a server and you know for a fact that nothing on that server sends
SMTP traffic to localhost, you can safely reject every session using
HELO or EHLO [127.0.0.1]. Anything that presents that address in
HELO/EHLO is lying about its address, and that's a perfectly valid
reason to reject that session.
But if any significant fraction of EHLO [some-ip-address] is valid mail,
use of an IP address literal in EHLO is NOT, by itself, a valid reason
to reject the mail. And if you uniformly reject traffic that starts
with EHLO [some-ip-address] you have no idea how much valid mail is
being rejected, because you never even see that mail.
Also, these things change over time. Just because there was once some
bot that was sending out IP addresses in EHLO doesn't mean it's a valid
filtering criterion today.
ietf-smtp mailing list
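The distinction drawn in the reply above, rejecting only the loopback literal while still counting every other address literal, is easy to get wrong in a filter that just pattern-matches "[". The following is an added illustration written for this page, not code from either poster or from any MTA; `HeloPolicy`, `parse_address_literal`, the 550 reply text and the sample EHLO arguments are all constructed here. It parses the EHLO argument per RFC 5321 (bare hostname, `[IPv4]`, or `[IPv6:...]`), rejects a loopback literal only when the operator has asserted that no local process speaks SMTP to the MTA, and accepts every other literal while tallying it, so the operator can actually measure what fraction of sessions would be affected before ever deciding to block them.

```python
import ipaddress
import re
from collections import Counter

# RFC 5321 section 4.1.3: an address literal is "[" IPv4-address "]"
# or "[IPv6:" IPv6-address "]". We accept a missing "IPv6:" tag as a
# lenient extension; ipaddress decides whether the inside is valid.
ADDRESS_LITERAL = re.compile(r"^\[(?:IPv6:)?([^\]]+)\]$", re.IGNORECASE)

ACCEPT = "accept"
REJECT = "reject"


def parse_address_literal(helo_arg):
    """Return an IPv4Address/IPv6Address if helo_arg is an address literal,
    else None (hostnames and malformed literals both yield None)."""
    m = ADDRESS_LITERAL.match(helo_arg.strip())
    if not m:
        return None
    try:
        return ipaddress.ip_address(m.group(1))
    except ValueError:
        return None


class HeloPolicy:
    """Hypothetical HELO/EHLO policy for a single MTA.

    local_smtp_clients_exist: set True only if some process on this host
    legitimately connects to the MTA over loopback. When False, a session
    announcing itself as the loopback address is lying and is rejected.
    Every other address literal is accepted but counted, so the operator
    can see how much traffic a broader literal-based rule would touch.
    """

    def __init__(self, local_smtp_clients_exist=False):
        self.local_smtp_clients_exist = local_smtp_clients_exist
        self.stats = Counter()

    def evaluate(self, helo_arg):
        """Return (decision, detail) for one HELO/EHLO argument."""
        self.stats["sessions"] += 1
        literal = parse_address_literal(helo_arg)
        if literal is None:
            self.stats["hostname"] += 1
            return ACCEPT, "hostname"
        self.stats["literal"] += 1
        if literal.is_loopback and not self.local_smtp_clients_exist:
            self.stats["rejected_loopback"] += 1
            return REJECT, "550 5.7.1 loopback address in HELO/EHLO is not valid from a remote client"
        # Non-loopback literal: accepted, but recorded so the fraction is measurable.
        return ACCEPT, "literal"

    def literal_fraction(self):
        """Fraction of sessions that used any address literal (0.0 if none seen)."""
        total = self.stats["sessions"]
        return self.stats["literal"] / total if total else 0.0


def run_sample(local_smtp_clients_exist=False):
    """Feed a constructed mix of EHLO arguments through the policy and
    return (policy, decisions) for inspection."""
    # Constructed sample, not real log data.
    sample = [
        "mail.example.com",
        "[127.0.0.1]",
        "[192.0.2.10]",
        "[IPv6:::1]",
        "[IPv6:2001:db8::25]",
        "[not-an-address]",  # malformed literal: treated as an ordinary hostname
        "[127.0.0.1]",
    ]
    policy = HeloPolicy(local_smtp_clients_exist)
    decisions = [policy.evaluate(arg)[0] for arg in sample]
    return policy, decisions


if __name__ == "__main__":
    policy, decisions = run_sample()
    for arg_decision in zip(["hostname", "loopback", "v4 literal", "v6 loopback",
                             "v6 literal", "malformed", "loopback"], decisions):
        print("%-12s -> %s" % arg_decision)
    print("literal fraction: %.2f" % policy.literal_fraction())
```

The point of `literal_fraction` is the measurement the reply calls for: because non-loopback literals are accepted rather than refused at the banner, the counter reflects real traffic, and the operator can revisit the numbers later as the bot population changes instead of carrying a rule forward from a campaign that has ended.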