spf-discuss

Re: HELO Testing

2004-03-15 18:31:11

----- Original Message ----- 
From: "Seth Goodman" <sethg(_at_)GoodmanAssociates(_dot_)com>
To: <spf-discuss(_at_)v2(_dot_)listbox(_dot_)com>
Sent: Monday, March 15, 2004 12:55 PM
Subject: RE: [spf-discuss] HELO Testing
Sorry, I got the context completely wrong.  If what is being proposed is
to just check the HELO name against the SPF record for that name, if it
exists, and fail only if there is a mismatch with the SPF record, I have
no problem with that.  It will catch some obvious forgeries, at least in
the short term.  As long as it doesn't fail for broken names like
"localhost", then I guess there is no downside to it.


Seth, in my opinion, LMAP solutions greatly benefit a system against local
domain spoofing with highly trusted results.  You simply can't trust remote
lookup results except for rejections (and here it's a problem for forwarding
situations).

But for HELO, at a minimum, your logic should only check HELO for local
domain spoofs if and only if the FROM is not already your local domain.  No
need to check for HELO if FROM and HELO are already the same domain.

The fact is, it is needed.

Just yesterday, I got the following 5 connections in less than 1 second,
each rejected within 80 milliseconds due to local domain HELO spoofing.
Notice the same Client IP address (CIP), and how the HELO uses the same
domain as the RCPT.  That tells you something about how the spammer software
is configured.

20040315 10:52:28 -------------------------------------
20040315 10:52:28 version    : 1.55 / 1.54
20040315 10:52:28 calltype   : SMTP
20040315 10:52:28 state      : rcpt
20040315 10:52:28 cip        : 208.253.168.98
20040315 10:52:28 helo       : santronics.com
20040315 10:52:28 from       : <angry_garden_salad(_at_)sbcglobal(_dot_)net>
20040315 10:52:28 rcpt       : <sales(_at_)santronics(_dot_)com>
20040315 10:52:28 sapfilter  : reject (time:31)
20040315 10:52:28 smtp code  : 550
20040315 10:52:28 reason     : Rejected by WCSAP Filter
20040315 10:52:28 wcsap finish (63 msecs)
20040315 10:52:28 -------------------------------------
20040315 10:52:28 version    : 1.55 / 1.54
20040315 10:52:28 calltype   : SMTP
20040315 10:52:28 state      : rcpt
20040315 10:52:28 cip        : 208.253.168.98
20040315 10:52:28 helo       : santronics.com
20040315 10:52:28 from       : <chadosborne(_at_)hotmail(_dot_)com>
20040315 10:52:28 rcpt       : <announcements(_at_)santronics(_dot_)com>
20040315 10:52:28 sapfilter  : reject (time:31)
20040315 10:52:28 smtp code  : 550
20040315 10:52:28 reason     : Rejected by WCSAP Filter
20040315 10:52:28 wcsap finish (62 msecs)
20040315 10:53:05 -------------------------------------
20040315 10:53:05 version    : 1.55 / 1.54
20040315 10:53:05 calltype   : SMTP
20040315 10:53:05 state      : rcpt
20040315 10:53:05 cip        : 208.253.168.98
20040315 10:53:05 helo       : santronics.com
20040315 10:53:05 from       : <ob(_at_)home(_dot_)com>
20040315 10:53:05 rcpt       : <andrea(_dot_)santos(_at_)santronics(_dot_)com>
20040315 10:53:05 sapfilter  : reject (time:31)
20040315 10:53:05 smtp code  : 550
20040315 10:53:05 reason     : Rejected by WCSAP Filter
20040315 10:53:05 wcsap finish (78 msecs)
20040315 10:53:06 -------------------------------------
20040315 10:53:06 version    : 1.55 / 1.54
20040315 10:53:06 calltype   : SMTP
20040315 10:53:06 state      : rcpt
20040315 10:53:06 cip        : 208.253.168.98
20040315 10:53:06 helo       : santronics.com
20040315 10:53:06 from       : <filmworld20002000(_at_)yahoo(_dot_)com>
20040315 10:53:06 rcpt       : <support(_at_)santronics(_dot_)com>
20040315 10:53:06 sapfilter  : reject (time:16)
20040315 10:53:06 smtp code  : 550
20040315 10:53:06 reason     : Rejected by WCSAP Filter
20040315 10:53:06 wcsap finish (63 msecs)
20040315 10:53:06 -------------------------------------
20040315 10:53:06 version    : 1.55 / 1.54
20040315 10:53:06 calltype   : SMTP
20040315 10:53:06 state      : rcpt
20040315 10:53:06 cip        : 208.253.168.98
20040315 10:53:06 helo       : winserver.com
20040315 10:53:06 from       : <john(_at_)wood628(_dot_)freeserve(_dot_)co(_dot_)uk>
20040315 10:53:06 rcpt       : <wclistserve(_at_)winserver(_dot_)com>
20040315 10:53:06 sapfilter  : reject (time:31)
20040315 10:53:06 smtp code  : 550
20040315 10:53:06 reason     : Rejected by WCSAP Filter
20040315 10:53:06 wcsap finish (62 msecs)

Note, the SPF test was not done because the first test was to check for
Local Domain HELO spoofing using simple Accept/Reject rules that were put
in place BEFORE the modified SPF logic (the current production machine does
not have the new SPF logic yet):

  Reject if santronics.com in %CDN% and %CIP% != 208.247.131.9
  Reject if winserver.com in %CDN% and %CIP% != 208.247.131.9

So this produces the above result.  The current WCSAP system does the
following tests in this specific order:

sapfilter - admin defined FILTER rules (White/Black List) checks
saprbl - RBL check (3 sites)
sapspf - SPF
sapcbv - CBV Callback verifier

However, that means that when we release the product, we have to "document" to
people to add such sapfilter reject rules to cover local domain spoofs.

Instead, with the new SPF logic, it will be a normal part of the logic, as I
believe it should have been in the first place.  So out of the box, the system
will work with no need to explain to customers "how to protect against
local domain spoofs because SPF failed to do so."  That is no longer a true
situation or possibility with the new SPF lookup provisions.

Anyway, IMO, the bottom line: you need to cover this HELO check at the
very least for local domain spoofs.  To not cover it, well, to me, is
breaking a very fundamental aspect of what LMAP is all about - protecting
your domains.

-- 
Hector Santos, Santronics Software, Inc.
http://www.santronics.com
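As an added example (not WCSAP code and not part of the thread), the Python below mirrors the two sapfilter Reject rules quoted in the message and the short-circuit Hector describes (check HELO for a local-domain spoof only when MAIL FROM is not already that same local domain), then runs the check over log records in the post's own "key : value" format. The local domains and the authorized IP 208.247.131.9 come from the rules in the post; the sample records are constructed, two of them modelled on the rejected sessions shown above and two made up to exercise the accept and skip paths.

```python
"""Local-domain HELO spoof check in the style of the sapfilter Reject rules.

Added example: this is not WCSAP code. Local domains and the authorized
sending IP 208.247.131.9 are taken from the two Reject rules quoted in the
post; the log records below are constructed, modelled on the post's format.
"""
import ipaddress

# From "Reject if santronics.com in %CDN% and %CIP% != 208.247.131.9" etc.
LOCAL_DOMAINS = {"santronics.com", "winserver.com"}
AUTHORIZED_IPS = {ipaddress.ip_address("208.247.131.9")}

# Constructed sample: two of the rejected sessions from the post (rewritten
# with plain '@'), plus two made-up sessions that exercise the other paths.
SAMPLE_LOG = """\
20040315 10:52:28 -------------------------------------
20040315 10:52:28 state      : rcpt
20040315 10:52:28 cip        : 208.253.168.98
20040315 10:52:28 helo       : santronics.com
20040315 10:52:28 from       : <angry_garden_salad@sbcglobal.net>
20040315 10:52:28 rcpt       : <sales@santronics.com>
20040315 10:53:06 -------------------------------------
20040315 10:53:06 state      : rcpt
20040315 10:53:06 cip        : 208.253.168.98
20040315 10:53:06 helo       : winserver.com
20040315 10:53:06 from       : <john@wood628.freeserve.co.uk>
20040315 10:53:06 rcpt       : <wclistserve@winserver.com>
20040315 10:53:07 -------------------------------------
20040315 10:53:07 state      : rcpt
20040315 10:53:07 cip        : 208.247.131.9
20040315 10:53:07 helo       : santronics.com
20040315 10:53:07 from       : <>
20040315 10:53:07 rcpt       : <sales@santronics.com>
20040315 10:53:08 -------------------------------------
20040315 10:53:08 state      : rcpt
20040315 10:53:08 cip        : 192.0.2.10
20040315 10:53:08 helo       : mail.example.net
20040315 10:53:08 from       : <someone@example.net>
20040315 10:53:08 rcpt       : <support@santronics.com>
"""


def parse_records(text):
    """Split a WCSAP-style log into dicts; a dashed line starts a new record."""
    records = []
    for line in text.splitlines():
        parts = line.split(None, 2)          # date, time, rest of line
        if len(parts) < 3:
            continue
        rest = parts[2]
        if rest.startswith("---"):
            records.append({})
            continue
        key, sep, value = rest.partition(":")
        if sep and records:
            records[-1][key.strip()] = value.strip()
    return records


def domain_of(addr):
    """Domain part of '<user@example.com>'; '' for the null sender '<>'."""
    return addr.strip().strip("<>").rpartition("@")[2].lower()


def check_helo(rec):
    """Return 'reject', 'accept' or 'skip' for one parsed session record.

    skip   - the HELO does not claim one of our domains, or MAIL FROM is the
             same local domain (the MAIL FROM check already covers it)
    accept - HELO claims our domain from an authorized IP
    reject - HELO claims our domain from anywhere else (local domain spoof)
    """
    helo = rec.get("helo", "").lower().rstrip(".")
    if helo not in LOCAL_DOMAINS:
        return "skip"
    if domain_of(rec.get("from", "")) == helo:
        return "skip"
    if ipaddress.ip_address(rec["cip"]) in AUTHORIZED_IPS:
        return "accept"
    return "reject"


def run_filter(text):
    """Apply check_helo to every record; returns (cip, helo, verdict) tuples."""
    return [(r["cip"], r["helo"], check_helo(r)) for r in parse_records(text)]


if __name__ == "__main__":
    for cip, helo, verdict in run_filter(SAMPLE_LOG):
        print(f"{cip:16} helo={helo:18} {verdict}")
```

This stage corresponds to the sapfilter step that runs first in the order listed above, so a local-domain spoof is rejected before any RBL, SPF or callback lookup is spent on it; the skip verdict is what lets the later MAIL FROM check own the case where HELO and MAIL FROM already name the same local domain.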
