spf-discuss

Re: Re: HELO and Unified

2004-09-15 07:56:14
On Wed, 15 Sep 2004, Paul Bissex wrote:

> On Wed, 15 Sep 2004 07:39:31 +0200, Marc Kool <m(_dot_)kool(_at_)vioro(_dot_)nl> wrote:
>> I agree that HELO checking can be very useful.
>> The problem with this and other useful proposals is the fact
>> that many of today's legitimate mail servers do not comply.
> FWIW, on my mail server I work around this by only checking HELOs that
> *look* like they're supposed to be valid. So "bogus-server.biz"
> triggers a reject but "BOBSCOMPUTER" (a HELO you might get from MS
> Outlook) does not.

I use HELO checking as part of a "three strikes and yer out" policy.
All senders must have at least one of the following:

1) valid PTR record for connect
2) valid HELO name
3) valid SPF record that passes: the default "guessed" record suffices

Believe it or not, more than half the connect attempts have no
ID whatsoever, and look like this in my log:

2004Sep15 10:49:53 [56556] connect from [209.79.227.62] at ('209.79.227.62', 63954) EXTERNAL
2004Sep15 10:49:53 [56556] hello from HOST.com
2004Sep15 10:49:54 [56556] mail from <lp(_at_)arosii(_dot_)com> ()
2004Sep15 10:49:54 [56556] REJECT: no PTR, HELO or SPF

550-5.7.1 You must have a reverse lookup or publish SPF: http://spf.pobox.com
550-5.7.1 Contact your mail administrator IMMEDIATELY!  Your mail server is
550-5.7.1 serverely misconfigured.  It has no PTR record, an invalid HELO, and
550 5.7.1 no SPF record.

I have yet to see a legitimate email that came from a dynamic IP PTR record
(like ppp8-124.dsl-mum.eth.net), so I may start to treat those like having no
PTR record.  I think I saw a pattern posted a while back that matches these.

-- 
              Stuart D. Gathman <stuart(_at_)bmsi(_dot_)com>
    Business Management Systems Inc.  Phone: 703 591-0911 Fax: 703 591-6154
"Confutatis maledictis, flamis acribus addictis" - background song for
a Microsoft sponsored "Where do you want to go from here?" commercial.
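
Added example, not part of the original message and not the poster's code: a sketch of the "at least one of PTR, HELO, SPF" policy described above, with an optional switch for treating dynamic-looking PTR names as no PTR. It assumes "valid" means the name resolves back to the connecting IP; the lookup tables, the dynamic-name pattern and all function names are constructed for illustration, and the SPF result is taken as an input rather than evaluated.

```python
import re

# Constructed stand-in for DNS so the example runs offline (not real DNS data):
# name -> A records, and IP -> PTR names.
A_RECORDS = {"mail.example.org": {"192.0.2.10"},
             "host.com": {"198.51.100.7"},
             "ppp8-124.dsl-mum.eth.net": {"192.0.2.99"}}
PTR_RECORDS = {"192.0.2.10": {"mail.example.org"},
               "192.0.2.99": {"ppp8-124.dsl-mum.eth.net"}}

# Illustrative pattern for dynamic-looking PTR names; an assumption, not the
# pattern the message refers to.
DYNAMIC_PTR = re.compile(r"(^|[.-])(ppp|dsl|dyn|dhcp|dialup|pool)\d*[.-]", re.I)

def valid_ptr(ip, reject_dynamic=False):
    """Identity 1: a PTR name exists and resolves back to the connecting IP."""
    for name in PTR_RECORDS.get(ip, ()):
        if reject_dynamic and DYNAMIC_PTR.search(name):
            continue  # optionally treat dynamic-pool names as no PTR at all
        if ip in A_RECORDS.get(name.lower(), ()):
            return True
    return False

def valid_helo(ip, helo):
    """Identity 2: the HELO name is dotted and resolves to the connecting IP."""
    return "." in helo and ip in A_RECORDS.get(helo.lower().rstrip("."), ())

def check_sender(ip, helo, spf_result, reject_dynamic=False):
    """Return (accept, identities_that_validated); reject only if none did."""
    checks = {"PTR": valid_ptr(ip, reject_dynamic),
              "HELO": valid_helo(ip, helo),
              "SPF": spf_result == "pass"}  # a best-guess pass counts too
    passed = [name for name, ok in checks.items() if ok]
    return bool(passed), passed

if __name__ == "__main__":
    # The rejected session from the log above: no PTR, HELO does not match, no SPF.
    print(check_sender("209.79.227.62", "HOST.com", "none"))
    # Dynamic PTR validates unless the stricter switch is on.
    print(check_sender("192.0.2.99", "BOBSCOMPUTER", "none"))
    print(check_sender("192.0.2.99", "BOBSCOMPUTER", "none", reject_dynamic=True))
```

A production check would also have to decide how DNS timeouts and temporary failures count, which this sketch does not model.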

