spf-discuss

Re: SPF HELO checking

2004-12-13 09:09:02
At 08:03 PM 12/12/2004 -0500, David <david(_at_)ols(_dot_)es> wrote:

we reject about one million emails per day, about 45% of the rejections
are based on helo checks and about 52% are based on a local blacklist
updated with the ip addresses of the helo rejections of the previous
day. For us helo checks are very useful, as most of them even do not
require any dns lookup. Most of them are from viruses and it's obvious
that this kind of check is by far less expensive than using antivirus
scanners. Looks like virus programmers have never read any RFC as they
try to construct valid helos using just domain names (which is not
rfc compliant) when they could just use ip literals. HELO forgery is
something that happens now and could be used to easily detect forgeries,
tomorrow viruses will likely use ip literals for the helo and there will
be no way to check it.

******************* REPLY SEPARATER *******************
Your numbers differ significantly from ours. Our situation is somewhat
different than yours in that it is significantly lower volume, and the
numbers come from honey pots that are used to dynamically update a local BL
in real time. In other words, IP addresses and HELO/EHLO names are rarely
used more than once.

For Dec. 12, 2004 on one of our honey pots:
HELO - 63%
  simple name - 1%
  IP literal  - 5%
  FQDN        - 42%
  Domain Name - 52%

EHLO - 37%
  simple name - 0%
  IP literal  - 0%
  FQDN        - 76%
  Domain Name - 23%

Our dynamic BL averages about 1200 different IP addresses over an 18 hour
period. What we are seeing is a change in how the spam engines operate, as
the number of IP literals was much higher previously.

J.A. Coutts
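As an added illustration, not code from either poster, here is a small Python classifier that sorts HELO/EHLO arguments into the four buckets used in the reply above and tallies a constructed sample of greetings without any DNS lookup. The bucket boundaries are my assumption about how the poster counted: one label is a simple name, two labels a bare domain name, three or more an FQDN, and a bracketed address an IP literal.

```python
import ipaddress
import re
from collections import Counter

# Hostname label syntax (letters, digits, hyphen; no leading/trailing hyphen).
LABEL = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")

def classify_helo(arg: str) -> str:
    """Bucket a HELO/EHLO argument: ip_literal, simple_name, domain_name,
    fqdn, or invalid. Bucket boundaries are assumptions, not an RFC rule."""
    arg = arg.strip()
    if arg.startswith("[") and arg.endswith("]"):
        inner = arg[1:-1]
        if inner.lower().startswith("ipv6:"):   # RFC 2821 IPv6 literal form
            inner = inner[5:]
        try:
            ipaddress.ip_address(inner)
            return "ip_literal"
        except ValueError:
            return "invalid"
    labels = arg.rstrip(".").split(".")
    if not all(LABEL.match(label) for label in labels):
        return "invalid"
    # A bare dotted quad without brackets is neither a hostname nor a literal.
    if len(labels) == 4 and all(label.isdigit() for label in labels):
        return "invalid"
    if len(labels) == 1:
        return "simple_name"
    if len(labels) == 2:
        return "domain_name"
    return "fqdn"

def tally(greetings):
    """Count buckets per verb, mirroring the HELO/EHLO breakdown in the post."""
    per_verb = {}
    for verb, arg in greetings:
        per_verb.setdefault(verb.upper(), Counter())[classify_helo(arg)] += 1
    return per_verb

# Constructed sample greetings (not real traffic from either poster).
SAMPLE = [
    ("HELO", "PC-1"), ("HELO", "[192.0.2.10]"), ("HELO", "mail.example.com"),
    ("HELO", "example.com"), ("HELO", "192.0.2.10"),
    ("EHLO", "mx1.example.net"), ("EHLO", "example.org"),
]

if __name__ == "__main__":
    for verb, counts in tally(SAMPLE).items():
        print(verb, dict(counts))
```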

