Re: EHLO/HELO [was blacklists]



[CC'ing Bill Taroli who has been helping me with this on courier-user]

On Friday 10 December 2004 07:08, Russell Coker wrote:
> On Friday 10 December 2004 00:39, Mark Bucciarelli
> <mark@easymailings.com>
>
> wrote:
> > I've recently turned on EHLO/HELO validation and am encouraged by how
> > effective it is.  With RBL's (spamcop and dnsbl) and SpamAssassin 3,
> > only 88% of spam was stopped.  So far, it's 100%.  (This is a _very_
> > small
>
> What exactly do you mean by EHLO/HELO validation?

The courier man page just says "verify the hostname provided in the ESMTP 
EHLO/HELO statement."

From reading the code, here's what it does:

(0) If the connecting IP address is in the checkhelo whitelist
 --> PASS

(1) If SPF HELO checking is on and lookup matches connecting IP
 --> PASS

(2) If HELO host name is a numeric IP and it matches connecting IP
 --> PASS

(3) Lookup MX records for HELO hostname.  If one matches connecting IP
 --> PASS

(4) Lookup A records for hostname.  If one matches connecting IP
 --> PASS

Otherwise, return 517 HELO $hostname does not match $remote-ip

If there is an RFC1035_MX_HARDERR or RFC1035_MX_BADDNS when looking up the 
MX record, return a 517.

If the MX or A DNS lookup fails, return a 417.

> In my postfix configuration I have:
> smtpd_helo_restrictions = permit_mynetworks, 
> reject_non_fqdn_hostname, reject_unknown_sender_domain
>
> I tried out "reject_unknown_hostname" but had to turn it off, too many
> machines had unknown hostnames.

I find it interesting that postfix defaults the response code to 450 
instead of a 5XX for this failure.  This is along the lines that I have 
been thinking.

> For example a zone foo.com has a SMTP server named postfix1 and puts
> postfix1.foo.com in the EHLO command but has an external DNS entry of
> smtp.foo.com.  Such a zone is moderately well configured and there are
> too many such zones to block them all.  The other helo restrictions get
> enough non-spam traffic.
>
> Using reject_unknown_hostname would get close to blocking 100% of spam,
> but that's because it would block huge amounts of non-spam email.

So I guess the questions are:

(1) Given a log entry (hostname and connecting IP) of an EHLO reject, can I 
reliably figure out if the host was valid?

(2) Can I do this quickly enough that my whitelist will be updated before 
their MTA stops retrying and customers start complaining?

(3) Will the whitelist stabilize enough over time to make this worth it?

(4) Would it be possible to build a secure data pool where a group of 
like-minded and trusted admins could share whitelisted connecting IP's?

Regards,

Mark
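The five-step courier check as Mark lists it above, written out in Python as an added example (my own code, not courier's; the resolver callables, zone data and error classes are constructed stand-ins, and the SPF step is an injected callable rather than a real SPF evaluation):

```python
import ipaddress

PASS, REJECT_517, TEMPFAIL_417 = "PASS", 517, 417  # outcomes named in the post

class DnsTempError(Exception): pass  # timeout/SERVFAIL: the post maps this to 417
class DnsHardError(Exception): pass  # RFC1035_MX_HARDERR / RFC1035_MX_BADDNS: 517

def check_helo(helo, remote_ip, whitelist, mx_lookup, a_lookup, spf_helo_ok=None):
    """Return PASS, 517 or 417. mx_lookup/a_lookup: name -> list of IP strings
    (stand-ins for DNS); spf_helo_ok: optional (name, ip) -> bool for the SPF step."""
    # (0) connecting IP is on the checkhelo whitelist
    if remote_ip in whitelist:
        return PASS
    # (1) SPF HELO checking is on and the record covers this IP
    if spf_helo_ok is not None and spf_helo_ok(helo, remote_ip):
        return PASS
    # (2) HELO is a literal address (optionally bracketed) equal to the peer
    try:
        if ipaddress.ip_address(helo.strip("[]")) == ipaddress.ip_address(remote_ip):
            return PASS
    except ValueError:
        pass  # not a numeric HELO; fall through to the DNS steps
    # (3) an MX record of the HELO name points at the connecting IP
    try:
        if remote_ip in mx_lookup(helo):
            return PASS
    except DnsHardError:
        return REJECT_517
    except DnsTempError:
        return TEMPFAIL_417
    # (4) an A record of the HELO name is the connecting IP
    try:
        if remote_ip in a_lookup(helo):
            return PASS
    except DnsTempError:
        return TEMPFAIL_417
    return REJECT_517

# Constructed zone data and resolver stand-ins; nothing here touches real DNS.
MX_ZONE = {"mail.example.test": ["192.0.2.10"]}
A_ZONE = {"mail.example.test": ["192.0.2.11"], "postfix1.example.test": ["198.51.100.5"]}
ERRORS = {"broken.example.test": DnsHardError, "slow.example.test": DnsTempError}

def fake_mx(name):
    if name in ERRORS:
        raise ERRORS[name](name)
    return MX_ZONE.get(name, [])

fake_a = lambda name: A_ZONE.get(name, [])
```

The last case in the stand-in data (a host whose HELO name resolves, but to a different address than the one it connects from) is exactly the "moderately well configured" zone Russell describes, and it lands on the 517 branch.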