Re: how block spammers? (slow server)

From: David Wolfskill (dhwmail-abuse.org)
Date: Tue Jun 06 2006 - 12:20:28 CDT


On Tue, Jun 06, 2006 at 02:01:36AM +0200, Erwan David wrote:
>...

>Very effective is a restriction on helo <your ip address> or helo <your
>domain>, the latter being more dangerous to filter since some clients use the
>right part of the sender address for helo.

In certain cases, I find that the following variations on that theme may
also be useful:

* Rejecting a HELO/EHLO argument that is merely an un-dotted string
  of digits -- e.g.:
  EHLO 2570388
  HELO 36427240

* Rejecting un-bracketed dotted quads as HELO/EHLO arguments -- e.g.:
  HELO 217.8.236.1
  EHLO 222.255.193.133

(RFC 2821 clearly states:

   - The domain name given in the EHLO command MUST BE either a primary
      host name (a domain name that resolves to an A RR) or, if the host
      has no name, an address literal as described in section 4.1.1.1.

And the format for an "address literal":

   .... For
   IPv4 addresses, this form uses four small decimal integers separated
   by dots and enclosed by brackets such as [123.255.37.2], which
   indicates an (IPv4) Internet Address in sequence-of-octets form.

)

Caveat Lector -- Where I have the authority to do so, I also choose
to reject HELO/EHLO where the SMTP client "claims to be my server."
I am given to understand that there are some MUAs that do this
deliberately; I decline to spend much of my resources dealing with such
obviously broken-by-design software.

Peace,
david (not writing on behalf of anyone else, including any employers)
--
David Wolfskill Trend Micro San Jose dhwmail-abuse.org
cell: (650) 400-2312 office: (408) 625-1076 or (408) 453-6277 x124

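The HELO/EHLO checks described in the message above, as an added example that is not part of the original post and not any particular mail server's own code: a Python function that classifies a greeting argument against the three rejection rules while still accepting a bracketed address literal. `MY_NAMES`, `MY_ADDRS`, `check_helo`, `check_command` and the `reject_own_name` switch are hypothetical names and constructed values.

```python
import re

# Assumed identity of the receiving server (constructed placeholder values).
MY_NAMES = {"mail.example.org", "example.org"}
MY_ADDRS = {"192.0.2.25"}

DIGITS_ONLY = re.compile(r"\d+")                      # e.g. 2570388
DOTTED_QUAD = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")  # e.g. 217.8.236.1
ADDR_LITERAL = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")  # e.g. [123.255.37.2]


def check_helo(arg, reject_own_name=True):
    """Return (accept, reason) for a HELO/EHLO argument."""
    a = arg.strip().rstrip(".").lower()
    if DIGITS_ONLY.fullmatch(a):
        return False, "undotted digit string"
    if DOTTED_QUAD.fullmatch(a):
        return False, "unbracketed dotted quad"
    literal = ADDR_LITERAL.fullmatch(a)
    if literal and literal.group(1) in MY_ADDRS:
        return False, "claims to be this server (address)"
    # Own-name rejection is optional: the quoted reply warns that some
    # clients use the right-hand side of the sender address as HELO.
    if reject_own_name and a in MY_NAMES:
        return False, "claims to be this server (name)"
    return True, "ok"


def check_command(line, reject_own_name=True):
    """Parse one SMTP greeting line and apply check_helo to its argument."""
    parts = line.strip().split(None, 1)
    if len(parts) != 2 or parts[0].upper() not in ("HELO", "EHLO"):
        return False, "not a HELO/EHLO with an argument"
    return check_helo(parts[1], reject_own_name)


if __name__ == "__main__":
    # First five arguments are quoted in the message; the rest are constructed.
    for line in ["EHLO 2570388", "HELO 36427240", "HELO 217.8.236.1",
                 "EHLO 222.255.193.133", "EHLO [123.255.37.2]",
                 "EHLO [192.0.2.25]", "HELO example.org",
                 "EHLO client.example.net"]:
        print(line, "->", check_command(line))
```
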