[Raw Msg Headers][Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: EHLO question

To: Grace He <ghe@scs.ryerson.ca>
Subject: Re: EHLO question
From: Matti Aarnio <mea@nic.funet.fi>
Date: Tue, 2 Dec 2003 00:24:28 +0200
Cc: zmailer@nic.funet.fi
In-Reply-To: <20031201192453.GA17736@scs.ryerson.ca>; from ghe@scs.ryerson.ca on Mon, Dec 01, 2003 at 02:24:54PM -0500
Original-Recipient: rfc822;zmailer-log@nic.funet.fi
References: <20031201192453.GA17736@scs.ryerson.ca>
Sender: zmailer-owner@nic.funet.fi

On Mon, Dec 01, 2003 at 02:24:54PM -0500, Grace He wrote:
> I have notice a increased behavior of incoming connection to our mail
> server.  They appear to use wrong domain name / IP for the EHLO line.
> In the log I see the email server seems to know that it expected
> something different, but it allows the connection and excepts the
> email.
> 
> for example,
> 
> $ telnet smtp 25
> EHLO foobar.msn.ca
> 250-mail.scs.ryerson.ca expected "EHLO seraphina.scs.ryerson.ca"
> 
> mail then will go through.  How do you configure the mail server to
> reject connection when EHLO is wrong?

The  smtpserver  has 'h'  option that barfs for syntactically invalid
HELO parameter, but it doesn't verify semantic bugs.

That particular detail has been unchanged for quite a while.
The core part of semantic analysis is in file   smtpserver/smtpcmds.c
around lines 290-310.

There are no runtime options to go with it to turn detected
discrepancy to a rejection.    Ages ago I did consider doing
just that, but way too many PCs gave bad hostnames even back
then.  And it isn't reliable anti-spam measure, as large part
of spammers are able to report correct IP reversals.

However for a number of spammers/viruses that use IP address
(not bracketed properly as IP literal) as HELO argument, I
have used rejection patterns in   smtpserver.conf   -- the
gist there is, that the IP address they use is server's 
address...  (e.g. server's address is   1.2.3.4  and the
incoming  EHLO parameter is "1.2.3.4"; without quotes, though.)

From one work site:
  62.240.72.41     999 !Only SPAMMERS use 'HELO <peer-ip-address>'

Blocking the peers presenting discrepant HELO parameter would
cut down tons of viruses, and spams, tough..

Blocking sites without working IP reversers has part of that
ability, too..  (reminds me about the need to get reversers
working for  zmailer.org   machine.)

Any thoughs about how you would like to use the control feature ?
What kind of controls for the feature you would like to have ?
Just one hardcoded behaviour, or more fine-grained thing ?

> I am running zmailer 2.99.55 with solaris 8.
> Thanks,
> grace
> -----------------------------------------------
> Grace He - Sysadmin
> Ryerson University - School of Computer Science	
-- 
/Matti Aarnio	<mea@nic.funet.fi>
-
To unsubscribe from this list: send the line "unsubscribe zmailer" in
the body of a message to majordomo@nic.funet.fi

Follow-Ups:
- Re: EHLO question
  - From: Matti Aarnio <mea@nic.funet.fi> (Tue, 2 Dec 2003 18:08:59 +0200)

References:
- EHLO question
  - From: Grace He <ghe@scs.ryerson.ca>

Prev by Date: EHLO question
Next by Date: Re: EHLO question
Prev by thread: EHLO question
Next by thread: Re: EHLO question
Index(es):
- Date
- Thread