Possible aid in filtering spam
David Wolfskill
david at catwhisker.org
Mon Oct 31 12:57:26 PST 2005
On Mon, Oct 31, 2005 at 12:22:01PM -0800, Ulf Zimmermann wrote:
> ...
> I started rejecting HELO using my IP a long time ago. Then I actually went
> a step further and rejected any HELO with an IP. Much spam software, which
> is using compromised hosts, doesn't look up its hostname but just uses
> the IP number.
That makes a certain amount of sense.....
> As I interpret RFC 821, HELO is to be followed by the hostname,
> and a hostname is not an IP address.
Well, RFC 821 is venerable, but it was superseded by RFC 2821 in April
2001.
And on that topic, RFC 2821, in section 4.1.1.1 Extended HELLO (EHLO)
or HELLO (HELO), has:
These commands are used to identify the SMTP client to the SMTP
server. The argument field contains the fully-qualified domain name
of the SMTP client if one is available. In situations in which the
SMTP client system does not have a meaningful domain name (e.g., when
its address is dynamically allocated and no reverse mapping record is
available), the client SHOULD send an address literal (see section
4.1.3), optionally followed by information that will help to identify
the client system. y The SMTP server identifies itself to the SMTP
client in the connection greeting reply and in the response to this
command.
....
[The last-quoted sentence is not a transcription error on my part.]
And here's the part in section 4.1.3 Address Literals:
Sometimes a host is not known to the domain name system and
communication (and, in particular, communication to report and repair
the error) is blocked. To bypass this barrier a special literal form
of the address is allowed as an alternative to a domain name. For
IPv4 addresses, this form uses four small decimal integers separated
by dots and enclosed by brackets such as [123.255.37.2], which
indicates an (IPv4) Internet Address in sequence-of-octets form. For
....
Based on that, perhaps a plausible course of action would be (in response
to HELO or EHLO):
* See if SMTP client is claiming the server's identity. If so, reject.
* See if the identity claimed is an IPv4 dotted-quad. If so:
  * See if there's a PTR record for the IP address. If so, reject.
    [This is a bit enthusiastic, because we don't really know that
    there's an A record that resolves to the IP address specified.]
A variant that is used for the (Postfix) MTA on mx1.freebsd.org is:
* Examine the IP address that the SMTP client is using.
* Use gethostbyaddr() to obtain the canonical hostname for the address.
* Use gethostbyname() to resolve the hostname to a set of IP addresses.
* If the IP address that the SMTP client is currently using is not
among the IP addresses obtained, reject the mail (unless it's
for postmaster or one of the other "special" recipients).
* Examine the identity claimed in the HELO/EHLO command.
  * If it's a hostname, use gethostbyname() to resolve it to a set of
    IP addresses.
    * If the IP address that the SMTP client is currently using is not
      among the IP addresses obtained, reject the mail (unless it's
      for postmaster or one of the other "special" recipients).
  * If it's an IP address, use gethostbyaddr() to obtain the canonical
    hostname for the address.
    * Use gethostbyname() to resolve the hostname to a set of IP addresses.
    * If the IP address that the SMTP client is currently using is not
      among the IP addresses obtained, reject the mail (unless it's
      for postmaster or one of the other "special" recipients).
At least that's my recollection at the moment.
> Yesterday my mail server rejected 6205
> emails, 308 of those were based on HELO <IP>.
I'm not dealing with numbers quite that big -- ignoring the "did
not issue MAIL/EXPN/VRFY/ETRN during connection to MTA" (which
appears to be about 30% of the total for me), I usually have about
2K messages/day hit my SMTP server, and about 75% of those are
rejected and 15% are silently discarded. Since midnight, about 22% of
today's rejects have been for trying to claim my SMTP server's identity
during HELO.
[Maybe I should change the rejection message to read "I refuse to
talk to myself." :-) ]
(I try to merely discard unwanted mail that was already accepted by a
system that I consider "friendly" but for which I cannot cause the
unwanted mail to be rejected when it hits that SMTP server. Chief
among these for me is mx1.freebsd.org.)
Peace,
david
--
David H. Wolfskill david at catwhisker.org
Prediction is difficult, especially if it involves the future. -- Niels Bohr
See http://www.catwhisker.org/~david/publickey.gpg for public key.
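The HELO/EHLO checks described in the message above (the mx1.freebsd.org variant, preceded by the "claims our own identity" test), worked through as an added example; this is not David's code or the Postfix configuration on mx1.freebsd.org. It assumes the server's own names and address are supplied lower-cased in `our_identities`, that `postmaster` and `abuse` are the exempt "special" local parts, and that the resolver functions are injectable, so a constructed `fake_*` DNS table stands in for `socket.gethostbyaddr` / `socket.gethostbyname_ex` and the example runs offline:

```python
import ipaddress
import socket

# Assumption: local parts that are never rejected ("special" recipients).
SPECIAL_LOCALPARTS = {"postmaster", "abuse"}
# Constructed DNS data so the example runs offline (not real hosts).
_PTR = {"192.0.2.7": "mail.example.org", "198.51.100.9": "host.example.net"}
_A = {"mail.example.org": ["192.0.2.7"], "host.example.net": ["198.51.100.10"]}
fake_reverse = lambda ip: (_PTR[ip], [], [ip])    # stands in for socket.gethostbyaddr
fake_forward = lambda name: (name, [], _A[name])  # stands in for socket.gethostbyname_ex

def as_ipv4(text):  # IPv4 string for a dotted quad or RFC 2821 literal like [192.0.2.7], else None
    s = text.strip()
    if s.startswith("[") and s.endswith("]"):
        s = s[1:-1]
    try:
        return str(ipaddress.IPv4Address(s))
    except ipaddress.AddressValueError:
        return None

def forward_addrs(name, forward):  # gethostbyname()-style; empty set if unresolvable
    try:
        return set(forward(name)[2])
    except (socket.gaierror, socket.herror, KeyError):
        return set()

def reverse_then_forward(ip, reverse, forward):  # gethostbyaddr(), then resolve that name back
    try:
        name = reverse(ip)[0]
    except (socket.gaierror, socket.herror, KeyError):
        return set()
    return forward_addrs(name, forward)

def check_helo(client_ip, helo_arg, recipient, our_identities,
               reverse=socket.gethostbyaddr, forward=socket.gethostbyname_ex):
    # Returns (accept, reason) for one HELO/EHLO, following the mx1 variant.
    claimed = as_ipv4(helo_arg) or helo_arg.strip().lower()
    if claimed in our_identities:
        return False, "client claims our own identity in HELO"
    if recipient.split("@", 1)[0].lower() in SPECIAL_LOCALPARTS:
        return True, "special recipient, checks skipped"
    if client_ip not in reverse_then_forward(client_ip, reverse, forward):
        return False, "client address is not forward-confirmed"
    if as_ipv4(helo_arg):  # address literal: PTR, then forward-resolve that name
        addrs = reverse_then_forward(claimed, reverse, forward)
    else:                  # hostname: forward-resolve it directly
        addrs = forward_addrs(claimed, forward)
    if client_ip not in addrs:
        return False, "HELO identity does not resolve to the client address"
    return True, "ok"
```

Against real DNS, call `check_helo` with the default resolvers; the recipient argument is only known at RCPT TO, so in an MTA the verdict is computed then, which is where the postmaster exemption naturally applies.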