Possible aid in filtering spam

Ulf Zimmermann ulf at Alameda.net
Mon Oct 31 13:13:26 PST 2005


On Mon, Oct 31, 2005 at 12:57:26PM -0800, David Wolfskill wrote:
> On Mon, Oct 31, 2005 at 12:22:01PM -0800, Ulf Zimmermann wrote:
> > ...
> 
> > I started rejecting HELO using my IP a long time ago. Then I actually
> > went a step further and rejected any HELO with an IP. Much spam software
> > that uses compromised hosts doesn't look up its hostname but just uses
> > the IP number.
> 
> That makes a certain amount of sense.....
> 
> > As I interpret RFC 821, HELO is to be followed by the hostname,
> > and a hostname is not an IP address.
> 
> Well, RFC 821 is venerable, but it was superseded by RFC 2821 in April
> 2001.
> 
> And on that topic, RFC 2821, in section 4.1.1.1  Extended HELLO (EHLO)
> or HELLO (HELO), has:
> 
>    These commands are used to identify the SMTP client to the SMTP
>    server.  The argument field contains the fully-qualified domain name
>    of the SMTP client if one is available.  In situations in which the
>    SMTP client system does not have a meaningful domain name (e.g., when
>    its address is dynamically allocated and no reverse mapping record is
>    available), the client SHOULD send an address literal (see section
>    4.1.3), optionally followed by information that will help to identify
>    the client system.  y The SMTP server identifies itself to the SMTP
>    client in the connection greeting reply and in the response to this
>    command.
>    ....
> 
> [The last-quoted sentence is not a transcription error on my part.]
> 
> And here's the part in section 4.1.3 Address Literals:
> 
>    Sometimes a host is not known to the domain name system and
>    communication (and, in particular, communication to report and repair
>    the error) is blocked.  To bypass this barrier a special literal form
>    of the address is allowed as an alternative to a domain name.  For
>    IPv4 addresses, this form uses four small decimal integers separated
>    by dots and enclosed by brackets such as [123.255.37.2], which
>    indicates an (IPv4) Internet Address in sequence-of-octets form.  For 
>    ....
> 
> Based on that, perhaps a plausible course of action would be (in response
> to HELO or EHLO):
> 
> * See if SMTP client is claiming the server's identity.  If so, reject.
> 
> * See if the identity claimed is an IPv4 dotted-quad.  If so:
>   * See if there's a PTR record for the IP address.  If so, reject.
>     [This is a bit enthusiastic, because we don't really know that
>     there's an A record that resolves to the IP address specified.]
> 
> A variant that is used for the (Postfix) MTA on mx1.freebsd.org is:
> * Examine the IP address that the SMTP client is using.
>   * Use gethostbyaddr() to obtain the canonical hostname for the address.
>     * Use gethostbyname() to resolve the hostname to a set of IP addresses.
>       * If the IP address that the SMTP client is currently using is not
>          among the IP addresses obtained, reject the mail (unless it's
>          for postmaster or one of the other "special" recipients).
> 
> * Examine the identity claimed in the HELO/EHLO command.
>   * If it's a hostname, use gethostbyname() to resolve it to a set of
>     IP addresses.
>     * If the IP address that the SMTP client is currently using is not
>        among the IP addresses obtained, reject the mail (unless it's
>        for postmaster or one of the other "special" recipients).
>   * If it's an IP address, use gethostbyaddr() to obtain the canonical
>     hostname for the address.
>     * Use gethostbyname() to resolve the hostname to a set of IP addresses.
>       * If the IP address that the SMTP client is currently using is not
>          among the IP addresses obtained, reject the mail (unless it's
>          for postmaster or one of the other "special" recipients).
> 
> At least that's my recollection at the moment.
> 
> > Yesterday my mail server rejected 6205
> > emails, 308 of those were based on HELO <IP>.
> 
> I'm not dealing with numbers quite that big -- ignoring the "did
> not issue MAIL/EXPN/VRFY/ETRN during connection to MTA" (which
> appears to be about 30% of the total for me), I usually have about
> 2K messages/day hit my SMTP server, and about 75% of those are
> rejected and 15% are silently discarded.  Since midnight, about 22% of
> today's rejects have been for trying to claim my SMTP server's identity
> during HELO.
> 
> [Maybe I should change the rejection message to read "I refuse to
> talk to myself." :-) ]
> 
> (I try to merely discard unwanted mail that was already accepted by a
> system that I consider "friendly" but for which I cannot cause the
> unwanted mail to be rejected when it hits that SMTP server.  Chief
> among these for me is mx1.freebsd.org.)
> 
> Peace,
> david

You just refreshed my memory; I did this based on RFC 2821, rejecting
things like:

HELO xxx.xxx.xxx.xxx (where xxx can be any IP)
HELO [yyy.yyy.yyy.yyy] (if yyy is my IP)

-- 
Regards, Ulf.

---------------------------------------------------------------------
Ulf Zimmermann, 1525 Pacific Ave., Alameda, CA-94501, #: 510-865-0204
You can find my resume at: http://seven.Alameda.net/~ulf/resume.html
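The checks discussed in this thread (rejecting a HELO that claims the server's own name or address, rejecting a bare dotted quad that is neither a hostname nor an RFC 2821 address literal, and the forward-confirmed reverse DNS walk that David describes for mx1.freebsd.org) can be written down as one decision function. The code below is an added illustration, not code from either poster or from Postfix. It assumes a receiving server named mx.example.com, replaces gethostbyaddr()/gethostbyname() with small constructed lookup tables on RFC 5737 documentation addresses so that it runs offline, and models the "unless it's for postmaster" exemption by passing the RCPT TO local part into the check, since a real MTA would defer the HELO verdict until the recipient is known.

```python
import ipaddress
from typing import List, Optional, Tuple

# Constructed DNS data standing in for gethostbyaddr()/gethostbyname() so the
# example runs offline.  All addresses are from the RFC 5737 documentation ranges.
PTR_RECORDS = {
    "192.0.2.10": "mail.example.net",          # well-configured sender: PTR and A agree
    "192.0.2.20": "host-20.dyn.example.org",   # PTR exists, but the name points elsewhere
    "198.51.100.5": "other.example.net",
}
A_RECORDS = {
    "mail.example.net": ["192.0.2.10"],
    "host-20.dyn.example.org": ["198.51.100.5"],
    "other.example.net": ["198.51.100.5"],
    "mx.example.com": ["203.0.113.1"],         # the receiving server itself (assumed name)
}

MY_HOSTNAME = "mx.example.com"
MY_ADDRESSES = frozenset(A_RECORDS[MY_HOSTNAME])
# Local parts that must stay reachable even from badly configured hosts.
SPECIAL_RECIPIENTS = frozenset({"postmaster", "abuse"})

REJECT, ACCEPT = "reject", "accept"


def gethostbyaddr(ip: str) -> Optional[str]:
    """Reverse lookup against the constructed table (real code: socket.gethostbyaddr)."""
    return PTR_RECORDS.get(ip)


def gethostbyname(name: str) -> List[str]:
    """Forward lookup against the constructed table (real code: socket.gethostbyname_ex)."""
    return A_RECORDS.get(name.lower(), [])


def as_ipv4(text: str) -> Optional[str]:
    """Return the normalised address if text is a bare dotted quad, else None."""
    try:
        return str(ipaddress.IPv4Address(text))
    except ipaddress.AddressValueError:
        return None


def address_literal(text: str) -> Optional[str]:
    """RFC 2821 section 4.1.3 literal '[a.b.c.d]' -> 'a.b.c.d'; None for anything else."""
    if text.startswith("[") and text.endswith("]"):
        return as_ipv4(text[1:-1])
    return None


def forward_confirmed(ip: str) -> List[str]:
    """gethostbyaddr() then gethostbyname(): the addresses the PTR name maps back to."""
    name = gethostbyaddr(ip)
    return gethostbyname(name) if name else []


def check_helo(helo_arg: str, client_ip: str, recipient: str = "") -> Tuple[str, str]:
    """Decide on a HELO/EHLO argument using the rules from the thread.

    The DNS-based rejections are waived for SPECIAL_RECIPIENTS, so the decision
    takes the RCPT TO local part; the identity and bare-IP rules are not waived.
    """
    exempt = recipient.lower() in SPECIAL_RECIPIENTS
    literal = address_literal(helo_arg)

    # 1. The client claims to be us, by name or by bracketed literal.
    if helo_arg.lower() == MY_HOSTNAME or literal in MY_ADDRESSES:
        return REJECT, "HELO claims the server's own identity"

    # 2. A bare dotted quad is neither a hostname nor an RFC 2821 address literal.
    if as_ipv4(helo_arg) is not None:
        return REJECT, "HELO argument is a bare IP address, not a hostname"

    if exempt:
        return ACCEPT, "DNS checks waived for special recipient"

    # 3. The connecting address must pass forward-confirmed reverse DNS.
    if client_ip not in forward_confirmed(client_ip):
        return REJECT, "client address fails forward-confirmed reverse DNS"

    # 4. The claimed identity must resolve back to the connecting address.
    if literal is not None:
        if client_ip not in forward_confirmed(literal):
            return REJECT, "address literal does not map back to the client address"
    elif client_ip not in gethostbyname(helo_arg):
        return REJECT, "HELO hostname does not resolve to the client address"

    return ACCEPT, "HELO consistent with client address"


if __name__ == "__main__":
    for helo, ip, rcpt in [("mail.example.net", "192.0.2.10", "ulf"),
                           ("192.0.2.20", "192.0.2.20", "ulf"),
                           ("[203.0.113.1]", "192.0.2.20", "ulf"),
                           ("mail.example.net", "192.0.2.20", "postmaster")]:
        print(f"HELO {helo} from {ip} to {rcpt}: {check_helo(helo, ip, rcpt)}")
```

Step 3 is the check that rejects the 192.0.2.20 host even when its HELO is syntactically fine, because its PTR name resolves to a different address; the same host is still allowed to reach postmaster, which is the point of carrying the recipient into the decision.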