"Robert Bonomi" <bonomi@host122.r-bonomi.com> wrote in message
news:13tg4kq4kaic6d0@corp.supernews.com...
> In article <3760ae82-7ee8-42d4-ba59-9a5f2fa53d85@m44g2000hsc.googlegroups.com>,
> forrie@gmail.com <forrie@gmail.com> wrote:
> >Some BOTNETs connect with seemingly randomized HELO addresses. I
> >wonder if there's a means by which to deal with this (perhaps via a
> >Milter).
>
> milters can do _anything_. <grin>
>
> The only question is how much time you want to spend developing it.
>
> Machines _should_ HELO with a FQDN for that machine, and it "should" match
> the rDNS for the connecting address.
However, note that a multi-homed mail server is still supposed to use its
preferred name on the HELO (EHLO) command and that name may differ from the
name assigned to the interface it is using. The RFCs forbid checking the
HELO name and rejecting it based on any reason other than a syntax error.
I personally believe that there is one case that the RFCs don't address
where it is acceptable to reject: If the HELO name is (one of) your own
server's names and it is not from your own server, then one may reject that
as a forgery.
> Insisting on an rDNS match will drop significant amounts of 'legitimate'
> mail.
See above for why.
> Doing some basic 'sanity checks' on the HELO string -- e.g. rejecting any
> outside machine that HELOs as _your_ network, disallowing anything that
> starts with an '-', is all-numeric, looks like a dotted quad {with or without
> surrounding brackets}, an unqualified 'localhost' or 'localhost@localdomain',
> requiring at least 1 dot in the string, and that there be a valid TLD _after_
> the last dot -- =will= trap a lot of bad stuff, with only a _very_rare_ impact
> on legitimate mail.
Why should a "dotted-quad inside brackets" be rejected? That's what the
RFCs say is supposed to be issued if no hostname is assigned. A dotted-quad
not enclosed by brackets is a syntax error and should be rejected.
"Localhost" by itself is also permitted, but only if it's truly one's self.
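The sanity checks proposed above, combined with the reply's corrections (bracketed address literals are legal, a bare dotted-quad is a syntax error, 'localhost' and the server's own names are only acceptable from the server itself), as an added example that is not code from either poster. The local names and addresses are constructed sample values, and "valid TLD" is approximated as an all-alphabetic last label rather than a lookup against the real TLD list.

```python
from __future__ import annotations
import ipaddress
import re

# Constructed sample values: the names and interface addresses of "our" server.
OUR_NAMES = {"mail.example.com", "mx1.example.com"}
OUR_ADDRS = {"127.0.0.1", "::1", "192.0.2.25"}

# One hostname label: alphanumerics and hyphens, no leading or trailing '-'.
_LABEL = re.compile(r"^[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?$")


def check_helo(helo: str, client_ip: str) -> tuple[bool, str]:
    """Return (accept, reason) for a HELO/EHLO argument sent from client_ip."""
    local = client_ip in OUR_ADDRS
    name = helo.strip()
    if not name:
        return False, "empty HELO"
    # Bracketed address literal, e.g. [192.0.2.1] or [IPv6:2001:db8::1]:
    # this is the form the RFCs prescribe when no hostname is assigned.
    if name.startswith("[") and name.endswith("]"):
        inner = name[1:-1]
        if inner.lower().startswith("ipv6:"):
            inner = inner[5:]
        try:
            ipaddress.ip_address(inner)
        except ValueError:
            return False, "malformed address literal"
        return True, "address literal"
    # A bare IP address without brackets is a syntax error.
    try:
        ipaddress.ip_address(name)
        return False, "bare IP address without brackets"
    except ValueError:
        pass
    lname = name.lower()
    # 'localhost' is only plausible when the connection really is from ourselves.
    if lname in ("localhost", "localhost.localdomain"):
        return (True, "localhost from self") if local else (False, "localhost from outside")
    # An outside machine claiming one of our own names is a forgery.
    if lname in OUR_NAMES and not local:
        return False, "claims one of our own names from outside"
    labels = lname.split(".")
    if len(labels) < 2:
        return False, "unqualified name (no dot)"
    if not all(_LABEL.match(label) for label in labels):
        return False, "bad label syntax (e.g. leading '-')"
    if not labels[-1].isalpha():  # assumption: alphabetic last label stands in for a real TLD check
        return False, "last label is not a plausible TLD"
    return True, "syntactically plausible FQDN"
```

In a real milter this function would run at the HELO callback and the `accept` value would decide between continuing and a 5xx reply; the reason string is there for logging.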