On 19/04/2006 9:29 p.m., Tomi Hakala wrote:
Simon Waters wrote:
Would love to see some serious analysis of "HELO" based blocking. Whilst I tend to think it is a bad idea, if there are criteria I can exploit in identifying things that aren't genuine mail servers -- it fits the strategy.
Some very broken spam tool sends the IP address of the MX host it is speaking to in the HELO response; this should never happen with real mail hosts, so it is safe to block all such connections. This blocks a high amount of spam for us.
Ditto with 'localhost', '127.0.0.1' and your host's own hostname, and, apart from what you get from any of your secondary MXs if you have them, their hostname too. Although there's the rule that you should be liberal in what you accept, and I believe HELO is something that you're supposed to accept regardless of what the remote end claims, I've never found legitimate hosts using any of these arguments to HELO.
If you're slightly more brave then also add non-FQDN and anything which starts with a '-', such as '-1269643152', which I get lots of to invalid addresses. I have yet to see a false positive from setting all of these in the year or so since I implemented them, but then my system probably isn't as critical as some others... so I can afford to be more brave.
I'd say with a lot of confidence that I've had more false positives from dynamic blocklists tagging email than HELO checking (perhaps not surprising).
reuben
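The checks discussed in this thread (own IP, loopback, localhost, own and secondary MX hostnames, and the "braver" non-FQDN and leading '-' rules) as one policy function. This is an added example, not code from any of the posters; the IP address and hostnames are constructed placeholders for a site's own identities, and it goes slightly beyond the thread by also handling RFC 5321 bracketed address literals and the IPv6 loopback. The stricter rules are off by default, matching the "if you're slightly more brave" caveat.

```python
import ipaddress
import re

# Constructed placeholders for the receiving site's own identities (assumptions, not from the thread).
OWN_IPS = {"192.0.2.25"}
OWN_HOSTNAMES = {"mx1.example.net", "mx2.example.net"}  # primary plus secondary MX

# A fully qualified name: one or more labels followed by an alphabetic top-level label.
FQDN_RE = re.compile(r"^(?=.{1,253}$)([a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$")


def helo_reject_reason(helo, own_ips=OWN_IPS, own_hostnames=OWN_HOSTNAMES, strict=False):
    """Return None if the HELO/EHLO argument is acceptable, else a short reason string.

    strict=False applies only the rules the thread calls safe; strict=True adds
    the non-FQDN and leading '-' rules, which carry more false-positive risk.
    """
    arg = helo.strip().lower()
    # RFC 5321 address literals look like [192.0.2.25] or [IPv6:::1]; broken tools
    # also send bare IPs, so accept both shapes for the comparison.
    literal = arg[1:-1] if arg.startswith("[") and arg.endswith("]") else arg
    if literal.startswith("ipv6:"):
        literal = literal[5:]
    try:
        ip = ipaddress.ip_address(literal)
    except ValueError:
        ip = None
    if ip is not None:
        if ip.is_loopback:
            return "loopback address"
        if str(ip) in own_ips:
            return "claims our own IP address"
        return None  # a foreign address literal is legal and not covered by these rules
    if arg in ("localhost", "localhost.localdomain"):
        return "localhost"
    if arg in own_hostnames:
        return "claims our own hostname"
    if strict:
        if arg.startswith("-"):
            return "starts with '-'"
        if not FQDN_RE.match(arg):
            return "not a fully qualified domain name"
    return None
```

A real deployment would take the own-IP and hostname sets from the listening socket and MX records rather than constants, and log the reason string alongside the client IP so false positives can be reviewed.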