[Mimedefang] Revisit: Filtering on HELO

Philip Prindeville philipp_subx at redfish-solutions.com
Sun Mar 25 22:22:17 EST 2007


Jeff Rife wrote:
> On 25 Mar 2007 at 20:05, Philip Prindeville wrote:
>
>   
>> Ok, putting this issue to bed for good.  Quoting RFC-1123:
>>     
>
> Well, not really, but we figured out which RFC you meant.
>   

It really, really was RFC-1123.  Trust me.


>>       5.2.5  HELO Command: RFC-821 Section 3.5
>>
>>          The HELO receiver MAY verify that the HELO parameter really
>>          corresponds to the IP address of the sender.  However, the
>>          receiver MUST NOT refuse to accept a message, even if the
>>          sender's HELO command fails verification.
>>
>> Hmm.  Or not.  Ok, that was less conclusive than it should have
>> been...  Well, the operative sentence is "The HELO receiver MAY
>> verify that the HELO parameter really corresponds to the IP address
>> of the sender."
>>
>> How else to do that in the case of an address-literal than checking
>> that the EHLO argument matches the address reported by getsockname()???
>>     
>
> You can spend as many cycles as you want "verifying" this sort of 
> thing, but since you can't refuse the message based on the fact that 
> the HELO doesn't "match" the source IP ("MUST NOT refuse", in the very 
> text you quoted), it really doesn't matter, does it?
>   

RFC-1123 was published in October 1989.

That's fully 2 years before I saw my first Spam.

Since then, I think that users have more compelling reasons
to be less "liberal in what they accept", to quote Jon Postel.

You can diverge from what the RFC's mandate, but beware
if you're going off the reservation...


> And, since you can stop so much without ever violating the RFC on HELO, 
> why even bother?  Tossing out non-FQDN, IP addresses (not address-
> literals, but bare IPs), and hostnames/address literals that resolve to 
> non-routable IPs would leave you with almost nothing left that wouldn't 
> "verify".
>   

Huh?  You've just said that you can't toss out anything
that comes from the HELO command, if you're arguing for
strict compliance with RFC-1123, section 5.2.5.


> I don't even bother with the full check for resolving to non-routable 
> IPs (I don't do any DNS checks, so I only toss obvious ones) and still 
> see HELO checking stopping about half the potential spam, with 
> greylisting stopping the other half.  Only about 2-5% of what was 
> obviously spam makes it through to SpamAssassin.
>   

Again, I'm not understanding what you're saying.  The one
test that RFC-1123 sanctions is ensuring that the name
is an FQDN that's resolvable...  You're saying you don't
make this test?

-Philip





More information about the MIMEDefang mailing list