Kjetil Torgrim Homme wrote:
> On Thu, 2006-01-19 at 08:04 +0800, Bill Hacker wrote:
>> Andrew - Supernews wrote:
>>> It is a _NORMAL_ case for the HELO domain to be different to the domain
>> "Not uncommon", yes, Dunno if 'Normal' fits so well w/r MTA's.
> very few properly set up servers will have the domain name as their
> hostname.
There is often a prefix (or several) but it is there... we haven't seen
a lot of raw IP's lately.
> can you imagine yahoo.com being an actual host handling
> e-mail? that would have to be a serious piece of hardware :-)
Dispersed clusters, actually. As most large ISP's are.
Yahoo passes the test:
2005-12-03 01:34:47 1EiMHV-0007FN-F8 <= [EMAIL PROTECTED] H=web15008.mail.cnb.yahoo.com [202.165.103.65]:22861 I=[203.194.153.81]:25 P=smtp S=19983 [EMAIL PROTECTED]
So does aol:
2006-01-15 20:22:02 1EyENs-000KND-IC <= [EMAIL PROTECTED] H=imo-m20.mx.aol.com [64.12.137.1]:38788 I=[203.194.153.81]:25 P=esmtp S=3183 [EMAIL PROTECTED]
And gmail:
2006-01-17 08:57:23 1EymeQ-0001ag-LQ <= [EMAIL PROTECTED] H=uproxy.gmail.com [66.249.92.193]:39470 I=[203.194.153.81]:25 P=esmtp S=6286 [EMAIL PROTECTED]
And hotmail:
2006-01-18 13:54:52 1EzDlk-0008dL-Is <= [EMAIL PROTECTED] H=bay111-f29.bay111.hotmail.com (hotmail.com) [64.4.17.39]:65444 I=[203.194.153.81]:25 P=esmtp S=574274 [EMAIL PROTECTED]
Note <domain>.<tld> in the helo, the sender's address, and even the
messageID in most.
I don't care about the prefixes, or *which* of their many MTAs is active,
so long as it is (one of) theirs.
Rejectlog also shows hundreds of forged attempts masquerading as yahoo,
msn, aol, etc. that were rejected as NOT theirs for each bona-fide message.
FWIW MSN/hotmail (mixed), ATTGlobal/prsrv/netvigator (mixed), and the
exim mailing list server at Cambridge (other priorities?) all
consistently fail this small test, but seldom set a foot wrong
otherwise, hence go on to completion.
Most of the truants abandoned the connection in the first 30-45 seconds
of their *first* jail term, 'didn't last a minute' IOW.
Well-behaved MTAs are more patient than the average spam engine.
> we only advertise pipelining to hosts where HELO matches the reverse
> DNS:
> pipelining_advertise_hosts = ${if eq {$sender_host_name}{$sender_helo_name}\
> {*}{}}
We don't necessarily advertise pipelining *at all*.
Nor would we miss it any more than the 'big guns' above, who, save for
one errant box, one instance, 'downshift' when it is not available.
Their frantic imposters usually fail that test also.
> (I'm afraid there's a one in three chance this will happen to your
> server, since Exim will just pick the first PTR returned.)
True, (not that it would be noticed) but this isn't about matching helo
to the PTR.
It's about matching the 'helo' to the domain in the sender's address.
> we also incur a small delay (10s) for "suspicious" behaviour, and this
> does indeed cause many callers to be booted due to non-conforming SMTP
> implementations. if they do behave, we don't penalise them further with
> SA score or such.
Try the number of 'rudeness' points times (n)1 seconds at stage one,
(n)(n) seconds at stage (n)..... ;-)
*NO* incoming avoids SA & ClamAV here, but not all get that far.
> of course we don't try to infer any connection between HELO and MAIL
> FROM.
Different strokes.....
Bill
--
## List details at http://www.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://www.exim.org/eximwiki/
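As an added worked example (not code from the thread or from Exim), here are the two checks discussed above applied to Exim mainlog "<=" lines of the kind Bill quotes: Bill's HELO-vs-sender-domain test and Kjetil's HELO-vs-reverse-DNS condition. The sample log lines and addresses are constructed, and the "last two labels" rule for <domain>.<tld> is an assumption that ignores multi-label public suffixes.

```python
import re
# Exim writes "H=rdns (helo) [ip]": "(helo)" appears only when the HELO differs
# from the verified reverse-DNS name, and rdns is absent when there is no PTR.
ARRIVAL_RE = re.compile(r"^\S+ \S+ \S+ <= (?P<sender>\S+) H=(?:(?P<rdns>[^\s\[(]+) )?"
                        r"(?:\((?P<helo>[^)]*)\) )?\[(?P<ip>[^\]]+)\]")

def parse_arrival(line):
    """(sender, helo, rdns, ip) from a mainlog '<=' line, or None."""
    m = ARRIVAL_RE.match(line)
    if not m:
        return None
    rdns = m.group("rdns") or ""
    helo = m.group("helo") if m.group("helo") is not None else rdns
    return m.group("sender"), helo, rdns, m.group("ip")

def base_domain(name):
    # <domain>.<tld> as the thread uses it: last two labels (no suffix list).
    return ".".join(name.lower().rstrip(".").split(".")[-2:])

def helo_matches_sender(helo, sender):
    """Bill's test: same <domain>.<tld> in HELO and sender; None for null sender."""
    addr = sender.strip("<>")
    if "@" not in addr:
        return None
    return base_domain(helo) == base_domain(addr.rpartition("@")[2])

def helo_matches_rdns(helo, rdns):
    """Kjetil's pipelining_advertise_hosts condition: HELO equals reverse DNS."""
    return bool(rdns) and helo.lower().rstrip(".") == rdns.lower().rstrip(".")

def check_line(line):
    """(sender test, reverse-DNS test) for one line; None if not an arrival."""
    rec = parse_arrival(line)
    if rec is None:
        return None
    sender, helo, rdns, _ip = rec
    return helo_matches_sender(helo, sender), helo_matches_rdns(helo, rdns)

# Constructed samples modelled on the thread's lines (addresses made up). Note
# forged_rdns scores like hotmail: neither test alone catches a plausible HELO.
SAMPLES = {
    "yahoo": "2005-12-03 01:34:47 1EiMHV-0007FN-F8 <= someone@yahoo.com "
             "H=web15008.mail.cnb.yahoo.com [202.165.103.65]:22861 P=smtp",
    "hotmail": "2006-01-18 13:54:52 1EzDlk-0008dL-Is <= someone@hotmail.com "
               "H=bay111-f29.bay111.hotmail.com (hotmail.com) [64.4.17.39]:65444",
    "forged_helo": "2006-01-18 14:00:01 1EzDrv-0008dN-Kx <= someone@yahoo.com "
                   "H=(smtp.example.net) [192.0.2.10]:4242 P=esmtp",
    "forged_rdns": "2006-01-18 14:00:02 1EzDrw-0008dO-Ly <= someone@yahoo.com "
                   "H=host-10.example.net (yahoo.com) [192.0.2.10]:4243 P=esmtp",
}
```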