Alessandro Vesely wrote:
>
> Paul Smith wrote:
>> A bot could use:
>> EHLO fhbdfhbeng.spammer.com
>>
>> where fhbdfhbeng.spammer.com resolves to the IP address of the bot. The
>> spammer can trivially set up a virtual DNS zone with all valid IP
>> addresses in it, and the bot just chooses the appropriate one.
>
> Uh, I may be dumb but I finally got it...
>
> I guess that by "virtual DNS zone" you mean something where "fhbdfhbe"
> is the hex IP address of the bot (possibly obtained via traceroute
> from behind a NAT) and "ng" the bot version or whatever additional
> info is necessary for virtualizing the zone.

Well, "fhbdfhbeng" was actually an impression of my cat walking on the keyboard (rather than with any deeper significance), but apart from that, yes. The actual IP -> host name encoding could be anything (making it harder to spot this trick automatically).

>> Exactly, so how does having a 'correct' EHLO parameter help?
>>
>> I can see that having an incorrect one can be used to block mail, IF
>> (and this is a big 'if') you can be sure that legitimate senders set up
>> things correctly. However, if this becomes a standard check, then it is
>> trivial for a spammer to get around it. And, all that has achieved is
>> another useless check, which makes life harder for the good guys.
>
> Hm... it is useless to install an armored door in a shutterless house,
> and it is also useless to install security shutters since the door
> cannot be locked. Does that analogy fit the status quo?

Sort of, but any EHLO validation is really more like a door with 32 locks, all of whose keys are hanging from a string by the door. It's a pain for the legitimate person to get in, and a determined burglar could get in without that much difficulty as well.

Having a normal door, and having basic locks on the windows would be a better start than having a complex armoured door and leaving the windows open.

>
> IMHO, if we start designing an armored door, perhaps by the time it
> will be installed those shutters will be underway. I still like VHLO.
>

Not sure what VHLO is, I tried googling for it, and came up with 'Video Heat Online', which might well be very likeable, but I'm not sure it's what you meant...

Assuming it's some form of a (decently) 'verifiable helo' then, yes, that would be better, but you have the backwards compatibility issue, where bad people just won't use it and will pretend they're using an SMTP sender from the 1980's.

I actually don't have an issue with breaking backwards compatibility, as long as we get something worthwhile from it. I just don't think checking EHLO parameters is a good enough reason.

(I actually think IPv6 mail would be a natural point to break backwards compatibility and solve a lot of the problems with SMTP, but we've had that argument on this list before and got nowhere..)

-- 
Paul Smith
VPOP3 - POP3/SMTP/IMAP4/Webmail Email server for Windows
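
Added example, not part of the original message: a Python sketch of the EHLO forward-confirmation check discussed in this thread, run over constructed sessions, to show what a receiver's filter actually learns from a "pass". The resolver, the zone names, the 8-hex-digit label encoding and all addresses are assumptions chosen for illustration (documentation ranges and example domains only).

```python
import ipaddress

# Constructed DNS data standing in for real lookups.
STATIC_RECORDS = {
    "mail.example.org": {"192.0.2.10"},       # sender with correct forward DNS
    "mx-out.example.net": {"198.51.100.7"},   # name exists, but points elsewhere
}

def resolve(name):
    """Hypothetical resolver: static records plus one zone that has a
    name for every IPv4 address (the 'virtual DNS zone' from the thread)."""
    name = name.lower().rstrip(".")
    if name in STATIC_RECORDS:
        return STATIC_RECORDS[name]
    label, _, parent = name.partition(".")
    # Assumed encoding: the label is the address as 8 hex digits.
    if parent == "bulk.example" and len(label) == 8:
        try:
            return {str(ipaddress.IPv4Address(int(label, 16)))}
        except ValueError:
            return set()
    return set()

def ehlo_forward_confirmed(ehlo_name, peer_ip, resolver=resolve):
    """The check under discussion: does the EHLO name resolve to the peer?"""
    return peer_ip in resolver(ehlo_name)

def classify(sessions):
    """Return (ehlo_name, peer_ip, passed) for each constructed session."""
    return [(n, ip, ehlo_forward_confirmed(n, ip)) for n, ip in sessions]

# Constructed sessions: (EHLO argument, connecting address).
SESSIONS = [
    ("mail.example.org", "192.0.2.10"),         # configured correctly
    ("mx-out.example.net", "203.0.113.99"),     # legitimate but misconfigured
    ("cb007142.bulk.example", "203.0.113.66"),  # name from the per-address zone
]

if __name__ == "__main__":
    for name, ip, passed in classify(SESSIONS):
        print(f"{ip:15} EHLO {name:24} -> {'pass' if passed else 'fail'}")
```

On this data the only session that fails is the misconfigured legitimate sender, so a filter can use a pass to say the name and address agree, but not to say anything about who controls the name.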
