Hector Santos wrote:
> Paul,
>
> I'm surprised you are suggesting these spoof attempts don't exist in
> the real world because of the simplicity or dubious nature. The fact
> is, the frequency of HELO/EHLO spoofing of all sorts is very high.

I'm not convinced that, at the moment, you can call it 'spoofing'. It is currently extremely rare to block a message based on a bad EHLO parameter (because RFC 2821 and RFC 5321 prohibit that), so spammers really don't care. If lots of recipients started blocking messages based on that, it'd take all of a couple of hours for the spammers to work around it.

In our experience of supporting small businesses' mail servers it is actually very rare to check the EHLO parameter at all. We have customers who have had their server set to send 'EHLO server' for many years, and then suddenly come across a recipient which requires a syntactically correct host name (i.e. an FQDN). We have yet to come across a recipient where, if they change it so that it sends 'EHLO [<local ip address>]' or 'EHLO domain.com', it won't work, even though the first is useless and the second is strictly incorrect. AIUI, this is what is expected from RFC 5321, and it means that spammers haven't put any effort into what EHLO parameter to send, because it doesn't matter what you use if the recipient is standards compliant. If this changed (as was suggested) so that EHLO checking was almost universal, then it would break lots of legitimate senders as well as spammers, but the spammers would be able to fix it a lot more easily than legitimate senders.

>> In which case, how did the EHLO test *really* help?
>
> To stop the obvious spoofing attempts, which do occur at a very high
> frequency. I am scratching my head as to why you would be questioning
> it.

If you are doing this at the moment, you are breaking RFC 5321, which explicitly says you MUST NOT block messages if the EHLO parameter doesn't match the sender IP address.

-- 
Paul Smith
VPOP3 - POP3/SMTP/IMAP4/Webmail Email server for Windows
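An added example, not taken from either post and not VPOP3 code, of how a receiving server can look at the EHLO argument the way the thread describes without rejecting on it: it classifies the three forms discussed ('EHLO server', 'EHLO [ip]', 'EHLO domain.com'), compares them with the connecting IP through an injected resolver (a constructed lookup table here, not real DNS), and returns only an advisory score for a spam filter, in line with RFC 5321's rule that a mismatch alone must not cause a refusal. The `FAKE_DNS` table, `fake_resolve` and `classify_ehlo` are all assumptions of this example.

```python
import ipaddress
import re

# Hostname syntax: labels of letters, digits and hyphens; an FQDN needs at least one dot.
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
_FQDN_RE = re.compile(rf"^(?:{_LABEL}\.)+{_LABEL}\.?$")
_LABEL_RE = re.compile(rf"^{_LABEL}$")

# Constructed forward-DNS table standing in for a real resolver (assumption, not real data).
FAKE_DNS = {
    "mail.example.com": {"192.0.2.10"},
    "example.com": {"192.0.2.10", "192.0.2.11"},
}

def fake_resolve(name):
    return FAKE_DNS.get(name.lower().rstrip("."), set())

def classify_ehlo(param, client_ip, resolve=fake_resolve):
    """Classify an EHLO/HELO argument against the connecting client address.
    Returns the syntactic form, whether it agrees with the client IP, and an
    advisory score for a spam filter. It never returns a reject decision:
    RFC 5321 section 4.1.4 says a server MUST NOT refuse a message solely
    because the EHLO argument does not match the client.
    """
    p = param.strip()
    result = {"param": p, "form": "invalid", "matches_client": False, "score": 3}
    if p.startswith("[") and p.endswith("]"):
        # Address literal: [192.0.2.10] or [IPv6:2001:db8::1]
        inner = p[1:-1]
        if inner.lower().startswith("ipv6:"):
            inner = inner[5:]
        try:
            literal = ipaddress.ip_address(inner)
        except ValueError:
            return result  # malformed literal keeps the 'invalid' classification
        result["form"] = "address-literal"
        result["matches_client"] = literal == ipaddress.ip_address(client_ip)
        # Syntactically fine but says nothing about who the sender is; weak signal only.
        result["score"] = 0 if result["matches_client"] else 2
    elif _FQDN_RE.match(p):
        result["form"] = "fqdn"
        result["matches_client"] = client_ip in resolve(p)
        result["score"] = 0 if result["matches_client"] else 1
    elif _LABEL_RE.match(p):
        # Bare label such as 'server': typical of misconfigured but legitimate senders.
        result["form"] = "bare-label"
        result["score"] = 1
    return result
```

The score is meant to be combined with other evidence (content, DNSBL, SPF) by a filter; on its own it only records how far the argument is from a correct, matching FQDN.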
