Dave Doherty wrote:
Maybe it's just me but ALL the IP's that use different HELO's are
spam or zombies.
Right. You and all the other admins who don't understand the RFCs,
which is the major problem here.
IMail and some other RFC-compliant servers greet the receiving server
with a HELO or EHLO string that describes the sending domain, not the
FQDN of the server.
I host about 500 domains on my IMail server. Theoretically, you could
log 500 HELO/EHLO domains on the IP of the server.
So help me out here.
Where did you learn that "ALL the IP's that use different HELO's are
spam or zombies"? Is this from personal experience, or from a blog or
a security consultant, or what?
My MTA reports the fully qualified domain name of the MTA machine.
That's the way I read the RFC (per 4.1.1.1)
4.1.1.1 Extended HELLO (EHLO) or HELLO (HELO)
These commands are used to identify the SMTP client to the SMTP
server. The argument field contains the fully-qualified domain name
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
of the SMTP client if one is available. In situations in which the
SMTP client system does not have a meaningful domain name (e.g., when
its address is dynamically allocated and no reverse mapping record is
available), the client SHOULD send an address literal (see section
4.1.3), optionally followed by information that will help to identify
the client system. The SMTP server identifies itself to the SMTP
client in the connection greeting reply and in the response to this
command.
Where did I learn it? I tested a policy server (I use a postfix
front-end) and 100% of these were spam and zombies. I tagged them and
inspected them for 1 month, not a single valid email.
john
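As an added illustration of the two readings above (not code from anyone in this thread, and not a postfix or IMail policy server): the script below classifies HELO/EHLO arguments the way RFC 2821 section 4.1.1.1 and 4.1.3 describe them (fully-qualified domain name, or an address literal such as [198.51.100.7]), then counts distinct arguments per client IP over a constructed log. The "client=... helo=..." line format, the sample addresses and the threshold are assumptions made up for the example; the point it shows is that a multi-domain host sends many distinct but well-formed FQDNs, whereas the hosts john describes send many distinct and mostly malformed ones, and only the second pattern is what a policy check should key on.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample lines in a made-up "client=<ip> helo=<arg>" format
# (an assumption for this example, not postfix's or IMail's log format).
SAMPLE_LOG = [
    "client=192.0.2.10 helo=mail.example.com",
    "client=192.0.2.10 helo=mail.example.com",
    "client=192.0.2.20 helo=example.net",       # one server hosting many domains
    "client=192.0.2.20 helo=example.org",
    "client=192.0.2.20 helo=example.com",
    "client=198.51.100.7 helo=[198.51.100.7]",  # address literal, RFC 2821 4.1.3
    "client=203.0.113.5 helo=localhost",        # varying, malformed arguments
    "client=203.0.113.5 helo=xk3j9",
    "client=203.0.113.5 helo=[10.0.0.1]",
    "client=203.0.113.5 helo=friend",
]

LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")  # one DNS label
LINE = re.compile(r"client=(\S+) helo=(\S+)")

def helo_kind(arg):
    """Classify a HELO/EHLO argument: 'fqdn', 'literal' or 'invalid'."""
    if arg.startswith("[") and arg.endswith("]"):
        inner = arg[1:-1]
        want = 4
        if inner.startswith("IPv6:"):          # "[IPv6:...]" per section 4.1.3
            want, inner = 6, inner[5:]
        try:
            return "literal" if ipaddress.ip_address(inner).version == want else "invalid"
        except ValueError:
            return "invalid"
    labels = arg.split(".")
    if len(labels) >= 2 and all(LABEL.match(label) for label in labels):
        return "fqdn"                           # at least two well-formed labels
    return "invalid"

def helos_by_client(lines):
    """Map each client IP to the set of distinct HELO arguments it sent."""
    seen = defaultdict(set)
    for line in lines:
        m = LINE.search(line)
        if m:
            seen[m.group(1)].add(m.group(2))
    return seen

def review(lines, threshold=2):
    """Return {ip: (distinct_helos, invalid_helos)} for clients worth a look.
    Many distinct but valid FQDNs is the multi-domain host from the thread;
    many distinct and invalid arguments is the pattern john saw on zombies."""
    out = {}
    for ip, helos in helos_by_client(lines).items():
        invalid = sum(1 for h in helos if helo_kind(h) == "invalid")
        if len(helos) > threshold or invalid:
            out[ip] = (len(helos), invalid)
    return out
```

Running review(SAMPLE_LOG) lists both 192.0.2.20 and 203.0.113.5, but only the second has any invalid arguments; a rule that rejected on the distinct-HELO count alone would also have blocked the 500-domain host.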
To Unsubscribe: http://www.ipswitch.com/support/mailing-lists.html
List Archive: http://www.mail-archive.com/imail_forum%40list.ipswitch.com/
Knowledge Base/FAQ: http://www.ipswitch.com/support/IMail/