Petar Bogdanovic wrote:
> On Tue, Apr 19, 2016 at 11:19:57AM +0200, Renaud Allard via mailop wrote:
>> On 04/19/2016 09:15 AM, Michelle Sullivan wrote:
>>> As well... ;-) (and for those that don't get it... the host issued 'HELO
>>> [65.55.234.213]' or 'EHLO [65.55.234.213]' .. perfectly legal but
>>> something malware and bots do as well..)
>> While HELOing like this might be perfectly "legal", this is
>> something which is probably going to be blocked as well by many/most
>> servers.
> I gave up on valid/consistent HELOs a long time ago.
>
> Minor indication of spaminess?  Yes.  Reason for rejection?  Nope. :)

Depends... I have a rather large database of spam and here's what I can tell you from that database and my experience over the years:

- Unqualified IP in HELO (i.e. missing the []) - no false positives.. all 100% spam or viruses.
- Qualified IP in HELO: minor indicator of spaminess if 'ESMTP' exists in the server's banner (as likely the host just doesn't support outgoing ESMTP or is sitting behind a PIX-like device still!)
- Qualified IP in EHLO: reasonable indicator of spaminess if 'ESMTP' does not exist in the server's banner. (yes this still works, anyone trying to ESMTP to a host that doesn't support it is a reasonable bot/mass mailer indicator...)
- 'localhost' in HELO/EHLO and not from yourself is a high indicator of spaminess (few FPs, and usually "don't care" about who they are.)

Any other problems like HELO/EHLO not being FQDN, not matching the host, not existing etc... I'll usually 4xx or ignore (e.g. ignore for not matching, 421 for not existing... etc.)

Regards,

--
Michelle Sullivan
http://www.mhix.org/
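
The heuristics listed in the message above, written out as an added example (not code from the poster or from any mail filter). The function name, the labels and the sample inputs are assumptions made for illustration, and the checks that need DNS (HELO name not matching the host, or not existing) are left out so the block runs offline.

```python
import ipaddress
import re

def _is_ip(text):
    """True if text parses as an IPv4 or IPv6 address."""
    try:
        ipaddress.ip_address(text)
        return True
    except ValueError:
        return False

def classify_helo(verb, arg, banner_has_esmtp, client_is_local=False):
    """Label one HELO/EHLO line. banner_has_esmtp: our own greeting banner
    contains 'ESMTP'. Labels paraphrase the post; they are not real scores."""
    verb, arg = verb.upper(), arg.strip()
    # Bare IP without brackets: the post reports no false positives.
    if _is_ip(arg):
        return "spam"
    # Bracketed address literal, e.g. [192.0.2.1] or [IPv6:2001:db8::1].
    m = re.fullmatch(r"\[(?:IPv6:)?([0-9A-Fa-f:.]+)\]", arg)
    if m and _is_ip(m.group(1)):
        if verb == "HELO" and banner_has_esmtp:
            return "minor"       # client ignored the ESMTP we offered
        if verb == "EHLO" and not banner_has_esmtp:
            return "reasonable"  # client tried ESMTP we never offered
        return "none"            # the post gives no rule for these cases
    if arg.lower().rstrip(".") == "localhost":
        return "none" if client_is_local else "high"
    # Not an FQDN: the post answers these with a 4xx or ignores them.
    if "." not in arg.rstrip("."):
        return "tempfail-or-ignore"
    return "none"

# Constructed sample inputs: (verb, argument, our banner advertises ESMTP).
SAMPLES = [
    ("HELO", "65.55.234.213", True),
    ("HELO", "[65.55.234.213]", True),
    ("EHLO", "[65.55.234.213]", False),
    ("EHLO", "localhost", True),
    ("EHLO", "WIN-EXAMPLE", True),
    ("EHLO", "mail.example.org", True),
]

if __name__ == "__main__":
    for verb, arg, esmtp in SAMPLES:
        print(verb, arg, esmtp, "->", classify_helo(verb, arg, esmtp))
```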

