On Thu, 2007-11-01 at 18:25 -0400, Adam wrote:
> Chris Knadle wrote:
> >    One favorite are email connections that start off with a HELO/EHLO
> > greeting that isn't a FQDN as is required by RFC 2821.  When I started
> > rejecting these it cut out 33% of junk email, without having to do any
> > expensive computation.
> 
> Chris, could you explain how to do this, or point me to someplace that 
> does?  Thanks!
> 
> Adam

In Postfix at least, you can do this with reject_non_fqdn_hostname in
the smtpd_helo_restrictions.  In addition we reject a ton of spam from
people who try to HELO/EHLO as our hostname or IP address.  In the same
smtpd_helo_restrictions section, we also have:
check_helo_access hash:/opt/pmx4/postfix/etc/helo_access

That file contains:

Our main mailserver IP addresses (including the IPs of our gateways), as
well as the DNS names for the same servers and just 'newpaltz.edu'.
Each line is as follows as an example:

192.168.1.102           REJECT You are not who you say you are
serverxyz.newpaltz.edu  REJECT You are not who you say you are

The full smtpd_helo_restrictions for us read:

smtpd_helo_restrictions = permit_mynetworks,
                check_helo_access hash:/opt/pmx4/postfix/etc/helo_access,
                reject_non_fqdn_hostname,
                permit

So that anything in our trusted system list is allowed (by IP address)
to 'break' these rules.  Anything else that fails the helo_access check
or has a non-fqdn hostname is rejected.

I know this is more than you asked but we reject about 400,000 messages
per month based on attempted spoofing of our hostnames/ip addresses in
the HELO/EHLO stage of the connection.




-- 
------------------------------------------
Paul Chauvet
UNIX/Linux Systems Administrator
State University of New York at New Paltz
845-257-3828
[EMAIL PROTECTED]
------------------------------------------

_______________________________________________
Mid-Hudson Valley Linux Users Group                  http://mhvlug.org          
   
http://mhvlug.org/cgi-bin/mailman/listinfo/mhvlug                           
Upcoming Meetings (6pm - 8pm)                         MHVLS Auditorium          
                              
  Oct 3 - Security and Privacy
  Nov 7 - Django Python Application Framework
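
Added example (not part of the original message and not Postfix code): a simplified Python model of the restriction list described above, useful for checking which HELO strings a helo_access table would catch before loading it. The network range, table contents and function names are constructed for illustration. It assumes Postfix's default parent-domain matching for access maps (a key such as newpaltz.edu also matches its subdomains) and does not model bracketed address literals.

```python
import ipaddress
import re

# Constructed sample data modelled on the post; not the site's real configuration.
MYNETWORKS = [ipaddress.ip_network("192.168.1.0/24")]
REJECT = "REJECT You are not who you say you are"
HELO_ACCESS = {"192.168.1.102": REJECT,
               "serverxyz.newpaltz.edu": REJECT,
               "newpaltz.edu": REJECT}

LABEL = re.compile(r"(?!-)[a-z0-9_-]{1,63}(?<!-)")


def norm(helo):
    """Lower-case and drop one trailing dot."""
    name = helo.lower()
    return name[:-1] if name.endswith(".") else name


def is_numeric(name):
    try:
        ipaddress.ip_address(name)
        return True
    except ValueError:
        return False


def access_lookup(table, helo):
    """Exact key first, then parent domains; IP-style names get exact match only."""
    name = norm(helo)
    if is_numeric(name):
        return table.get(name)
    labels = name.split(".")
    for i in range(len(labels)):
        hit = table.get(".".join(labels[i:]))
        if hit:
            return hit
    return None


def looks_fqdn(helo):
    """Approximation: valid labels, at least one dot, not all digits."""
    name = norm(helo)
    labels = name.split(".")
    return (len(labels) > 1 and not name.replace(".", "").isdigit()
            and all(LABEL.fullmatch(label) for label in labels))


def evaluate_helo(client_ip, helo):
    """Walk the restrictions in the order listed; first decisive result wins."""
    if any(ipaddress.ip_address(client_ip) in net for net in MYNETWORKS):
        return "PERMIT (permit_mynetworks)"
    action = access_lookup(HELO_ACCESS, helo)
    if action:
        return action
    if not looks_fqdn(helo):
        return "REJECT (reject_non_fqdn_hostname)"
    return "PERMIT"
```

Because of the parent-domain match, an outside client announcing any name under newpaltz.edu is rejected by the table, while hosts inside the trusted range are permitted before the table is consulted.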
