On Tue, 18 Mar 2003 11:33 pm, Devin Carraway wrote:
> On Thu, Mar 13, 2003 at 02:08:31AM -0800, Ask Bjoern Hansen wrote:
> > I'd like to hear how it works over a few weeks or so. I fear that
> > some "real" SMTP clients send the HELO as soon as they are
> > connected.
>
> Sure, I'll continue to keep an eye on the logs. Any MTA/MUA that would
> dequeue mail without seeing a 200-ok is hopeless, but there might be
> embedded MUAs foolishly trying it as an optimization.
>
> So far all I'm seeing a lot of spammers using open HTTP proxies, which I
> have to grant is fairly clever. To catch this sort of thing is going to
> require a generalized command hook, though that'd ultimately be the ideal
> thing to have to catch overeager pipelining also.
>
> check_earlytalker plugin: host spontaneously said: [POST / HTTP/1.0]
> check_earlytalker plugin: host spontaneously said: [Content-type: application/x-www-form-urlencoded]
> check_earlytalker plugin: host spontaneously said: [Content-length: 1028]
> check_earlytalker plugin: host spontaneously said: [Client-ip: 157.156.1.136]
> check_earlytalker plugin: host spontaneously said: [Connection: keep-alive]
> check_earlytalker plugin: host spontaneously said: [Via: HTTP/1.0 Cluster_fcache[C0A8011C] (Traffic-Server/4.0.18 [uScM])]
> check_earlytalker plugin: host spontaneously said: [Host: 66.92.186.143:25]
> check_earlytalker plugin: host spontaneously said: []
> check_earlytalker plugin: host spontaneously said: [HELO cmviyay]
> check_earlytalker plugin: host spontaneously said: [MAIL FROM: <[EMAIL PROTECTED]>]
> check_earlytalker plugin: host spontaneously said: [RCPT TO: <[EMAIL PROTECTED]>]

Another possible way to deal with this is the way that MessageWall catches these ones (http://www.messagewall.org/features.html#errors). Namely, to disconnect any client that issues a threshold level of invalid commands.

It should not be hard to put in an 'invalid command' hook, and write a plugin based on that. In fact, we don't even have to have a threshold, we just look for an invalid command containing 'HTTP'.

I will look into it over the next few days if no-one beats me to it.

Rasjid.

PS. I think MessageWall is a good potential source of ideas, although qpsmtpd does most of what MessageWall does.
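
The 'invalid command' check discussed in this thread, sketched as stand-alone Python rather than as a qpsmtpd plugin (an added example, not code from this thread, qpsmtpd or MessageWall). The verb list, the threshold of 3 and the function names are assumptions, and the sample session is constructed from the quoted log excerpt.

```python
# Command-phase only: lines sent after DATA (the message body) are not modelled.
# Assumption: a minimal set of SMTP verbs the server would recognise.
SMTP_VERBS = {"HELO", "EHLO", "MAIL", "RCPT", "DATA",
              "RSET", "NOOP", "QUIT", "VRFY", "HELP"}


def check_line(line, state, threshold=3):
    """Classify one client line as 'ok', 'invalid' or 'disconnect'.

    state is a per-connection dict; state['invalid'] counts bad commands.
    """
    parts = line.strip().split(None, 1)
    verb = parts[0].upper() if parts else ""
    if verb in SMTP_VERBS:
        return "ok"
    state["invalid"] = state.get("invalid", 0) + 1
    # An invalid command containing 'HTTP' is dropped at once, no threshold.
    if "HTTP" in line.upper():
        return "disconnect"
    # Otherwise fall back to the threshold of invalid commands.
    if state["invalid"] >= threshold:
        return "disconnect"
    return "invalid"


def run_session(lines, threshold=3):
    """Feed lines until the first disconnect; return (verdicts, lines_read)."""
    state, verdicts = {}, []
    for line in lines:
        verdict = check_line(line, state, threshold)
        verdicts.append(verdict)
        if verdict == "disconnect":
            break
    return verdicts, len(verdicts)


# Constructed sample, modelled on the proxy-relayed session in the quoted log.
PROXY_SESSION = [
    "POST / HTTP/1.0",
    "Content-type: application/x-www-form-urlencoded",
    "Content-length: 1028",
    "Connection: keep-alive",
    "",
    "HELO cmviyay",
    "MAIL FROM: <sender@example.invalid>",
]

if __name__ == "__main__":
    print(run_session(PROXY_SESSION))
```

Because only unrecognised commands are inspected, a valid `HELO` whose hostname happens to contain "http" is not affected.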
