Hi,

On Tue, 30 Mar 2004 [EMAIL PROTECTED] wrote:

> > Note the 'HELO' name the virus used ("from pacbell.net"). The 'HELO'
> > name == recipient's domain name which is common virus behavior.
> >
> > A large amount of viri and moderate amount of spam can be stopped cold
> > if you configure your MTA to reject messages that use your own
> > DNS-name/IP-address in their 'HELO'. (I.e. anybody else who claims to be
> > "me" is an impostor who's up to no good ;).
>
> I would *love* to implement that.  Can you suggest how to accomplish
> this with Postfix?

Here are four that I use in /etc/postfix/helo_access.pcre:

# Generic bad: nobody outside my network should HELO as my bare domain
/^(austinimprov|cynistar)\.(com|net|org)$/      550 5.7.1 Do not masquerade as local server. Begone.
# Bare IP inside my netblock (anchored so it cannot match .80-.159 or a longer name)
/^66\.143\.181\.([8-9]|1[0-5])$/                550 5.7.1 Do not masquerade as local server. Begone.
# Broken mailers: tempfail until I have had a look
/^localhost\.?/         450 Fix your HELO to show a real hostname and try again
/^\d+\.\d+\.\d+\.\d+$/  450 Fix your HELO to show a real hostname and try again

All of my hosts HELO as an actual resolvable host name, not as a bare
domain name, so anything matching /^mydomains\.(com|net|org)$/ is crap.

This goes doubly for anything that HELOs with a bare IP address in my
netblock. Anything that HELOs with a bare IP address gets a temporary
error until I notice, run some checks, and manually white- or blacklist
it. Anyone with a mailserver so broken as to HELO as localhost is
tempfailed as well.

In main.cf I use:

smtpd_helo_restrictions = permit_mynetworks,
  check_helo_access pcre:/etc/postfix/helo_access.pcre,
  reject_invalid_hostname,
  reject_non_fqdn_hostname,
  reject_unknown_hostname

All manual whitelist and blacklist entries go into
/etc/postfix/helo_access.pcre

The last three restrictions (reject_invalid_hostname,
reject_non_fqdn_hostname, reject_unknown_hostname) cause me a small amount
of grief from false positives due to careless mailserver configuration;
conversely, they stop a lot of spam. I get very little traffic and I watch
my logs so I can afford to be this brutal[1]. Unless you're an 800-lb
gorilla with the patience of a Buddhist monk, you'll end up whitelisting a
number of domains whose admins are too lazy/stupid/hamstrung/arrogant to
fix their DNS and HELO announcements.

Aside: I'd love QoS for email. Either fix your DNS & HELO or you get to
talk to me at 300 baud +++

-- Bob

[1] Which IMHO is not very brutal at all. "Brutal" is dropping all traffic
from Asia, Russia, and LACNIC netspace or refusing connections based on
the SCBL.
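The check_helo_access lookup Bob describes, as an added example that is not part of his message: a small Python model of a Postfix pcre: access table (first match wins, 5xx rejects, 4xx tempfails, no match falls through to the next restriction) run against constructed HELO names. The table text and sample names are constructed for the demo, and real Postfix features this parser ignores ($1 substitution, the x/m/s/U flags) are assumed away.

```python
import re

# Constructed copy of the helo_access.pcre table from the message (not the
# live file). A Postfix pcre: map is "/regex/flags  action"; first match wins.
HELO_ACCESS_PCRE = r"""
# Generic bad
/^(austinimprov|cynistar)\.(com|net|org)$/  550 5.7.1 Do not masquerade as local server. Begone.
/^66\.143\.181\.([8-9]|1[0-5])$/            550 5.7.1 Do not masquerade as local server. Begone.
/^localhost\.?/         450 Fix your HELO to show a real hostname and try again
/^\d+\.\d+\.\d+\.\d+$/  450 Fix your HELO to show a real hostname and try again
"""

# One rule: /regex/ with optional flag letters, whitespace, then the action.
_RULE = re.compile(r"^/(?P<re>(?:\\.|[^/])*)/(?P<flags>[a-zA-Z]*)\s+(?P<action>.+)$")
def parse_pcre_table(text):
    """Parse a pcre: map into [(compiled_regex, action)]. Postfix matches
    case-insensitively by default; the 'i' flag toggles that off."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _RULE.match(line)
        if m is None:
            raise ValueError(f"unparseable pcre rule: {line!r}")
        flags = 0 if "i" in m["flags"] else re.IGNORECASE
        rules.append((re.compile(m["re"], flags), m["action"].strip()))
    return rules

def helo_verdict(rules, helo):
    """First matching rule decides: 5xx rejects, 4xx tempfails; no match
    means 'pass', i.e. fall through to the next smtpd_helo_restriction."""
    for rx, action in rules:
        if rx.search(helo):
            return "reject" if action.startswith("5") else "defer"
    return "pass"

# Constructed sample HELO names (not from any real log) and what to expect.
SAMPLE_HELOS = [
    "austinimprov.com",       # bare local domain: virus masquerading as me
    "MAIL.AUSTINIMPROV.COM",  # real local host name, so it falls through
    "66.143.181.12",          # bare IP inside my netblock
    "66.143.181.120",         # not my netblock: hits the generic bare-IP rule
    "LOCALHOST",              # default case-insensitive match
    "mx1.example.net",        # ordinary FQDN, left to the DNS-based checks
]

def check_samples():
    rules = parse_pcre_table(HELO_ACCESS_PCRE)
    return {helo: helo_verdict(rules, helo) for helo in SAMPLE_HELOS}
```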
