
Good way to tag stupid HELO response?
Here's the big problem. Big company, lots of Exchange servers, some that
aren't set up to send an FQDN as a HELO.

The result:
Feb 23 10:04:16 mailgate postfix/smtpd[16182]: 71DBD13FF3: reject: RCPT
from mail.rt.firstam-reis.com[206.103.66.185]: 404 <reisdal01smxs01>:
Helo command rejected: need fully-qualified hostname;
from=<mkissinger@firstam.com> to=<jnichols@pbp.net> proto=ESMTP
helo=<reisdal01smxs01>

That's a valid sender, to a valid domain, but the Exchange server just
sends its hostname as the HELO. I have tried without success to contact
the powers-that-be to change that.

Here's a totally bogus HELO from a spammer:

Feb 23 12:18:59 mailgate postfix/smtpd[20065]: AAE0913FF3: reject: RCPT
from sr-245.srge01.resnet.ubc.ca[142.103.50.245]: 404 <SALLY>: Helo
command rejected: need fully-qualified hostname;
from=<flnmsdyjnztldrfc@mindspring.com> to=<jnichols@cheese.pbp.net>
proto=SMTP helo=<SALLY>

I'm rejecting bogus HELOs, but it's tripping up on legitimate email.
I'd rather just tag it and whitelist the appropriate senders.

Which test should I mark up? I checked through the lists of tests and
found a few, but I'm not sure of exactly what I should add to merely tag
the bogus HELO senders.

Thanks!
RE: Good way to tag stupid HELO response?
> -----Original Message-----
> From: Jonathan Nichols [mailto:jnichols@pbp.net]
> Sent: Monday, February 23, 2004 3:43 PM
> To: spamassassin-users@incubator.apache.org
> Subject: Good way to tag stupid HELO response?
>
>
>
> Here's the big problem. Big company, lots of Exchange
> servers, some that
> aren't set up to send an FQDN as a HELO.
>
> The result:
> Feb 23 10:04:16 mailgate postfix/smtpd[16182]: 71DBD13FF3:
> reject: RCPT
> from mail.rt.firstam-reis.com[206.103.66.185]: 404 <reisdal01smxs01>:
> Helo command rejected: need fully-qualified hostname;
> from=<mkissinger@firstam.com> to=<jnichols@pbp.net> proto=ESMTP
> helo=<reisdal01smxs01>
>
> That's a valid sender, to a valid domain, but the Exchange server just
> sends its hostname as the HELO. I have tried without success
> to contact
> the powers-that-be to change that.
>
> Here's a totally bogus HELO from a spammer:
>
> Feb 23 12:18:59 mailgate postfix/smtpd[20065]: AAE0913FF3:
> reject: RCPT
> from sr-245.srge01.resnet.ubc.ca[142.103.50.245]: 404 <SALLY>: Helo
> command rejected: need fully-qualified hostname;
> from=<flnmsdyjnztldrfc@mindspring.com> to=<jnichols@cheese.pbp.net>
> proto=SMTP helo=<SALLY>
>
> I'm rejecting bogus HELOs, but it's tripping up on legitimate email.
> I'd rather just tag it and whitelist the appropriate senders.
>
> Which test should I mark up? I checked through the lists of tests and
> found a few, but I'm not sure of exactly what I should add to
> merely tag
> the bogus HELO senders.
>
> Thanks!
>

These might give you some help. Not exactly what you are looking for, but
closest I have.

header WORKSTATION_NAME Received =~ /^from \w+ \(\[\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\]\)/
describe WORKSTATION_NAME Header includes a server with no FQDN.
score WORKSTATION_NAME 0.35

header WORKSTATION_NAME2 Received =~ /^from \[\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\]\n/
describe WORKSTATION_NAME2 Received is missing a FQDN, IP only.
score WORKSTATION_NAME2 0.11

header WORKSTATION_NAME3 Received =~ /^from \(.?\[.?\].?\)\b/
describe WORKSTATION_NAME3 Contains an empty Received IP.
score WORKSTATION_NAME3 0.31

header WORKSTATION_NAME4 Received =~ /^from unknown \(\w+ \w+\)\b/
describe WORKSTATION_NAME4 Received contains an unknown FQDN with possible HELO.
score WORKSTATION_NAME4 0.11

header WORKSTATION_NAME5 Received =~ /^from \(HELO \w+\) \[\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\] by /
describe WORKSTATION_NAME5 RCVD has no FQDN and a HELO.
score WORKSTATION_NAME5 0.11

header WORKSTATION_NAME6 Received =~ /^from \w+ \((\w+\.)?\w+\.\w+\.\w+ \[\d{1,3}\./
describe WORKSTATION_NAME6 RCVD has FQDN inside IP parens after a workstation name.
score WORKSTATION_NAME6 0.33

header WORKSTATION_NAME7 Received =~ /^from \d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3} \((\w+\.)?\w+\.\w+\.\w+ \[\d{1,3}\./
describe WORKSTATION_NAME7 RCVD has IP, then IP inside parens, then IP inside Brackets.
score WORKSTATION_NAME7 0.11

Chris Santerre
System Admin and SA Custom Rules Emporium keeper
http://www.merchantsoverseas.com/wwwroot/gorilla/sa_rules.htm
'It is not the strongest of the species that survives,
not the most intelligent, but the one most responsive to change.'
Charles Darwin
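The rules above are line-wrapped by the archive and easy to mistranscribe, and one of them has a gap worth knowing about before it goes into local.cf. The following is an added example, not code from the thread or from SpamAssassin: it runs four of the posted patterns as Python regexes over constructed Received headers. The host names and IPs are taken from the log lines in the original post, the header layout is my assumption about how Postfix, Exchange and qmail fold the line, and each rule is applied to one Received header at a time, which simplifies how SA actually scans headers. It also adds a hyphen-tolerant variant of WORKSTATION_NAME6 (my addition), because \w does not match "-" and the OP's own rDNS name mail.rt.firstam-reis.com slips past the posted pattern.

```python
"""Offline harness for SpamAssassin-style Received header rules.

Added example, not code from the thread or from SpamAssassin. The
patterns are Chris Santerre's WORKSTATION_NAME* rules transcribed to
Python's re module (character classes behave as in Perl for the ASCII
input used here). The Received headers below are constructed: host
names and IPs come from the original post's log lines, the folding
layout is an assumption. Each rule is applied to one Received header
at a time, a simplification of how SA scans headers.
"""
import re

# (rule name, pattern, score) as posted, minus the archive's line wrapping
RULES = [
    ("WORKSTATION_NAME",  r"^from \w+ \(\[\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\]\)", 0.35),
    ("WORKSTATION_NAME2", r"^from \[\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\]\n", 0.11),
    ("WORKSTATION_NAME5", r"^from \(HELO \w+\) \[\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\] by ", 0.11),
    ("WORKSTATION_NAME6", r"^from \w+ \((\w+\.)?\w+\.\w+\.\w+ \[\d{1,3}\.", 0.33),
]

# Hardened variant of rule 6 (my addition, not from the post): DNS labels may
# contain '-', which \w does not match, so the posted pattern silently skips
# rDNS names such as mail.rt.firstam-reis.com. Still requires three labels.
RULE6_HYPHEN = ("WORKSTATION_NAME6_HYPHEN",
                r"^from \w+ \((?:[\w-]+\.){2,}[\w-]+ \[\d{1,3}\.", 0.33)

# Constructed Received headers (folded with \n\t the way MTAs write them)
SAMPLES = {
    # the OP's Exchange server: bare HELO, hyphenated rDNS, Postfix layout
    "exchange_bare_helo": (
        "from reisdal01smxs01 (mail.rt.firstam-reis.com [206.103.66.185])"
        "\n\tby mailgate.pbp.net (Postfix) with ESMTP id 71DBD13FF3"),
    # the spammer from the OP's second log line
    "spammer_sally": (
        "from SALLY (sr-245.srge01.resnet.ubc.ca [142.103.50.245])"
        "\n\tby mailgate.pbp.net (Postfix) with SMTP id AAE0913FF3"),
    # Exchange-internal hop: workstation name, IP literal only (IP constructed)
    "exchange_internal": (
        "from SALLY ([192.0.2.7])\n\tby mx.example.invalid with Microsoft SMTPSVC"),
    # qmail-style hop with the HELO in parens (layout assumed, IP constructed)
    "qmail_helo": "from (HELO sally) [192.0.2.8] by mx.example.invalid with SMTP",
    # bare address literal and nothing else on the first line (constructed)
    "bare_ip_literal": "from [192.0.2.10]\n\tby mx.example.invalid (Postfix) with SMTP",
    # a properly configured MTA: FQDN HELO matching its rDNS (constructed)
    "proper_mta": (
        "from mail.example.com (mail.example.com [192.0.2.9])"
        "\n\tby mx.example.invalid (Postfix) with ESMTP id 0000000002"),
}


def tag_received(received, rules=RULES):
    """Return (names of rules that hit, summed score) for one Received header."""
    hits = [name for name, pattern, _ in rules if re.search(pattern, received)]
    total = round(sum(score for name, _, score in rules if name in hits), 2)
    return hits, total


def report(rules=RULES):
    """Run every sample through a rule set; returns {sample label: hit names}."""
    return {label: tag_received(hdr, rules)[0] for label, hdr in SAMPLES.items()}


if __name__ == "__main__":
    for label, hits in report().items():
        print(f"{label:22s} posted rules  -> {hits or '-'}")
    for label, hits in report(RULES + [RULE6_HYPHEN]).items():
        print(f"{label:22s} + hyphen rule -> {hits or '-'}")
```

Running it shows the trade-off the thread is circling: the posted rules tag the IP-only and HELO-in-parens hops but let both the OP's Exchange box and the SALLY spammer through untagged, because their rDNS names contain hyphens; the hyphen-tolerant variant tags both, which is exactly why these rules carry fractional scores and should be combined with other SA evidence rather than used to reject. The properly configured MTA matches nothing in either set.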
Re: Good way to tag stupid HELO response?
On Mon, 23 Feb 2004, Jonathan Nichols wrote:

>
> Here's the big problem. Big company, lots of Exchange servers, some that
> aren't set up to send an FQDN as a HELO.
>
> The result:
> Feb 23 10:04:16 mailgate postfix/smtpd[16182]: 71DBD13FF3: reject: RCPT
> from mail.rt.firstam-reis.com[206.103.66.185]: 404 <reisdal01smxs01>:
> Helo command rejected: need fully-qualified hostname;
> from=<mkissinger@firstam.com> to=<jnichols@pbp.net> proto=ESMTP
> helo=<reisdal01smxs01>
>
> That's a valid sender, to a valid domain, but the Exchange server just
> sends its hostname as the HELO. I have tried without success to contact
> the powers-that-be to change that.
[snip..]

You do realize that the rejection is due to your Postfix
configuration, SpamAssassin has nothing to do with it.
SpamAssassin by itself is not capable of rejecting anything.

Reconfigure your Postfix to not block based upon the HELO and then
work on your SpamAssassin config to do the tagging.


--
Dave Funk University of Iowa
<dbfunk (at) engineering.uiowa.edu> College of Engineering
319/335-5751 FAX: 319/384-0549 1256 Seamans Center
Sys_admin/Postmaster/cell_admin Iowa City, IA 52242-1527
#include <std_disclaimer.h>
Better is not better, 'standard' is better. B{
Re: Good way to tag stupid HELO response?
>
> You do realize that the rejection is due to your Postfix
> configuration, SpamAssassin has nothing to do with it.
> SpamAssassin by itself is not capable of rejecting anything.
>

Yes, I realize that Postfix is doing that. I want to remove that check
because legitimate mail is being bounced, but I don't want a flood of
spam to get through either.
Re: Good way to tag stupid HELO response?
On Mon, 23 Feb 2004, Jonathan Nichols wrote:

> Yes, I realize that Postfix is doing that. I want to remove that check
> because legitimate mail is being bounced, but I don't want a flood of
> spam to get through either.

Good. I'd concentrate on using SA to look at more clues than just
the HELO. Demanding a FQDN HELO is a bit -too- anal. ;)

The only reliable spam-signs I've found from HELOs are:
1) if the HELO == my server name or IP address. (nobody can be
me except me. ;)
2) a small set of commonly abused names such as "test" "localhost"
"TmpStr" "oemcomputer" ... (of course these could just be misconfigured
clients, or PCs sending viri ;)
3) if the HELO == big-name site (hotmail.com, yahoo.com, aol.com, ...)
and the DNS-PTR for the client IP != the corresponding domain.
I.e. a spammer who is trying to masquerade as a big-name site.
You have to watch out here though, if there is a DNS fubar, the
DNS-PTR may fail even though the IP is correct. (I.e. a DNS lookup
can return a 'yes', 'no' or 'no answer now' type status). Before
I implemented the DNS status check, I dumped a bunch of hotmail
when Microsoft had a DNS FUBAR. ;)

I've implemented these 3 checks in my MTA as part of a spam pre-filter
along with DNS-RBLs, and used SA to take care of the rest.

Dave

--
Dave Funk University of Iowa
<dbfunk (at) engineering.uiowa.edu> College of Engineering
319/335-5751 FAX: 319/384-0549 1256 Seamans Center
Sys_admin/Postmaster/cell_admin Iowa City, IA 52242-1527
#include <std_disclaimer.h>
Better is not better, 'standard' is better. B{
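The three HELO checks Dave describes, and in particular the "yes / no / no answer now" distinction he learned the hard way, translate into a small policy function. What follows is an added example, not code from the thread or from his MTA's pre-filter: host names and addresses are constructed (RFC 5737 test ranges and .example/.invalid names, plus the OP's own gateway names from the log), the PTR data is an in-memory table so it runs offline, and the resolver is modelled as returning one of three states so that a temporary failure defers rather than rejects. It generalises check 3 slightly by treating a HELO of a host inside a big-name domain (mc9-s18.hotmail.com) the same as the bare domain; the two-label registered_domain helper is a simplification noted in the code.

```python
"""SMTP-time HELO policy modelled on the three reliable spam-signs in
Dave Funk's reply.

Added example, not code from the thread or from his MTA. Names and
addresses are constructed (RFC 5737 ranges, .example/.invalid names,
the OP's gateway names from the log). PTR answers come from an
in-memory table so the example runs offline. The lookup returns one
of three states because the point of check 3 is that "no answer right
now" must not be treated as "wrong answer".
"""
import ipaddress
from enum import Enum


class Verdict(Enum):
    ACCEPT = "accept"   # nothing in the HELO to object to; let SA judge the body
    REJECT = "reject"   # 5xx: the HELO is a forgery by construction
    DEFER = "defer"     # 4xx: could not verify right now; client should retry


class PtrStatus(Enum):
    FOUND = "found"
    NXDOMAIN = "nxdomain"   # authoritative "no such name"
    TEMPFAIL = "tempfail"   # SERVFAIL or timeout: no answer now


# check 1 data: my own names (from the OP's log) and addresses (constructed)
MY_NAMES = {"mailgate.pbp.net", "cheese.pbp.net"}
MY_ADDRS = {ipaddress.ip_address("192.0.2.25")}
# check 2 data: the commonly abused names listed in the post
ABUSED_HELOS = {"test", "localhost", "tmpstr", "oemcomputer"}
# check 3 data: the big-name domains listed in the post
BIG_NAMES = {"hotmail.com", "yahoo.com", "aol.com"}

# Constructed PTR table standing in for the resolver
PTR_TABLE = {
    "192.0.2.10":   (PtrStatus.FOUND, "mc9-s18.hotmail.com"),  # genuine-looking MX, IP constructed
    "198.51.100.7": (PtrStatus.FOUND, "dsl-7.isp.example"),    # consumer line claiming to be hotmail
    "203.0.113.9":  (PtrStatus.TEMPFAIL, None),                # resolver trouble, not a verdict
    "203.0.113.11": (PtrStatus.NXDOMAIN, None),                # no rDNS at all
}


def table_ptr_lookup(client_ip):
    """Stand-in for a PTR query; unknown addresses get an authoritative NXDOMAIN."""
    return PTR_TABLE.get(str(client_ip), (PtrStatus.NXDOMAIN, None))


def registered_domain(name):
    """'mc9-s18.hotmail.com' -> 'hotmail.com'. Assumption for this example:
    two-label registrable domains; real code should use the public suffix list."""
    labels = name.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def helo_policy(helo, client_ip, ptr_lookup=table_ptr_lookup):
    """Apply the three checks in order; returns (Verdict, reason)."""
    helo_l = helo.strip().strip("<>").lower()

    # Check 1: nobody can be me except me. Covers my hostnames and my IPs,
    # whether the address is written as [a.b.c.d] or bare a.b.c.d.
    if helo_l in MY_NAMES:
        return Verdict.REJECT, "HELO claims to be one of my own hostnames"
    literal = helo_l[1:-1] if helo_l.startswith("[") and helo_l.endswith("]") else helo_l
    try:
        if ipaddress.ip_address(literal) in MY_ADDRS:
            return Verdict.REJECT, "HELO claims to be one of my own addresses"
    except ValueError:
        pass  # not an address literal; fall through

    # Check 2: a short list of names nobody legitimately HELOs with
    if helo_l in ABUSED_HELOS:
        return Verdict.REJECT, f"commonly abused HELO name {helo_l!r}"

    # Check 3: claims a big-name domain (the domain itself or a host in it)
    # but the client's PTR disagrees. A temporary DNS failure defers.
    claimed = registered_domain(helo_l)
    if claimed in BIG_NAMES:
        status, ptr_name = ptr_lookup(client_ip)
        if status is PtrStatus.TEMPFAIL:
            return Verdict.DEFER, f"cannot verify {claimed} claim: PTR lookup failed temporarily"
        if status is PtrStatus.NXDOMAIN or registered_domain(ptr_name) != claimed:
            return Verdict.REJECT, f"HELO claims {claimed} but PTR for {client_ip} is {ptr_name!r}"

    # Bare or unqualified names such as the OP's Exchange box are not, by
    # themselves, treated as a spam sign here; that is left to SA scoring.
    return Verdict.ACCEPT, "no HELO-based objection"


if __name__ == "__main__":
    for helo, ip in [("reisdal01smxs01", "206.103.66.185"), ("SALLY", "142.103.50.245"),
                     ("mailgate.pbp.net", "198.51.100.7"), ("[192.0.2.25]", "198.51.100.7"),
                     ("localhost", "198.51.100.7"), ("hotmail.com", "198.51.100.7"),
                     ("mc9-s18.hotmail.com", "192.0.2.10"), ("hotmail.com", "203.0.113.9")]:
        verdict, why = helo_policy(helo, ip)
        print(f"{helo:22s} {ip:16s} {verdict.value:7s} {why}")
```

Note what this policy does not do: the OP's reisdal01smxs01 and the spammer's SALLY both come back ACCEPT, because a bare workstation name is not one of the three signs; the reject verdicts are reserved for HELOs that are forgeries by construction, and the DEFER path is the difference between losing a day of hotmail during a DNS outage and merely delaying it.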
Re: Good way to tag stupid HELO response?
Hi,

On Mon, 23 Feb 2004, Jonathan Nichols wrote:

> > You do realize that the rejection is due to your Postfix
> > configuration, SpamAssassin has nothing to do with it.
> > SpamAssassin by itself is not capable of rejecting anything.
>
> Yes, I realize that Postfix is doing that. I want to remove that check
> because legitimate mail is being bounced, but I don't want a flood of
> spam to get through either.

FWIW, I just watch my mail logs and whitelist the very few "legitimate"
servers that are set up improperly (currently 17.)

In main.cf I have:

smtpd_helo_restrictions = permit_mynetworks,
check_helo_access pcre:/etc/postfix/helo_access.pcre,
reject_invalid_hostname,
reject_non_fqdn_hostname,
reject_unknown_hostname

and /etc/postfix/helo_access.pcre contains entries like:

/smtp\d+\.prometric\.com$/ OK
/^mc9-s18\.hotmail\.com$/ OK

Additionally, I reject mail with obviously bad HELOs (e.g. localhost, my
IP range, bare dotted-quad, etc.):

/^<?\d+\.\d+\.\d+\.\d+>?/ 450 HELO is an IP literal; try again with a real hostname
/66\.143\.181\./ 550 You really don't know who you are, do you?
/^localhost$/ 450 Please fix your HELO to point to an actual host
/^localhost\.localdomain$/ 450 Please fix your HELO to point to an actual host

<rant>
I'm going to reiterate - if an outbound MTA doesn't have a static IP
address, fDNS, rDNS, and doesn't HELO with a FQDN that matches its IP
address, it is _broken_. The solutions are simple and cheap and by no
means onerous; fix your DNS or find a friend or ISP to smarthost through.
People can argue all they want about these restrictions being stricter
than the minimum specified by RFC; others don't pay my bandwidth bills.
Probability is on my side - the vast majority of legitimate mail servers
already meet these criteria and the vast majority of spam sources don't.
I'm one person with a very small network and if I can do it, a paid
professional mail admin certainly can too.
</rant>

-- Bob
Re: Good way to tag stupid HELO response?
> Probability is on my side - the vast majority of legitimate mail servers
> already meet these criteria and the vast majority of spam sources don't.
> I'm one person with a very small network and if I can do it, a paid
> professional mail admin certainly can too.
> </rant>
>

I happen to agree. It's not that hard to make everything match up,
usually. I'm only referring to large corporations with farms of Exchange
servers, not someone running a mail server on a DSL line.
RE: Good way to tag stupid HELO response?
It might be a good idea when testing new Postfix settings to use "warn"
instead, if at all possible. When all seems well, finalize your settings
with "reject". I'd also highly recommend not using
"reject_unknown_hostname". It does stop a lot of spammers cold but it's
amazing how many valid hosts have an improperly configured DNS.

>> -----Original Message-----
>> From: Jonathan Nichols [mailto:jnichols@pbp.net]
>> Sent: Monday, February 23, 2004 3:43 PM
>> To: spamassassin-users@incubator.apache.org
>> Subject: Good way to tag stupid HELO response?
>>
>>
>>
>> Here's the big problem. Big company, lots of Exchange
>> servers, some that
>> aren't set up to send an FQDN as a HELO.
>>
>> The result:
>> Feb 23 10:04:16 mailgate postfix/smtpd[16182]: 71DBD13FF3:
>> reject: RCPT
>> from mail.rt.firstam-reis.com[206.103.66.185]: 404 <reisdal01smxs01>:
>> Helo command rejected: need fully-qualified hostname;
>> from=<mkissinger@firstam.com> to=<jnichols@pbp.net> proto=ESMTP
>> helo=<reisdal01smxs01>
>>
>> That's a valid sender, to a valid domain, but the Exchange server just
>> sends its hostname as the HELO. I have tried without success
>> to contact
>> the powers-that-be to change that.
>>
>> Here's a totally bogus HELO from a spammer:
>>
>> Feb 23 12:18:59 mailgate postfix/smtpd[20065]: AAE0913FF3:
>> reject: RCPT
>> from sr-245.srge01.resnet.ubc.ca[142.103.50.245]: 404 <SALLY>: Helo
>> command rejected: need fully-qualified hostname;
>> from=<flnmsdyjnztldrfc@mindspring.com> to=<jnichols@cheese.pbp.net>
>> proto=SMTP helo=<SALLY>
>>
>> I'm rejecting bogus HELOs, but it's tripping up on legitimate email.
>> I'd rather just tag it and whitelist the appropriate senders.
>>
>> Which test should I mark up? I checked through the lists of tests and
>> found a few, but I'm not sure of exactly what I should add to
>> merely tag
>> the bogus HELO senders.
>>
>> Thanks!
>>