Mailing List Archive

On 14.09.20 14:35, Philipp Ewald wrote:
>we have one customer the reported problems about HELO. We send the RFC821 HELO for only DOMAIN not FQDN.
>The customer scanning the helo and check the PTR and if the PTR don't match the HELO there is SPAM rating.

this is forbidden by any SMTP RFCs issued so far.

that customer is apparently losing too much mail - last time I checked,
google, aol, yahoo SMTP servers used HELO strings that did not resolve back
to those IPs.

what really matters is:

1. the PTR of connecting should be resolvable and the resulting hostname
should resolve back to the IP.

2. the name in HELO/EHLO should be resolvable and should have A/AAAA record

>I don't really like that but we think about to check the HELO too.
>
>Does anyone else checks the HELO/ELHO?

very few.

--
Matus UHLAR - fantomas, uhlar@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Saving Private Ryan...
Private Ryan exists. Overwrite? (Y/N)

> that customer is apparently losing too much mail - last time I checked,
> google, aol, yahoo SMTP servers used HELO strings that did not resolve back

Year - i thought there will be many false positive.

> what really matters is:
>
> 1. the PTR of connecting should be resolvable and the resulting hostname
> should resolve back to the IP.
>
> 2. the name in HELO/EHLO should be resolvable and should have A/AAAA record

Check ;-)

>> Does anyone else checks the HELO/ELHO?
>
> very few.

Thanks for feedback!

I will not check HELO.

Kind regards
Philipp

Am 14.09.20 um 15:08 schrieb Matus UHLAR - fantomas:
> On 14.09.20 14:35, Philipp Ewald wrote:
>> we have one customer the reported problems about HELO.  We send the RFC821 HELO for only DOMAIN not FQDN.
>> The customer scanning the helo and check the PTR and if the PTR don't match the HELO there is SPAM rating.
>
> this is forbidden by any SMTP RFCs issued so far.
>
> that customer is apparently losing too much mail - last time I checked,
> google, aol, yahoo SMTP servers used HELO strings that did not resolve back
> to those IPs.
>
> what really matters is:
>
> 1.  the PTR of connecting should be resolvable and the resulting hostname
>   should resolve back to the IP.
>
> 2.  the name in HELO/EHLO should be resolvable and should have A/AAAA record
>
>> I don't really like that but we think about to check the HELO too.
>>
>> Does anyone else checks the HELO/ELHO?
>
> very few.
>

--
Philipp Ewald
Administrator

DigiOnline GmbH, Probsteigasse 15 - 19, 50670 Köln
Telefon: +49 221 6500-532, Fax: +49 221 6500-690, E-Mail: philipp.ewald@digionline.de

AG Köln HRB 27711, St.-Nr. 5215 5811 0640
Geschäftsführer: Werner Grafenhain

Informationen zum Datenschutz: www.digionline.de/ds

On Mon, 14 Sep 2020, Philipp Ewald wrote:

> Does anyone else checks the HELO/ELHO?

I don't check for FCrDNS explicitly, but I do reject non-FQDN HELO strings
(e.g. no dots present) from the Internet. That catches a surprising
percentage of garbage up front.


--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhardin@impsec.org pgpk -a jhardin@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
If asking Hillary to disarm is a call for her assassination,
then asking the American people to disarm is calling for
their genocide. -- Jeff Ingebritson
-----------------------------------------------------------------------
3 days until the 233rd anniversary of the signing of the U.S. Constitution

On 14 Sep 2020, at 17:22, John Hardin wrote:

> On Mon, 14 Sep 2020, Philipp Ewald wrote:
>
>> Does anyone else checks the HELO/ELHO?
>
> I don't check for FCrDNS explicitly, but I do reject non-FQDN HELO
> strings (e.g. no dots present) from the Internet. That catches a
> surprising percentage of garbage up front.

I greylist (what I usually do not do) when a HELO-string does not
resolve with a PTR-record.

Niels

>>On Mon, 14 Sep 2020, Philipp Ewald wrote:
>>>Does anyone else checks the HELO/ELHO?

>On 14 Sep 2020, at 17:22, John Hardin wrote:
>>I don't check for FCrDNS explicitly, but I do reject non-FQDN HELO
>>strings (e.g. no dots present) from the Internet. That catches a
>>surprising percentage of garbage up front.

On 14.09.20 17:43, Niels Kobsch?tzki wrote:
>I greylist (what I usually do not do) when a HELO-string does not
>resolve with a PTR-record.

PTR? the helo string should be an A or AAAA.
Do you check PTR of those addresses?
--
Matus UHLAR - fantomas, uhlar@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
I feel like I'm diagonally parked in a parallel universe.

>On Monday, September 14, 2020, 05:23:13 PM GMT+2, John Hardin <jhardin@impsec.org> wrote:

>I don't check for FCrDNS explicitly, but I do reject non-FQDN HELO strings  (e.g. no dots present) from the Internet. That catches a surprising
> percentage of garbage up front.


+1

-----Pedreter

On Mon, 14 Sep 2020 15:08:57 +0200
Matus UHLAR - fantomas wrote:


> last time I
> checked, google, aol, yahoo SMTP servers used HELO strings that did
> not resolve back to those IPs.

I just looked at few and they all have HELO matching the recorded rDNS.

Are you basing that on PDS_NO_HELO_DNS? That rule FP'ed on any server
using IPv6 because it only checked for IPv4 rDNS.

It's gone now, I wonder if anyone tried fixing it before it was removed.

On Mon, 14 Sep 2020 23:03:28 +0100
RW wrote:

>
> Are you basing that on PDS_NO_HELO_DNS? That rule FP'ed on any server
> using IPv6 because it only checked for IPv4 rDNS.

That should have been: only checks for an A record.

On 14 Sep 2020, at 11:22, John Hardin wrote:

> On Mon, 14 Sep 2020, Philipp Ewald wrote:
>
>> Does anyone else checks the HELO/ELHO?
>
> I don't check for FCrDNS explicitly, but I do reject non-FQDN HELO
> strings (e.g. no dots present) from the Internet. That catches a
> surprising percentage of garbage up front.

Is that after passing a greeting delay?

I get a fair stream of no-dot EHLO/HELO names, but nearly all of it is
caught by postscreen as the introduction being offered before the
greeting banner has been fully sent. Just 11 instances of just 2 unique
IPs giving an unqualified name after waiting for the banner in recent
weeks, vs 12k fast-talkers.


--
Bill Cole
bill@scconsult.com or billcole@apache.org
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Not For Hire (currently)

On Mon, 14 Sep 2020, Bill Cole wrote:

> On 14 Sep 2020, at 11:22, John Hardin wrote:
>
>> On Mon, 14 Sep 2020, Philipp Ewald wrote:
>>
>>> Does anyone else checks the HELO/ELHO?
>>
>> I don't check for FCrDNS explicitly, but I do reject non-FQDN HELO strings
>> (e.g. no dots present) from the Internet. That catches a surprising
>> percentage of garbage up front.
>
> Is that after passing a greeting delay?

I do also reject for pre-greeting traffic.

> I get a fair stream of no-dot EHLO/HELO names, but nearly all of it is caught
> by postscreen as the introduction being offered before the greeting banner
> has been fully sent. Just 11 instances of just 2 unique IPs giving an
> unqualified name after waiting for the banner in recent weeks, vs 12k
> fast-talkers.

It looks like the bulk of my non-FQDN traffic is not pre-greeting but I'm
currently being hammered by a few IPs in MSFT space so that may be
throwing off my quickie analysis.

--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhardin@impsec.org pgpk -a jhardin@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
An AR-15 in civilian hands used to defend a home or business:
a High Velocity Assault Weapon with High Capacity Magazines
An AR-15 in Law Enforcement Officer hands used to murder six kids:
a Police-Style Patrol Rifle
-----------------------------------------------------------------------
3 days until the 233rd anniversary of the signing of the U.S. Constitution

>On Mon, 14 Sep 2020 15:08:57 +0200
>Matus UHLAR - fantomas wrote:
>> last time I
>> checked, google, aol, yahoo SMTP servers used HELO strings that did
>> not resolve back to those IPs.

On 14.09.20 23:03, RW wrote:
>I just looked at few and they all have HELO matching the recorded rDNS.
>
>Are you basing that on PDS_NO_HELO_DNS? That rule FP'ed on any server
>using IPv6 because it only checked for IPv4 rDNS.

No, i was pulling from memory.

However, as already said, this requirements violates RFC (and we don't to
argue with anyone that we violate RFCs).

We should be the good guys, who follow RFC, so nobody can blame us from
causing any issue by not following it.

>It's gone now, I wonder if anyone tried fixing it before it was removed.

--
Matus UHLAR - fantomas, uhlar@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
They that can give up essential liberty to obtain a little temporary
safety deserve neither liberty nor safety. -- Benjamin Franklin, 1759