On 18/04/2024 13:44, Marco Moock via mailop wrote:
> Am 18.04.2024 schrieb Sebastian Arcus via mailop <mailop@mailop.org>:
>> The mention of HELO is what threw me off - and I kept on thinking
>> that it's not possible, as port 25 is blocked. But I completely
>> missed the point that even authenticated connections on 587 will use
>> HELO - I think?
> They require auth, so they will use EHLO. :-)
> Although no difference here.
> The EHLO/HELO FQDN can't be used to abuse something. If it is the FQDN
> with matching reverse/forward DNS, it is fine.
> When submitting mail to 465/587, the machine will use its name (most
> likely not a FQDN), but that is not a problem because MSAs must not
> check that name - it would fail most of the time.
In that case I think I am back to square one. If an infected device
connecting to 587/465 to various servers on the internet, from our
network, to try and guess passwords/break into accounts wouldn't have
used the FQDN of our public IP as HELO - then that's not what is going
on. The Spamhaus info mentions the HELO being our public IP FQDN.
_______________________________________________
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop
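To make the port-25-versus-submission distinction in the thread concrete, here is an added Python example (not from this thread, and not any MTA's code) that evaluates an EHLO/HELO argument the way an inbound MTA on port 25 might, and deliberately skips the check on 465/587 where the client sends its local machine name. DNS is replaced by constructed lookup tables so the example runs offline; the hostnames, IP addresses and function names are assumptions of my own.

```python
import ipaddress
from dataclasses import dataclass
from typing import Tuple

SUBMISSION_PORTS = {465, 587}

# Constructed stand-in for DNS (assumption). Real code would call
# socket.gethostbyaddr()/getaddrinfo() or a DNS library; these tables exist
# only so the example runs offline.
FAKE_PTR = {"203.0.113.10": ["mail.example.org."]}   # ip -> PTR names
FAKE_A = {"mail.example.org.": ["203.0.113.10"]}     # name -> A records


@dataclass
class Verdict:
    ok: bool
    reason: str


def parse_greeting(line: str) -> Tuple[str, str]:
    """Split 'EHLO name' / 'HELO name' into (verb, argument); reject anything else."""
    parts = line.strip().split(maxsplit=1)
    if len(parts) != 2 or parts[0].upper() not in ("EHLO", "HELO"):
        raise ValueError(f"not a HELO/EHLO command: {line!r}")
    return parts[0].upper(), parts[1].strip()


def fcrdns_matches(name: str, client_ip: str) -> bool:
    """Forward-confirmed reverse DNS: the PTR for client_ip yields name, and
    name resolves back to client_ip."""
    fqdn = name.lower() if name.endswith(".") else name.lower() + "."
    if fqdn not in (p.lower() for p in FAKE_PTR.get(client_ip, [])):
        return False
    return client_ip in FAKE_A.get(fqdn, [])


def evaluate_greeting(port: int, line: str, client_ip: str) -> Verdict:
    """Apply the per-port policy from the thread to one greeting line."""
    verb, arg = parse_greeting(line)

    # Submission (MSA): the client has authenticated and sends its own machine
    # name, which is usually not an FQDN, so the name is not checked at all.
    if port in SUBMISSION_PORTS:
        return Verdict(True, f"port {port} is submission; {verb} name {arg!r} not checked")

    # Port 25 (MTA): address-literal form, e.g. "[203.0.113.10]" or "[IPv6:2001:db8::1]"
    if arg.startswith("[") and arg.endswith("]"):
        literal = arg[1:-1]
        if literal.lower().startswith("ipv6:"):
            literal = literal[5:]
        try:
            literal_ip = ipaddress.ip_address(literal)
        except ValueError:
            return Verdict(False, f"malformed address literal {arg!r}")
        if literal_ip == ipaddress.ip_address(client_ip):
            return Verdict(True, "address literal matches connecting IP")
        return Verdict(False, f"address literal {arg!r} does not match {client_ip}")

    # A bare machine name ("laptop") cannot be an FQDN with matching DNS.
    if "." not in arg.strip("."):
        return Verdict(False, f"{verb} name {arg!r} is a bare hostname, not an FQDN")

    if fcrdns_matches(arg, client_ip):
        return Verdict(True, f"{arg!r} has matching forward/reverse DNS for {client_ip}")
    return Verdict(False, f"{arg!r} does not forward-confirm to {client_ip}")


if __name__ == "__main__":
    # Constructed sample connections: (port, greeting line, connecting IP)
    samples = [
        (25, "EHLO mail.example.org", "203.0.113.10"),
        (25, "EHLO mail.example.org", "198.51.100.7"),
        (25, "HELO laptop", "203.0.113.10"),
        (587, "EHLO laptop", "198.51.100.7"),
        (25, "EHLO [203.0.113.10]", "203.0.113.10"),
    ]
    for port, line, ip in samples:
        v = evaluate_greeting(port, line, ip)
        print(f"{port:>3} {ip:<14} {line:<28} -> {'ok ' if v.ok else 'BAD'} {v.reason}")
```

A false verdict on port 25 is a scoring signal for the receiving MTA, not by itself a reason to reject; the point the example makes is that the same name which looks wrong on port 25 is perfectly normal on 587/465, so an MSA log full of bare hostnames in EHLO says nothing about abuse.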