On 18.04.2024 Sebastian Arcus via mailop <mailop@mailop.org> wrote:

> On 18/04/2024 13:44, Marco Moock via mailop wrote:
> > On 18.04.2024 Sebastian Arcus via mailop
> > <mailop@mailop.org> wrote:
> >> The mention of HELO is what threw me off - and I kept on thinking
> >> that it's not possible, as port 25 is blocked. But I completely
> >> missed the point that even authenticated connections on 587 will
> >> use HELO - I think?
> >
> > They require auth, so they will use EHLO. :-)
> > Although no difference here.
> >
> > The EHLO/HELO FQDN can't be used to abuse something. If it is the
> > FQDN with matching reverse/forward DNS, it is fine.
> >
> > When submitting mail to 465/587, the machine will use its name (most
> > likely not a FQDN), but that is not a problem because MSAs must not
> > check that name - it would fail most of the time.
>
> In that case I think I am back to square one. If an infected device
> connecting to 587/465 to various servers on the internet, from our
> network, to try and guess passwords/break into accounts wouldn't have
> used the FQDN of our public IP as HELO - then that's not what is
> going on.

It could use that, but that is equal for the attack.

You definitely need more information from them, unless identifying and
resolving the problem is impossible.

_______________________________________________
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop
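The distinction drawn in the thread (an EHLO/HELO name is only meaningful on port 25 when it is a FQDN whose reverse and forward DNS agree, and a submission server on 465/587 must not judge the name at all because clients send their local hostname) can be written down as a small decision routine. The code below is an added example, not something posted in the thread; the DNS records are constructed stand-ins so it runs offline, and `evaluate_helo`, `fcrdns_matches` and `helo_is_fqdn` are names chosen here, not from any mail server.

```python
# Added example: how an SMTP server can treat an EHLO/HELO name
# depending on whether the session is MX traffic (25) or submission (465/587).
# The DNS tables below are CONSTRUCTED for this example; a real server
# would ask its resolver instead.
PTR = {
    "203.0.113.10": ["mail.example.net"],  # proper reverse record
    "203.0.113.77": [],                    # no reverse record at all
}
A = {
    "mail.example.net": ["203.0.113.10"],
    "mx.example.org": ["198.51.100.5"],
}

SUBMISSION_PORTS = {465, 587}


def helo_is_fqdn(helo: str) -> bool:
    """Syntactic check only: dotted name, valid labels, not an address literal
    or a bare IPv4 address (whose last label would be all digits)."""
    if helo.startswith("[") or "." not in helo:
        return False
    labels = helo.rstrip(".").split(".")
    if not all(label and all(c.isalnum() or c == "-" for c in label)
               for label in labels):
        return False
    return not labels[-1].isdigit()


def fcrdns_matches(ip: str, helo: str, ptr=PTR, a=A) -> bool:
    """Forward-confirmed reverse DNS for the HELO name: the name must be one of
    the PTR names of the connecting IP, and its A record must point back at that IP."""
    name = helo.rstrip(".").lower()
    reverse_names = [n.lower() for n in ptr.get(ip, [])]
    if name not in reverse_names:
        return False
    return ip in a.get(name, [])


def evaluate_helo(port: int, ip: str, helo: str) -> str:
    """Decide what a server may infer from the EHLO/HELO name.

    "skip"    - submission port: authentication decides, the name is not checked
                (clients send their local machine name, which is rarely a FQDN)
    "ok"      - MX port and the name is a FQDN with matching reverse/forward DNS
    "suspect" - MX port and the name does not check out
    """
    if port in SUBMISSION_PORTS:
        return "skip"
    if helo_is_fqdn(helo) and fcrdns_matches(ip, helo):
        return "ok"
    return "suspect"


if __name__ == "__main__":
    for port, ip, helo in [
        (25, "203.0.113.10", "mail.example.net"),
        (25, "203.0.113.77", "mx.example.org"),
        (25, "203.0.113.10", "203.0.113.10"),
        (587, "203.0.113.10", "DESKTOP-7K2Q"),
    ]:
        print(f"port {port} from {ip} EHLO {helo!r}: {evaluate_helo(port, ip, helo)}")
```

The point the routine makes explicit is the one Marco raises: on 465/587 the name tells you nothing about whether the session is a legitimate user or a password-guessing bot, so an abuse report that hinges on the EHLO name is only informative for port 25 traffic.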