LuKreme wrote, at 03/13/2009 07:22 AM:

> So I thought I'd see if anyone else thought that a helo in the form
> [12.34.56.789] SHOULD be allowed. I mean, as far as I recall, this is
> still technically allowed, right?

A bracketed IP address is valid in a HELO/EHLO, but is so rare in legitimate mail that it's still worth blocking. At one point, it was being heavily abused, but not so much recently, probably because it's such an easily implemented, low cost check. Here's a simple (although inexact) variation:

    /^\[[\d\.]*\]$/ REJECT IP literal in HELO not accepted here

I've implemented this on a site that handles a substantial amount of international email (including China) without any reports of false positives. Few, if any, legitimate servers will use a bracketed IP address as a default, so even a poorly managed server is unlikely to present one.

> I've thought about simply going back to warn, but when I first
> implemented this check it hit a few dozen a day, and now it hits many
> hundreds, so searching for legitimate messages among the warnings will
> be considerably harder.

It seems to be a safe and effective block unless you have a need for bracketed IP addresses in your own network.

> My complete helo_checks.pcre looks like this:
> !/[[:alpha:]]/ REJECT helo non-alpha helo not allowed
> to talk to me
> !/\.[[:alpha:]]{2,}$/ REJECT helo no TLD, invalid hostname

Either of these will give you enough of a clue to investigate any problem report. If you want a more specific error message, look at the example I provided. It includes the brackets, so will narrow down the results if you're still concerned about monitoring.
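
An added example, not part of the original post: a small Python harness that runs the IP-literal pattern from the reply together with the two quoted helo_checks.pcre rules over constructed HELO names, to show which rule fires and where the "inexact" pattern over- and under-matches. Assumptions: the three rules sit in one table in this order, the first rule that fires wins, and `[[:alpha:]]` is rewritten as `[a-z]` because Python's `re` has no POSIX classes.

```python
import re

# Postfix pcre tables match case-insensitively by default. re.ASCII keeps \d
# to 0-9, as in PCRE. [[:alpha:]] is written as [a-z] (assumption: ASCII names).
FLAGS = re.IGNORECASE | re.ASCII

# (negated, pattern, action) in table order; the first rule that fires wins.
RULES = [
    (False, r"^\[[\d\.]*\]$", "REJECT IP literal in HELO not accepted here"),
    (True,  r"[a-z]",         "REJECT helo non-alpha helo not allowed to talk to me"),
    (True,  r"\.[a-z]{2,}$",  "REJECT helo no TLD, invalid hostname"),
]

def check_helo(name):
    """Return the action of the first rule that fires, or None (no decision)."""
    for negated, pattern, action in RULES:
        matched = re.search(pattern, name, FLAGS) is not None
        # A "!/re/" rule fires when the pattern does NOT match.
        if matched != negated:
            return action
    return None

# Constructed sample HELO names (documentation addresses, not real traffic).
SAMPLES = [
    "mail.example.com",      # ordinary FQDN: no rule fires
    "[192.0.2.25]",          # bracketed IPv4 literal: caught by the first rule
    "[12.34.56.789]",        # not a valid address, still matches (inexact)
    "[]",                    # empty brackets also match (inexact)
    "[IPv6:2001:db8::25]",   # IPv6 literal: missed by rule 1, caught by no-TLD rule
    "192.0.2.25",            # bare IP: caught by the non-alpha rule
    "localhost",             # no dot + TLD: caught by the no-TLD rule
]

def classify_all(samples=SAMPLES):
    """Map each sample HELO name to the action that would be returned."""
    return {s: check_helo(s) for s in samples}

if __name__ == "__main__":
    for helo, action in classify_all().items():
        print(f"{helo:24} -> {action or 'no rule fired'}")
```

With the IP-literal rule removed, the bracketed IPv4 samples are still rejected, but by the non-alpha rule and its less specific message.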