On 13 jan. 2012, at 21:13, email builder wrote:
>>> We use a modified version as a HELO blacklist. This avoids the false
>>> positives we saw while testing it as a reverse DNS restriction but,
>>> because the use of the reverse hostname as the HELO string is a
>>> common pattern in spam attempts from compromised hosts, it's still
>>> very effective.
>>
>> Interesting... can you provide specific details on what you mean by
>> 'modified version'?
>
> I second that. I'm feeling convinced enough to use it as it was
> intended, BUT ideally, I don't desire rejecting even those stubborn
> people who insist on running their email server from their bedroom
> without relaying through their ISP.
>
> Do you have a script that modifies the list into whatever format your
> method requires?
>
> Does anyone have any comments on the efficacy of this method?
>
> I assume all it would take is for bots to change the way they
> create their HELO hostname to bypass this.
The modifications are rather basic, really. We've commented out some lines that were giving us false positives, and modified the REJECT message to match its context, as well as adding the error code we use for post-processing and the like.

Legitimate mail servers aren't an issue for us, since they do not use the reverse DNS string as their HELO greeting, and therefore they do not get rejected. They might get rejected for other reasons (hello 'sbs2003.local'!) but that's not during this step.

It's currently maintained by hand, as automating it would take more time than it'd save right now. Premature optimization etc.

As for bots changing their habits, I am not worried. New patterns do emerge at times, but old habits die hard. If at some point it turns out that it is no longer as effective, like after an upgrade to 2.8 or higher, it will be reevaluated.

Cya,
Jona

--
P.S.: As for false positives, we had to comment out the following:

/^dd[1-9][0-9]{3,5}\.kasserver\.com$/
/^h[1-9][0-9]{3,7}\.stratoserver\.net$/

They are the default HELO strings for DS/VPS providers here in Europe. The reverse DNS has often been updated to match the domain name of the main website or whatever, so it tends to be unique to our way of using the list. We have tried in the past to get people to update their HELO, but that turned out to be futile, and the number of FPs we get from it is higher than the spam attempts blocked. Hence their removal from the list. YMMV, of course :-)
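The lookup Jona describes, as an added example that is not from the thread or from Postfix itself: a small Python script that reads a Postfix-style pcre access map (the two provider patterns above commented out, plus a constructed pattern for an ISP-style reverse DNS name) and applies it to HELO strings the way check_helo_access would, first match wins. The map excerpt, the example.net pattern and the sample HELO strings are constructed for illustration; the script assumes "/" as the pattern delimiter.

```python
import re

# Constructed excerpt of a Postfix pcre access map for check_helo_access.
# The two kasserver/stratoserver patterns are commented out, as in the
# post; the example.net pattern is a hypothetical stand-in for a generic
# reverse-DNS style hostname (the kind of line such a list is made of).
HELO_MAP = r"""
# Default HELO of European DS/VPS providers: commented out (false positives)
#/^dd[1-9][0-9]{3,5}\.kasserver\.com$/ REJECT Generic HELO (constructed text)
#/^h[1-9][0-9]{3,7}\.stratoserver\.net$/ REJECT Generic HELO (constructed text)
# Hypothetical pattern for an ISP-style reverse DNS name used as HELO
/^(dsl|cable|dyn)-[0-9]{1,3}(-[0-9]{1,3}){3}\.example\.net$/ REJECT Generic HELO (constructed text)
"""

# One map line: /pattern/flags action (only "/" delimiters are handled here).
_LINE = re.compile(r'^/(?P<pattern>(?:\\.|[^/\\])*)/(?P<flags>i*)\s+(?P<action>.+)$')


def parse_pcre_map(text):
    """Skip blank and '#' lines, keep rule order; return [(regex, action)]."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        m = _LINE.match(line)
        if not m:
            raise ValueError("unparseable map line: %r" % line)
        # Postfix pcre tables match case-insensitively by default;
        # the "i" flag toggles that off.
        flags = 0 if 'i' in m.group('flags') else re.IGNORECASE
        rules.append((re.compile(m.group('pattern'), flags), m.group('action')))
    return rules


def lookup_helo(rules, helo):
    """First matching rule wins, as in a Postfix table; None means no match."""
    for regex, action in rules:
        if regex.search(helo):
            return action
    return None


def check_helos(map_text, helos):
    """Map each HELO string to the action the table would return."""
    rules = parse_pcre_map(map_text)
    return {h: lookup_helo(rules, h) for h in helos}


# Constructed sample HELO strings: one reverse-DNS style name (rejected),
# one matching a commented-out pattern (accepted), one ordinary server.
SAMPLE_HELOS = ["dsl-10-1-2-3.example.net", "dd12345.kasserver.com", "mail.example.org"]
```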