On Tue, Dec 21, 2021 at 10:06:29AM -0500, post...@ptld.com wrote:

> Spamhaus is just one company you can use, there are several others,
> I am not making any claims or recommendations to them over any
> other. They do allow free usage for low volume servers which is why I
> use them.

Just a data point. When I added RBL checking,
I used four different services:

  zen.spamhaus.org
  dnsbl-1.uceprotect.net
  bl.spamcop.net
  dnsbl.sorbs.net

I found that the last three blocked too much solicited
commercial email. I only continued to use spamhaus
(even though it has bad policies relating to IPv6 - grr).

Whatever you choose, keep an eye on false positives
with a smart monitoring system, or by regularly running
a script like this:

        #!/usr/bin/env perl
        use warnings;
        use strict;

        # chkrbl - Scan maillogs to check for RBL related errors

        # Jul 26 10:48:43 ook postfix/smtpd[23844]: NOQUEUE: reject: RCPT from planeta-dsp.ru[212.41.22.11]: 554 5.7.1 Service unavailable; Client host [212.41.22.11] blocked using dnsbl.sorbs.net; Currently Sending Spam See: http://www.sorbs.net/lookup.shtml?212.41.22.11; from=<i...@s7.planeta-dsp.ru> to=<i...@local.org> proto=ESMTP helo=<s7.planeta-dsp.ru>
        # Jul 26 11:06:17 ook postfix/smtpd[23955]: NOQUEUE: reject: RCPT from unknown[125.112.166.175]: 554 5.7.1 Service unavailable; Client host [125.112.166.175] blocked using dnsbl-1.uceprotect.net; IP 125.112.166.175 is UCEPROTECT-Level 1 listed. See http://www.uceprotect.net/rblcheck.php?ipr=125.112.166.175; from=<bseou...@chemistry.or.jp> to=<requ...@local.org> proto=ESMTP helo=<qvartz-com.mail.protection.outlook.com>
        # Jul 26 11:37:36 ook postfix/smtpd[24241]: NOQUEUE: reject: RCPT from unknown[180.112.190.23]: 554 5.7.1 Service unavailable; Client host [180.112.190.23] blocked using dnsbl-1.uceprotect.net; IP 180.112.190.23 is UCEPROTECT-Level 1 listed. See http://www.uceprotect.net/rblcheck.php?ipr=180.112.190.23; from=<uxhad...@mdsusa.net> to=<d...@local2.org> proto=ESMTP helo=<us-smtp-inbound-2.mimecast.com>
        # Jul 26 11:51:28 ook postfix/smtpd[24370]: NOQUEUE: reject: RCPT from unknown[122.243.130.146]: 554 5.7.1 Service unavailable; Client host [122.243.130.146] blocked using dnsbl-1.uceprotect.net; IP 122.243.130.146 is UCEPROTECT-Level 1 listed. See http://www.uceprotect.net/rblcheck.php?ipr=122.243.130.146; from=<rimq...@indutrade.se> to=<majord...@local.org> proto=ESMTP helo=<mx1.zone.eu>
        # Jul 26 12:07:43 ook postfix/smtpd[24477]: NOQUEUE: reject: RCPT from mail.sewef.ru[109.237.96.47]: 554 5.7.1 Service unavailable; Client host [109.237.96.47] blocked using dnsbl-1.uceprotect.net; IP 109.237.96.47 is UCEPROTECT-Level 1 listed. See http://www.uceprotect.net/rblcheck.php?ipr=109.237.96.47; from=<cour...@sewef.ru> to=<apetri...@local.org> proto=ESMTP helo=<mail.sewef.ru>
        # Jul 26 12:07:43 ook postfix/smtpd[24514]: NOQUEUE: reject: RCPT from mail.sewef.ru[109.237.96.47]: 554 5.7.1 Service unavailable; Client host [109.237.96.47] blocked using dnsbl-1.uceprotect.net; IP 109.237.96.47 is UCEPROTECT-Level 1 listed. See http://www.uceprotect.net/rblcheck.php?ipr=109.237.96.47; from=<t...@sewef.ru> to=<apetri...@local.org> proto=ESMTP helo=<mail.sewef.ru>
        # Jul 26 12:22:02 ook postfix/smtpd[24637]: NOQUEUE: reject: RCPT from unknown[39.88.9.219]: 554 5.7.1 Service unavailable; Client host [39.88.9.219] blocked using dnsbl-1.uceprotect.net; IP 39.88.9.219 is UCEPROTECT-Level 1 listed. See http://www.uceprotect.net/rblcheck.php?ipr=39.88.9.219; from=<you...@gametag.pl> to=<us...@local2.org> proto=ESMTP helo=<smtp.kis.si>
        # Jul 26 12:25:36 ook postfix/smtpd[24643]: NOQUEUE: reject: RCPT from unknown[125.112.166.175]: 554 5.7.1 Service unavailable; Client host [125.112.166.175] blocked using dnsbl-1.uceprotect.net; IP 125.112.166.175 is UCEPROTECT-Level 1 listed. See http://www.uceprotect.net/rblcheck.php?ipr=125.112.166.175; from=<sbaewy...@gracetyler.org> to=<us...@local.org> proto=ESMTP helo=<novasoftware-de.mail.protection.outlook.com>
        # Jul 26 12:39:59 ook postfix/smtpd[24927]: NOQUEUE: reject: RCPT from unknown[124.238.84.16]: 554 5.7.1 Service unavailable; Client host [124.238.84.16] blocked using dnsbl-1.uceprotect.net; IP 124.238.84.16 is UCEPROTECT-Level 1 listed. See http://www.uceprotect.net/rblcheck.php?ipr=124.238.84.16; from=<rure...@ecommerce-europe.eu> to=<annou...@local.org> proto=ESMTP helo=<antispam2.ku.ac.th>

        @ARGV = ('/var/log/mail.log.1', '/var/log/mail.log') unless @ARGV;
        my $prev_date = '';

        while (<>)
        {
                next unless /Service unavailable.*blocked using ([^;]+);/;
                my ($rbl) = $1;
                my ($date) = $_ =~ /^(\w+\s{1,2}\d{1,2})\s/;
                print("$date:\n"), $prev_date = $date unless $date eq $prev_date;
                my ($from, $to, $helo) = $_ =~ /from=<([^>]*)>.*to=<([^>]*)>.*helo=<([^>]*)>/;
                # Add code here to exclude anything that's obviously a false positive
                printf("rbl=%-30s helo=%-40s to=%-30s from=%s\n", $rbl, $helo, $to, $from);
        }

Any false positives that turn up need to be added to a
hash/regexp/pcre check_client_access database.

With only spamhaus, I haven't had to add a list of
exceptions (so far). Your mileage may vary.

Note that spamhaus (and possibly other RBL services)
won't work via a public DNS server like 8.8.8.8. But
it's best to run a local, DNSSEC-validating DNS
resolver anyway, so that your Postfix server can become
DANE-aware with:

  /etc/postfix/main.cf:
  smtp_dns_support_level = dnssec
  smtp_tls_security_level = dane

cheers,
raf
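
An added example (not part of the message or its script above): a Python variant of the log scan that counts rejections per RBL and ranks clients worth checking by hand before they go into a check_client_access table. The sample rows, the `rbl_review` name and the "verified hostname equals HELO" heuristic are assumptions of this example; `excepted` is matched by exact IP or hostname only.

```python
import re
from collections import Counter

# Constructed sample rows (RFC 5737 addresses, example domains), rendered below
# in the Postfix smtpd reject format shown in the script's comments.
ROWS = [  # (date, client hostname, client IP, RBL, HELO name)
    ("Jul 26", "news.shop.example", "192.0.2.10", "dnsbl.sorbs.net", "news.shop.example"),
    ("Jul 26", "news.shop.example", "192.0.2.10", "dnsbl.sorbs.net", "news.shop.example"),
    ("Jul 26", "unknown", "198.51.100.7", "dnsbl-1.uceprotect.net", "mail.bank.example"),
    ("Jul 27", "mx.partner.example", "203.0.113.5", "bl.spamcop.net", "mx.partner.example"),
    ("Jul 27", "unknown", "198.51.100.9", "zen.spamhaus.org", "localhost"),
]
_FMT = ("{d} 10:00:00 mx postfix/smtpd[100]: NOQUEUE: reject: RCPT from {host}[{ip}]: "
        "554 5.7.1 Service unavailable; Client host [{ip}] blocked using {rbl}; listed; "
        "from=<a@{helo}> to=<user@local.example> proto=ESMTP helo=<{helo}>")
SAMPLE_LOG = "\n".join(
    _FMT.format(d=d, host=h, ip=ip, rbl=r, helo=helo) for d, h, ip, r, helo in ROWS)

REJECT = re.compile(
    r"RCPT from (?P<host>[^\[\s]+)\[(?P<ip>[^\]]+)\]:.*?"
    r"Service unavailable.*?blocked using (?P<rbl>[^;]+);.*?helo=<(?P<helo>[^>]*)>")

def rbl_review(log_text, excepted=frozenset()):
    """Return (rejections per RBL, review candidates sorted by hit count).

    excepted: client IPs or hostnames already in the check_client_access table.
    A candidate is a client whose hostname Postfix verified (not "unknown") and
    whose HELO name equals it. That heuristic is this example's assumption.
    """
    per_rbl, candidates = Counter(), Counter()
    for line in log_text.splitlines():
        m = REJECT.search(line)
        if not m or m["ip"] in excepted or m["host"] in excepted:
            continue  # not an RBL reject, or already excepted
        per_rbl[m["rbl"]] += 1
        if m["host"] != "unknown" and m["host"].lower() == m["helo"].lower():
            candidates[(m["rbl"], m["host"], m["ip"])] += 1
    return per_rbl, candidates.most_common()

if __name__ == "__main__":
    totals, review = rbl_review(SAMPLE_LOG)
    for rbl, n in totals.most_common():
        print(f"{rbl:<28} {n} rejections")
    for (rbl, host, ip), n in review:
        print(f"review: {host}[{ip}] rejected {n}x by {rbl}")
```
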
