On Mon, 14 Sep 2020, Bill Cole wrote:
On 14 Sep 2020, at 11:22, John Hardin wrote:
On Mon, 14 Sep 2020, Philipp Ewald wrote:
Does anyone else check the HELO/EHLO?
I don't check for FCrDNS explicitly, but I do reject non-FQDN HELO strings
(e.g. no dots present) from the Internet. That catches a surprising
percentage of garbage up front.
Is that after passing a greeting delay?
I do also reject for pre-greeting traffic.
I get a fair stream of no-dot EHLO/HELO names, but nearly all of it is caught
by postscreen as the introduction being offered before the greeting banner
has been fully sent. Just 11 instances of just 2 unique IPs giving an
unqualified name after waiting for the banner in recent weeks, vs 12k
fast-talkers.
It looks like the bulk of my non-FQDN traffic is not pre-greeting but I'm
currently being hammered by a few IPs in MSFT space so that may be
throwing off my quickie analysis.
--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhar...@impsec.org pgpk -a jhar...@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
An AR-15 in civilian hands used to defend a home or business:
a High Velocity Assault Weapon with High Capacity Magazines
An AR-15 in Law Enforcement Officer hands used to murder six kids:
a Police-Style Patrol Rifle
-----------------------------------------------------------------------
3 days until the 233rd anniversary of the signing of the U.S. Constitution
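The two checks discussed above (rejecting non-FQDN HELO/EHLO names, and separating postscreen "fast-talker" detections from clients that waited for the banner and then offered an unqualified name), as an added Python example that is not part of the original posts or of Postfix itself. The classifier approximates what Postfix's reject_non_fqdn_helo_hostname accepts (a dotted hostname with valid labels, or an RFC 5321 address literal) rather than reproducing its code; the caveat it handles is that a bare "no dots" test would also reject legitimate IPv6 literals such as [IPv6:2001:db8::1]. The log lines are constructed to match the postscreen PREGREET and smtpd "need fully-qualified hostname" formats; the IPs, hostnames and function names are assumptions.

```python
"""Classify EHLO/HELO names and tally Postfix postscreen/smtpd log lines.

Added example; approximates reject_non_fqdn_helo_hostname, it is not Postfix code.
"""
import ipaddress
import re

# One DNS label: letters/digits, optional interior hyphens, 1..63 characters.
LABEL_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")

# postscreen pre-greeting detection: "PREGREET <n> after <secs> from [ip]:port: <text>"
PREGREET_RE = re.compile(
    r"postscreen\[\d+\]: PREGREET \d+ after [\d.]+ from \[([^\]]+)\]:\d+: (.*)$"
)
# smtpd rejection produced by reject_non_fqdn_helo_hostname (504 5.5.2)
NON_FQDN_RE = re.compile(
    r"smtpd\[\d+\]: NOQUEUE: reject: \w+ from [^\[]*\[([^\]]+)\]: 504 5\.5\.2 <([^>]*)>: "
    r"Helo command rejected: need fully-qualified hostname"
)

# Constructed sample log (not from any real server); "\r\n" is literal, as postscreen logs it.
SAMPLE_LOG = r"""
Sep 14 10:01:02 mx postfix/postscreen[2231]: PREGREET 11 after 0.09 from [192.0.2.10]:51234: EHLO ylmf-pc\r\n
Sep 14 10:01:05 mx postfix/postscreen[2231]: PREGREET 15 after 0.12 from [192.0.2.11]:40211: HELO localhost\r\n
Sep 14 10:01:09 mx postfix/postscreen[2231]: PREGREET 11 after 0.10 from [192.0.2.10]:51240: EHLO ylmf-pc\r\n
Sep 14 10:01:20 mx postfix/postscreen[2231]: PREGREET 22 after 0.08 from [192.0.2.12]:44010: EHLO mail.example.com\r\n
Sep 14 10:02:30 mx postfix/smtpd[2240]: NOQUEUE: reject: RCPT from unknown[198.51.100.7]: 504 5.5.2 <WIN-ABC>: Helo command rejected: need fully-qualified hostname; from=<a@example.net> to=<b@example.org> proto=ESMTP helo=<WIN-ABC>
Sep 14 10:02:41 mx postfix/smtpd[2240]: NOQUEUE: reject: RCPT from unknown[198.51.100.7]: 504 5.5.2 <WIN-ABC>: Helo command rejected: need fully-qualified hostname; from=<a@example.net> to=<c@example.org> proto=ESMTP helo=<WIN-ABC>
Sep 14 10:03:01 mx postfix/smtpd[2241]: NOQUEUE: reject: RCPT from mail.example.net[203.0.113.5]: 554 5.7.1 Service unavailable; Client host [203.0.113.5] blocked; from=<c@example.net> to=<d@example.org> proto=ESMTP helo=<mail.example.net>
""".strip("\n")


def is_fqdn_helo(name: str) -> bool:
    """True if `name` is an acceptable EHLO/HELO argument: a fully-qualified
    hostname or an RFC 5321 address literal. Literals are checked first because
    an IPv6 literal contains no dots and a plain "has a dot" test would reject it."""
    if name.startswith("[") and name.endswith("]"):
        inner = name[1:-1]
        try:
            if inner[:5].lower() == "ipv6:":
                ipaddress.IPv6Address(inner[5:])
            else:
                ipaddress.IPv4Address(inner)
            return True
        except ValueError:
            return False
    if len(name) > 253 or "." not in name:
        return False
    labels = name.split(".")
    if len(labels) < 2 or not all(LABEL_RE.match(label) for label in labels):
        return False
    # RFC 1123: the top-level label may not be all-numeric, so an unbracketed
    # 192.0.2.1 is not a hostname (it must be sent as [192.0.2.1]).
    return not labels[-1].isdigit()


def tally(lines):
    """Split log lines into pre-greeting detections versus clients that waited
    for the banner and then sent a non-FQDN name; count events and unique IPs."""
    result = {
        "pregreet": {"events": 0, "ips": set(), "non_fqdn_names": 0},
        "post_banner_non_fqdn": {"events": 0, "ips": set()},
    }
    for line in lines:
        m = PREGREET_RE.search(line)
        if m:
            ip = m.group(1)
            text = re.sub(r"(\\r|\\n)+$", "", m.group(2))  # strip logged "\r\n"
            bucket = result["pregreet"]
            bucket["events"] += 1
            bucket["ips"].add(ip)
            verb, _, arg = text.partition(" ")
            if verb.upper() in ("EHLO", "HELO") and not is_fqdn_helo(arg.strip()):
                bucket["non_fqdn_names"] += 1
            continue
        m = NON_FQDN_RE.search(line)
        if m:
            bucket = result["post_banner_non_fqdn"]
            bucket["events"] += 1
            bucket["ips"].add(m.group(1))
    return result


if __name__ == "__main__":
    summary = tally(SAMPLE_LOG.splitlines())
    for bucket, data in summary.items():
        print(f"{bucket}: {data['events']} events from {len(data['ips'])} unique IPs",
              f"({data['non_fqdn_names']} non-FQDN names)" if "non_fqdn_names" in data else "")
```

Run it against a real mail log (e.g. `tally(open('/var/log/mail.log').readlines())`) to get the same kind of split Bill describes: how much of the unqualified-name traffic never waited for the banner, and how many distinct IPs account for the rest, which is the number that tells you whether a few noisy sources are skewing the picture.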