Re: another interesting spam trick...

From: Greg A. Woods (no email)
Date: Thu Nov 01 2001 - 02:45:14 EST


[ On Wednesday, October 31, 2001 at 20:17:45 (-0800), Ronald F. Guilmette wrote: ]
> Subject: Re: another interesting spam trick...
>
> Certainly, there are (as Wietse noted) a _lot_ of people... myself included...
> who have little or no control over the inverse DNS for their IPs. So trying
> anything that involves match against the inverse DNS of the client IP is a
> real loser.

However if you do just simple basic SMTP HELO/EHLO validation by looking
up the A RRs for the given name and comparing them to the source address
of the TCP connection then reverse DNS doesn't get involved _AT_ALL_.

(the only reason I mentioned reverse DNS was because if mis-configured
it can affect success in face of TCP Wrappers-style "paranoid" checks)

> Notice that I'm only talking about doing _forward_ DNS lookups (for either
> `A' records or else `MX' records) on the original domain name and on all
> ``trimmed'' versions of it, down to the second-level domain name. (No need
> to go any further with the ``trimming'' than that.)

NO! NO TRIMMING! That's what's bogus! You can NEVER make it mean
ANYTHING of any use! It's a waste of time & effort (esp. DNS lookups if
you do it as you imply above!).

> Quite a significant percentage of mail servers out there will pass this
> test, and only really really REALLY badly administered ones will not (and
> those are all substantially non-RFC-conformant, by the way).

That's _exactly_ what I said and documented with real and current
numbers: probably less than 10% of non-spammers fail the test (and even
including spammers it's only ~20% that fail).

BTW, those numbers mirror my ~4 years of very intensive experience with
doing these tests and monitoring the results. Since mid-1997 when I
started using this test things have improved somewhat w.r.t. the general
validity of client and DNS configuration, but given the growth since
then, and the tendency of newbies to make these mistakes, the overall
ratio of good to broken probably hasn't changed a whole lot. The
prevalence of broken firewalls is hurting some, and the number of idiots
who think they need real mailer hostnames in the same domain as their MX
aren't helping either (especially not when they blow past the limit of
PTRs a DNS reply can contain!).

> Still, having said that, I personally would not (and do not) use such a
> scheme as a basis for trying to reject spam. The false positive rate for
> this kind of a scheme is still too high for my tastes... even though I am
> really pretty tolerant/liberal when it comes to such things... and there
> are just better and more accurate ways of getting rid of spam.

The spammers continue to abuse HELO/EHLO and thus the test continues to
be as valuable as ever.
> The numero uno way to get rid of the majority of all spam, at present, is
> to use one or more good quality open relay blocking lists, like for example
> ordb.org.

Oh, absolutely! No question about that!

> The next best way to get rid of spam is to block known sources, which can
> be done using MAPS RBL, or SPEWS, or the domain-based blocking lists that
> I publish.

Nope -- that's completely wrong. In the real world HELO/EHLO validation
blocks a lot more spam than MAPS RBL or SPEWS (I've not used your list)
ever could. I used all the MAPS services up until they went private and
I watched the stats very carefully.

> Your basic premise is incorrect. Doing _any_ sort of validation (other
> than mere syntax validation) on the parameter given in a HELO/EHLO is _not_
> ``a good front-line measure against spammers''. Quite the contrary. It's
> a pretty lousy basis for spam filtering, relative to the other alternatives
> (which produce lower false positive rates).

You can believe what you want, but I've been analysing literally tens of
thousands of spams over the past four years and I assure you that
HELO/EHLO validation is a very valuable anti-spam measure! It's a
"front-line" measure because it stops the lamers and the other obvious
abusers right off the bat without having to use any other listing
services or checks in any part of the message.

> you will note that nonetheless, spammers will VERY often
> send you a greeting like:
>
> HELO oemcomputer

Only the real lame spammers do that. Many these days are using
"localhost.localdomain" or "[127.0.0.1]" or other such tricks to bypass
all the normal syntax checks. You need real DNS-based validation to
catch the former (the latter are easy to catch if you always validate
the literal against the actual source address of course :-).

The rest of them use something like "HELO aol.com", and some are even
smarter and use "HELO <<my-isp.net>>" (e.g. from my example, "HELO
home.com") and that's another reason why basic trimming to find a
``domain name'' is useless (and any other form of trimming requires
valid reverse DNS).

-- 
							Greg A. Woods
+1 416 218-0098      VE3TCP      <>     <>
Planix, Inc. <>;   Secrets of the Weird <>
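The check Woods describes above (forward A lookup on the HELO/EHLO name exactly as given, compared to the TCP peer address, plus validation of address literals against the peer; no reverse DNS and no trimming of the name) as an added, stand-alone example. This is not code from the original post, from Postfix or from either author. The DNS table is constructed test data, and the resolver is injected so the example runs offline; a real deployment would replace `fake_lookup_a` with an actual forward resolver.

```python
import ipaddress
import re

# Constructed forward-DNS table standing in for real A records (not real data).
FAKE_DNS = {
    "mail.example.net": ["192.0.2.10", "192.0.2.11"],
    "aol.com": ["198.51.100.5"],
    "localhost.localdomain": ["127.0.0.1"],
}


def fake_lookup_a(name):
    """Hypothetical resolver: return the A records for NAME, or [] if none."""
    return FAKE_DNS.get(name.lower(), [])


# Syntax check for a fully-qualified host name: at least two labels, each
# 1-63 chars of [a-z0-9-] not starting or ending with '-', whole name <= 253.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)"
    r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?"
    r"(?:\.[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?)+$",
    re.I,
)


def validate_helo(helo, peer_ip, lookup_a=fake_lookup_a):
    """Validate a HELO/EHLO argument against the connecting peer address.

    Returns (ok, reason).  Forward lookups only: the name is resolved exactly
    as the client sent it, never trimmed to a parent domain, and reverse DNS
    is never consulted.
    """
    peer = ipaddress.ip_address(peer_ip)
    helo = helo.strip()
    if not helo:
        return False, "empty HELO argument"

    # Address literal ("[192.0.2.1]" or "[IPv6:2001:db8::1]"): the literal
    # must be the peer address itself, which catches "[127.0.0.1]" tricks.
    if helo.startswith("[") and helo.endswith("]"):
        inner = helo[1:-1]
        if inner.lower().startswith("ipv6:"):
            inner = inner[5:]
        try:
            literal = ipaddress.ip_address(inner)
        except ValueError:
            return False, "malformed address literal"
        if literal != peer:
            return False, f"address literal {literal} does not match peer {peer}"
        return True, "address literal matches peer"

    # A bare IP address without brackets is not a valid HELO argument.
    try:
        ipaddress.ip_address(helo)
        return False, "bare IP address given without brackets"
    except ValueError:
        pass

    # Single-label names like "oemcomputer" fail the syntax check outright.
    if not HOSTNAME_RE.match(helo):
        return False, "not a fully-qualified host name"

    # Forward lookup of the name as given.  No trimming: "host.mail.example.net"
    # is judged on its own A records, not on those of "example.net".
    addrs = lookup_a(helo)
    if not addrs:
        return False, "no A records for HELO name"
    if any(ipaddress.ip_address(a) == peer for a in addrs):
        return True, "HELO name resolves to peer address"
    return False, "HELO name does not resolve to peer address"
```

Both forgeries from the thread fail for the right reason: "HELO aol.com" from an unrelated address fails because aol.com's A records do not include the peer, and "HELO localhost.localdomain" fails because 127.0.0.1 is never the address of a remote peer, even though both names pass every syntax check. Postfix's own `reject_non_fqdn_helo_hostname` and `reject_unknown_helo_hostname` restrictions cover the syntax and "does it resolve at all" parts; the comparison against the peer address is the stricter test Woods is arguing for.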