Re: Helo greylisting?

From: Wietse Venema (no email)
Date: Mon Aug 01 2005 - 07:40:02 EDT

  • Next message: Victor Duchovni: "Re: Rollback on address rewriting"

    Cami:
    > Wietse Venema wrote:
    > > Cami:
    > >
    > >> Tony Earnshaw wrote:
    > >>
    > >>> Ok, it might happen once or even twice if a mailadmin discovered that
    > >>> he'd made a mistake.
    > >>
    > >> This appears to not be a mistake of any kind. You get
    > >> MTA's that are on roaming/floating ips. In the tests
    > >> done on my previous mails, legit/genuine MTA's appear
    > >> to do this very little though.
    > >
    > > It may be possible to allow for variation in the host part of
    > > host.example.com, and to allow any HELO name that resolves to
    > > the client IP address or its /28 block, and..., and...
    >
    > Looking further at overnight results, I'm not sure that
    > is warranted: (these are hosts that bypassed all UCE
    > restrictions+greylisting):

    > Typical example of ham:
    > client address   helo hostname
    > +---------------+-----------------+
    > | 216.221.81.25 | fep3.cogeco.net |
    > | 216.221.81.25 | fep4.cogeco.net |
    > | 216.221.81.25 | fep6.cogeco.net |
    > +---------------+-----------------+
    ...
    > So it's roughly 50/50 spammers and legit hosts who change their
    > helo information and still make it past all the restrictions.
    > Of the legit hosts, none of them appear to use more than 3
    > unique helo's.

    That would depend on the size of a site. In your HAM examples, the
    HELO hostnames are in the same domain, and the names shown above
    resolve to the client IP address. This is easy to recognize.

    So it looks like we have a mechanism that can (at least for now)
    recognize spamware by the way it announces itself in HELO commands.

    Please keep collecting data in case there are other legitimate
    reasons for multiple MTA identities behind one IP address.

            Wietse
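The heuristic sketched in the reply above, as an added Python example that is not part of this thread: a client that announces several HELO names is tolerated when those names share a parent domain and each resolves into the client IP's /28 block; otherwise the client is flagged for a closer look. The observations and the DNS table are constructed (the cogeco.net rows copy the ham table quoted above), and the parent-domain extraction is a deliberate simplification.

```python
import ipaddress
from collections import defaultdict

# Constructed sample of (client IP, HELO name) pairs from a greylisting log.
# The cogeco.net rows mirror the ham table in the thread; the rest are made up.
OBSERVATIONS = [
    ("216.221.81.25", "fep3.cogeco.net"),
    ("216.221.81.25", "fep4.cogeco.net"),
    ("216.221.81.25", "fep6.cogeco.net"),
    ("192.0.2.10", "mail.example.org"),
    ("192.0.2.10", "yahoo.com"),
    ("192.0.2.10", "hotmail.com"),
    ("198.51.100.7", "mx.example.net"),
]

# Constructed stand-in for forward DNS (A records), so the example runs offline.
# Production code would call socket.gethostbyname_ex() or a resolver library.
FAKE_DNS = {
    "fep3.cogeco.net": ["216.221.81.25"],
    "fep4.cogeco.net": ["216.221.81.25"],
    "fep6.cogeco.net": ["216.221.81.25"],
    "mail.example.org": ["192.0.2.10"],
}

def registered_domain(name):
    """Crude parent-domain extraction: the last two labels (no public-suffix list)."""
    return ".".join(name.lower().rstrip(".").split(".")[-2:])

def helo_resolves_to_client(helo, client_ip, prefix=28):
    """True if any A record for the HELO name lies in the client's /prefix block."""
    block = ipaddress.ip_network(f"{client_ip}/{prefix}", strict=False)
    return any(ipaddress.ip_address(a) in block
               for a in FAKE_DNS.get(helo.lower(), []))

def classify(observations):
    """Per client IP: 'single-helo', 'consistent' (same domain, all resolve to
    the client's /28) or 'suspicious' (HELO names vary beyond that)."""
    by_ip = defaultdict(set)
    for ip, helo in observations:
        by_ip[ip].add(helo.lower())
    verdict = {}
    for ip, helos in by_ip.items():
        if len(helos) == 1:
            verdict[ip] = "single-helo"
            continue
        same_domain = len({registered_domain(h) for h in helos}) == 1
        all_resolve = all(helo_resolves_to_client(h, ip) for h in helos)
        verdict[ip] = "consistent" if same_domain and all_resolve else "suspicious"
    return verdict
```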

