Rejecting Netsky at source (554)
A while ago, we implemented a tweak devised by Daniel Koffler which permits the rejection at source (SMTP protocol 554 response) of any SMTP email where the host connecting to deliver that email uses one of our own local host names or public IP addresses as its HELO/EHLO phrase.

You may recall that I said this was a bulletproof spam indicator -- no false positives.

Well, yesterday while analysing activity for March 2004 to date to see which of our many abuse countermeasures are delivering the greatest benefit and to look for possible false positives, I spotted that these rules for blocking based on HELO seemed to be triggering very often. In fact there were 578 so far this month, with two weeks left to go. At this rate there will be well over 1,100 hits on these rules in the month compared with perhaps 20 or 30 per month when we first implemented this tweak.

This is where my first doubts set in and I even posted to Notes.net LDD developerWorks about it at the time.

Could there be a legitimate reason why a remote host would use HELO my.fully.qualified.host.name when delivering email?

Well, we changed the Domino HELO rules to move messages to a quarantine database instead of rejecting at source as before. I needed to see some samples. Curiously, not a single message ended up in this quarantine database.

Next, I checked the virus log. There they were! I asked Google about Netsky HELO, and right here we have an answer *.

Ladies and Gentlemen, I hereby modify my advice on the use of the HELO/EHLO phrase to reject email at source as follows:

The use of your own host names, IP addresses or Internet domains in the HELO/EHLO phrase during an inbound SMTP transaction is not a bulletproof spam indicator. It is a bulletproof spam or virus indicator.

So I commend the concept to you once again -- Really! No false positives!
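As an added illustration of the check described above (this is not the Domino configuration the post refers to, nor code from the author), the function below tests a HELO/EHLO argument against a list of our own host names, domains and public IP addresses, in either the original reject-at-source mode or the quarantine mode used for diagnosis. The names `helo_is_ours` and `helo_decision` and all host names and addresses are constructed placeholders.

```python
import ipaddress

# Constructed sample identities (RFC 5737/RFC 2606 documentation values):
# replace with your own public host names, domains and addresses.
LOCAL_HOSTNAMES = {"mail.example.com", "mx2.example.com"}
LOCAL_DOMAINS = {"example.com"}
LOCAL_IPS = {ipaddress.ip_address("192.0.2.10"),
             ipaddress.ip_address("192.0.2.11")}


def helo_is_ours(helo: str) -> bool:
    """True if the HELO/EHLO argument claims one of our own identities.

    Covers the three forms the post lists: one of our host names, one of
    our domains (bare or as a sub-domain), or one of our public IP
    addresses, given either bare or as an RFC 5321 address literal such
    as '[192.0.2.10]'. Matching is case-insensitive and a trailing dot is
    ignored, since remote software is not consistent about either.
    """
    arg = helo.strip().rstrip(".").lower()
    if not arg:
        return False
    literal = arg[1:-1] if arg.startswith("[") and arg.endswith("]") else arg
    if literal.startswith("ipv6:"):
        literal = literal[len("ipv6:"):]
    try:
        # A parseable address is judged purely as an address.
        return ipaddress.ip_address(literal) in LOCAL_IPS
    except ValueError:
        pass
    if arg in LOCAL_HOSTNAMES:
        return True
    # 'notexample.com' must not match; only the domain or a sub-domain does.
    return any(arg == d or arg.endswith("." + d) for d in LOCAL_DOMAINS)


def helo_decision(helo: str, mode: str = "reject") -> tuple:
    """Return (SMTP reply code, quarantine flag) for a HELO/EHLO argument.

    mode='reject' gives the 554 at source that the post advocates;
    mode='quarantine' accepts the session (250) and flags the message so
    the caller can divert it to a quarantine database for inspection.
    """
    if not helo_is_ours(helo):
        return ("250", False)
    if mode == "quarantine":
        return ("250", True)
    return ("554", False)
```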

Update 12 Jan 2005: * That link at unixwiz.net, a blog permalink, is now 404 - make that a tempalink. The gist of it was that many Netsky variants' SMTP engines do in fact say HELO/EHLO with the domain name of the victim.

Category: Domino: Administration

Comments:

1. Mark Dowling 03/05/2006 16:29:27
Homepage: http://cork2toronto.blogspot.com

Chris

Wayback has a copy:
http://web.archive.org/web/20040402025609/http://www.unixwiz.net/blog/archives/001173.html

2. Dave 05/07/2006 22:21:07

Help Please...

My Domino server is responding to a HELO command with the wrong IP address. I've looked everywhere and can't find where this is pulled from. Can you tell me where this IP is coming from?

Thanks
Dave

3. Chris Linfoot 06/07/2006 08:27:57

Well-behaved MTAs do not respond to HELO with an IP address at all. They respond with their fully qualified host name. On a Domino server, the server document field "Fully qualified Internet host name:" holds the FQHN and this is the value used in responding to HELO.