hmm, on Wed, Aug 29, 2007 at 05:24:29PM -0700, Marco S Hyman said that

> > Okay for spamd to record bogus helo?
>
> I trap numeric domains (an address literal would contain brackets,
> i.e. [1.2.3.4], so are allowed), non domain literals (got to have at
> least one . in the name), domains that don't have an A or MX record,

you wouldn't want to do this. sure, in a happy, nice world this would be ok, but there's just too many legitimate servers sending out bogus helo's. if your clients do business with small companies (like we do) that have either no money to pay an admin, or their admins have no clue, you will block legitimate mail... and not just small companies actually, big banks, etc, i could list names, but i won't...

i have written hundreds of mails to admins to fix this, i even have a template in 3 languages... i also have a script that checks postfix logs for possible legitimate mails with invalid helo's.

of course exchange servers are true winners here, but i have seen unix servers do the wrong thing.... esp. if they set helo to an internal machine name that does not resolve from the outside.

if you use postfix (you really should), the following will reject most of the bad stuff, that is, if they survive the greylisting. but careful, this is ultra-strict, you must check logs if your users are shy to complain:

/etc/postfix/main.cf:

smtpd_delay_reject = yes
smtpd_helo_required = yes
smtpd_client_restrictions = check_client_access hash:/etc/postfix/access
smtpd_helo_restrictions = permit_mynetworks
    check_client_access hash:/etc/postfix/client_checks
    reject_invalid_hostname
    reject_non_fqdn_hostname
    reject_unknown_hostname
smtpd_sender_restrictions = reject_unlisted_sender
    reject_non_fqdn_sender
    reject_unknown_sender_domain
smtpd_recipient_restrictions = permit_mynetworks
    reject_unauth_destination
    reject_non_fqdn_recipient
    reject_unknown_recipient_domain
smtpd_data_restrictions = reject_unauth_pipelining
header_checks = regexp:/etc/postfix/header_checks

whitelist your clients' clueless business partners in /etc/postfix/client_checks

for a much more forgiving config change the above to

smtpd_helo_restrictions = permit_mynetworks
#    reject_invalid_hostname
#    reject_non_fqdn_hostname
#    reject_unknown_hostname

because i did nothing else but wrote love letters to clueless admins who either ignored me unless i cc'd the top management or asked me what am i talking about and sure they fix it gladly, if i tell them how....

these postfix settings are also on 2 linux boxen, without greyfiltering. the strict settings catch a LOT of spam, actually 60-80% of them, so spamassassin was mostly idle. with the laxed helo settings this went down by 60-80%

there is an RFC ignorant world out there, and SMTP is just so broken...

on my openbsd box i have no client side spam filters... just pf+postfix. i get bank scams, maybe 1 in 3 days... i can't even bother to bayes myself, no need..

-f
--
"how you doing today?" "fine doc." "that'll be $95 please"
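A log check of the kind the post mentions (finding possibly legitimate senders among HELO rejections), as an added example that is not part of the original post and is not the poster's script. The log lines are constructed, the function names are hypothetical, and treating a client that retried at least twice with the same HELO as a review candidate is an assumed heuristic.

```python
import re
from collections import defaultdict

# Postfix smtpd HELO rejections. The enhanced status code (e.g. 5.5.2) is
# optional because older Postfix releases do not log it.
REJECT_RE = re.compile(
    r"reject: \w+ from (?P<rdns>\S+)\[(?P<ip>[^\]]+)\]: "
    r"(?P<code>\d{3})(?: \d\.\d+\.\d+)? <(?P<helo>[^>]*)>: "
    r"Helo command rejected: (?P<reason>[^;]+);"
    r"(?: from=<(?P<sender>[^>]*)>)?"
)

# Constructed sample log (documentation addresses, made-up host names).
P = "postfix/smtpd[4121]: NOQUEUE: reject: RCPT from "
SAMPLE_LOG = [
    "Aug 30 09:12:01 mx " + P + "unknown[192.0.2.10]: 504 <EXCHANGE01>: Helo command rejected: need fully-qualified hostname; from=<orders@partner.example> to=<sales@example.org> proto=ESMTP helo=<EXCHANGE01>",
    "Aug 30 09:42:07 mx " + P + "unknown[192.0.2.10]: 504 <EXCHANGE01>: Helo command rejected: need fully-qualified hostname; from=<orders@partner.example> to=<sales@example.org> proto=ESMTP helo=<EXCHANGE01>",
    "Aug 30 10:01:15 mx " + P + "gw.bank.example[198.51.100.7]: 450 4.7.1 <mail.corp.internal>: Helo command rejected: Host not found; from=<billing@bank.example> to=<ap@example.org> proto=ESMTP helo=<mail.corp.internal>",
    "Aug 30 10:16:20 mx " + P + "gw.bank.example[198.51.100.7]: 450 4.7.1 <mail.corp.internal>: Helo command rejected: Host not found; from=<billing@bank.example> to=<ap@example.org> proto=ESMTP helo=<mail.corp.internal>",
    "Aug 30 10:30:44 mx " + P + "unknown[203.0.113.99]: 501 <203.0.113.99>: Helo command rejected: Invalid name; from=<x@bulk.example> to=<info@example.org> proto=SMTP helo=<203.0.113.99>",
    "Aug 30 10:31:02 mx " + P + "host.example[203.0.113.5]: 554 5.7.1 <user@example.net>: Relay access denied; from=<a@host.example> to=<user@example.net> proto=ESMTP helo=<host.example>",
]

def helo_rejects(lines):
    """Yield one dict per 'Helo command rejected' log line."""
    for line in lines:
        m = REJECT_RE.search(line)
        if m:
            yield m.groupdict()

def review_candidates(lines, min_hits=2):
    """Group HELO rejects by (client IP, HELO name) and keep clients that
    came back at least min_hits times, as a real MTA retrying would."""
    groups = defaultdict(lambda: {"hits": 0, "reasons": set(), "senders": set()})
    for r in helo_rejects(lines):
        g = groups[(r["ip"], r["helo"])]
        g["hits"] += 1
        g["reasons"].add(r["reason"].strip())
        if r["sender"]:
            g["senders"].add(r["sender"])
    return {k: v for k, v in groups.items() if v["hits"] >= min_hits}

if __name__ == "__main__":
    for (ip, helo), g in sorted(review_candidates(SAMPLE_LOG).items()):
        print(ip, helo, g["hits"], sorted(g["reasons"]), sorted(g["senders"]))
```

Clients it reports are the ones to look at by hand before adding them to /etc/postfix/client_checks.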