Comments on: Wrong HELO http://spamhuntress.com/2006/01/23/wrong-helo/ Just another WordPress weblog Sat, 17 May 2008 04:32:53 +0000 http://wordpress.org/?v=2.0.7 by: Chris Mikkelson http://spamhuntress.com/2006/01/23/wrong-helo/#comment-2800 Fri, 27 Jan 2006 06:01:20 +0000 http://spamhuntress.com/2006/01/23/wrong-helo/#comment-2800 Yeah, there's a surprising amount of junk in EHLOs, especially considering that it's clearly defined in the standards, and relatively easy to get right (multihomed servers, split-horizon DNS, and NATs being the big edge cases). Fortunately, at least some of the junk is virtually 100% spam and can be blocked using check_helo_access (preferably with a generic error message -- some spammers are catching on, why help the rest?). My personal favorite is a financial services company mail server that HELOs as a string of 72 '#' characters. That almost has to be a firewall 'fixing' the HELO. Yeah, there’s a surprising amount of junk in EHLOs, especially considering that it’s clearly defined in the standards, and relatively easy to get right (multihomed servers, split-horizon DNS, and NATs being the big edge cases). Fortunately, at least some of the junk is virtually 100% spam and can be blocked using check_helo_access (preferably with a generic error message — some spammers are catching on, why help the rest?).

My personal favorite is a financial services company mail server that HELOs as a string of 72 ‘#’ characters. That almost has to be a firewall ‘fixing’ the HELO.

]]> by: Justin Mason http://spamhuntress.com/2006/01/23/wrong-helo/#comment-2676 Mon, 23 Jan 2006 19:49:45 +0000 http://spamhuntress.com/2006/01/23/wrong-helo/#comment-2676 What are "incorrectly configured HELO" strings? In my experience with SA, you can't assume that a HELO string will even share a TLD with any of the other attributes of the mail session so far (remote RDNS, MAIL FROM, remote IP, RCPT TO, header "From:" etc.). I'd expect a high false positive rate if that's the test. It's not really a matter of "incorrectly configured", it's a matter of "unrealistic expectations" ;) What are “incorrectly configured HELO” strings? In my experience with SA, you can’t assume that a HELO string will even share a TLD with any of the other attributes of the mail session so far (remote RDNS, MAIL FROM, remote IP, RCPT TO, header “From:” etc.). I’d expect a high false positive rate if that’s the test.

It’s not really a matter of “incorrectly configured”, it’s a matter of “unrealistic expectations” ;)

]]>