
Broken HELO [was: tlug: Naive VM question]



It's not my place to comment publicly on policy decisions (RFC
violations are a public matter, that's different and you need to
defend the violation, not tell me to defend the fact that I noticed
it ;-), so this goes directly to you.

>>>>> "Craig" == Craig Oda <craigoda@example.com> writes:

    Craig> On Wed, 29 Apr 1998, Stephen J. Turnbull wrote:

    >> Many MTA implementers think this is a stupid restriction, and
    >> that refusing to accept mail from a host with a broken HELO is
    >> a smart anti-spam device.  IMHO they're wrong on both counts,
    >> but I don't implement MTAs....

    Craig> There are several anti-spam measures taken on the TWICS
    Craig> mail system due to the high visibility of an ISP and the

That is of course your right and duty.  I disagree with this
particular measure for the following reasons:

(1) I have not received spam directly from a broken mailer _ever_
    (well, in the last 1432 messages in my abuse file).  All spam
    received directly comes from professional spamming domains.
    Typically a host lookup on those addresses works while they're
    spamming, and fails shortly thereafter.

(2) Spam which gets laundered through a compliant but insecure MTA
    cannot get caught this way, even if the spammer's HELO is broken.

(3) I don't know what TWICS does if the PTR lookup of TCP connection
    IP address doesn't match the HELO address; I know that many ISPs
    forward those with "may be forged" tags on them.  This is clearly
    inconsistent with refusing purely on the basis of a broken HELO,
    though.  It's far more likely that a broken HELO is due to poor
    configuration (often of the DNS) or a change in the DNS than to
    intent to launder a spam.  A HELO address with a MX or A record
    that doesn't match the PTR of the TCP connection is far more
    likely to be spam, but even there the majority of mismatches occur 
    because of multihomed domain names.

(4) I have had mail to TWICS refused because my local DNS was broken,
    resulting in delays of hours, and in one case more than a day.

This particular measure is just more trouble than it's worth.  It's
not that hard to parse the received headers so that you can eventually
catch the forgeries, and though it may be expensive, you can short
circuit that (in the long run, anyway) by keeping a cache of
trustworthy domains that don't forge headers and check for them in the 
HELO command and TCP connection.

Of course, I don't know of any MTAs that do that, and I don't know of
any that are modular enough to make it easy to implement.

Steve

---------------------------------------------------------------
Next Nomikai: 15 May Fri, 19:30 Tengu TokyoEkiMae 03-3275-3691
Next TLUG Meeting: 13 June Sat, Tokyo Station Yaesu gate 12:30
Featuring Stone and Turnbull on .rpm and .deb packages
---------------------------------------------------------------
a word from the sponsor:
TWICS - Japan's First Public-Access Internet System
www.twics.com  info@example.com  Tel:03-3351-5977  Fax:03-3353-6096
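The check Steve sketches in point (3) and in his closing paragraph (compare the HELO name with the PTR of the TCP connection, forward-confirm it through A or MX records so multihomed hosts are not penalised, consult a cache of trustworthy domains, and tag "may be forged" rather than refuse) is shown below as an added example. It is not code from the original post, from TWICS, or from any MTA named on the list; the resolver, host names and addresses are a constructed in-memory stub so it runs offline, and `classify_helo`, `received_clause` and `StubResolver` are names chosen here, not part of any real MTA.

```python
# Added example, not code from the original post or from TWICS/TLUG.
# Evaluates an SMTP HELO name against the connecting IP address the way
# the message describes: compare against the PTR of the connection,
# forward-confirm via A/MX for multihomed hosts, consult a cache of
# trustworthy domains, and tag "may be forged" instead of refusing.
# DNS data is a constructed in-memory stub (documentation addresses,
# no real hosts); swap in a real resolver with the same three methods.
from dataclasses import dataclass, field

CONSISTENT = "consistent"
MAY_BE_FORGED = "may be forged"
UNRESOLVABLE = "unresolvable helo"


def _norm(name: str) -> str:
    """Lower-case and strip the trailing dot so names compare reliably."""
    return name.lower().rstrip(".")


@dataclass
class StubResolver:
    """Constructed DNS data: ip -> PTR names, name -> A records, name -> MX names."""
    ptr: dict = field(default_factory=dict)
    a: dict = field(default_factory=dict)
    mx: dict = field(default_factory=dict)

    def lookup_ptr(self, ip): return [_norm(n) for n in self.ptr.get(ip, [])]
    def lookup_a(self, name): return list(self.a.get(_norm(name), []))
    def lookup_mx(self, name): return [_norm(n) for n in self.mx.get(_norm(name), [])]


def _under(name, domains):
    """True if name equals or is a subdomain of any domain in the set."""
    return any(name == d or name.endswith("." + d) for d in domains)


def classify_helo(helo, peer_ip, resolver, trusted=frozenset()):
    """Return CONSISTENT, MAY_BE_FORGED or UNRESOLVABLE; never a reject.

    The post's point is that a broken HELO is usually misconfiguration,
    so the caller tags the Received header and delivers anyway.
    """
    helo = _norm(helo)
    ptr_names = resolver.lookup_ptr(peer_ip)
    trusted = {_norm(d) for d in trusted}

    # PTR of the TCP connection names the same host the client claims.
    if helo in ptr_names:
        return CONSISTENT

    # Cache of domains known not to forge headers, checked on both the
    # HELO and the connection (its PTR), as the post suggests.
    if _under(helo, trusted) and any(_under(n, trusted) for n in ptr_names):
        return CONSISTENT

    # Forward-confirm: does the HELO name's A record, or any of its MX
    # hosts, point back at the connecting IP?  This absorbs the
    # multihomed case where the PTR carries a different name.
    a_ips = resolver.lookup_a(helo)
    mx_hosts = resolver.lookup_mx(helo)
    mx_ips = [ip for h in mx_hosts for ip in resolver.lookup_a(h)]
    if not a_ips and not mx_hosts:
        return UNRESOLVABLE          # broken HELO: no A and no MX at all
    if peer_ip in a_ips or peer_ip in mx_ips:
        return CONSISTENT
    return MAY_BE_FORGED             # resolves, but to somewhere else


def received_clause(helo, peer_ip, resolver, trusted=frozenset()):
    """Simplified Received-header fragment: record the mismatch, keep the mail."""
    verdict = classify_helo(helo, peer_ip, resolver, trusted)
    ptr = resolver.lookup_ptr(peer_ip)
    real = ptr[0] if ptr else "unknown"
    clause = f"from {_norm(helo)} ({real} [{peer_ip}])"
    if verdict != CONSISTENT:
        clause += f" ({verdict})"
    return clause


# Constructed sample zone data (RFC 5737 documentation addresses).
SAMPLE = StubResolver(
    ptr={"192.0.2.10": ["mail.example.net."],
         "192.0.2.20": ["host20.isp.example."],
         "192.0.2.40": ["dialup40.isp.example."],
         "192.0.2.50": ["relay2.trusted.example."]},
    a={"mail.example.net": ["192.0.2.10"],
       "mx.example.org": ["192.0.2.20", "198.51.100.7"],   # multihomed
       "smtp.example.com": ["198.51.100.9"]},
    mx={"example.org": ["mx.example.org."]},
)

if __name__ == "__main__":
    for helo, ip in [("mail.example.net", "192.0.2.10"),
                     ("mx.example.org", "192.0.2.20"),
                     ("bogus.invalid", "192.0.2.30"),
                     ("mail.example.net", "192.0.2.40")]:
        print(received_clause(helo, ip, SAMPLE))
```

The order of the checks matters: the trusted-domain cache is consulted before resolvability, so a known relay whose HELO name briefly fails to resolve (Steve's case (4), a broken local DNS) is still accepted cleanly, while an unknown host with the same symptom is delivered with an "unresolvable helo" note that a later Received-header parser can act on.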


