On Sun, 13.11.2005 at 19:08, Craig McLean wrote:

> > Perhaps in this case a better solution is that his MTA should be
> > configured to reject any mail coming in with a HELO name that is not
> > true (ie, your mailserver external hostname or IP).

Fully agreed. Better rejecting the forgery at SMTP time than to first
accept it and then classify it as spam.

> [mini-snip]
> You might well be right. On high-load systems a caveat, however, is that
> if you do this with RDNS queries it'll lead to a potential DoS.
>
> I haven't tested whether my mailserver will allow me to HELO with the
> mailserver's hostname but a phony IP. I suspect this will be covered
> (assuming sendmail) by confPRIVACY_FLAGS or local-host-names.

No, neither does.

> C.

Hints for some reading:

1) http://www.cs.niu.edu/~rickert/cf/bad-ehlo.html
   [ http://www.cs.niu.edu/~rickert/cf/hack/block_bad_helo.m4 ]

2) I always recommend to enhance Sendmail by using the MimeDefang
milter. It both calls SpamAssassin and anti-virus scanners, and it can
easily be customized doing specific things during the (E)SMTP stream.
Talking about HELO/EHLO checks it can be easy like

http://www.mimedefang.org/node.php?id=18

Other code examples to be found in the wiki

http://www.mimedefang.org/kwiki/index.cgi?FilterExamples

Alexander

-- 
Alexander Dalloz | Enger, Germany | GPG http://pgp.mit.edu 0xB366A773
legal statement: http://www.uni-x.org/legal.html
Fedora Core 2 GNU/Linux on Athlon with kernel 2.6.11-1.35_FC2smp
Serendipity 19:31:24 up 15 days, 17:31, load average: 0.30, 0.25, 0.19
Attachment: signature.asc
Description: This is a digitally signed message part
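
The HELO check discussed in this thread, as an added example that is not part of the original message and is neither sendmail nor MIMEDefang code: it rejects a client that announces this server's own hostname or IP address unless the connection comes from a trusted network, using only local comparisons and no DNS lookups. The hostnames, addresses, trusted networks and the ('REJECT'/'CONTINUE', reason) return shape are constructed assumptions.

```python
import ipaddress

# Constructed sample configuration (assumptions, not taken from the thread).
LOCAL_NAMES = {"mail.example.org", "example.org"}   # names only we may announce
LOCAL_IPS = {ipaddress.ip_address("192.0.2.25")}    # our external address
TRUSTED_NETS = [ipaddress.ip_network("127.0.0.0/8"),
                ipaddress.ip_network("192.0.2.0/24")]


def _as_ip(helo):
    """Return the address in a HELO argument such as '[192.0.2.25]',
    '[IPv6:2001:db8::1]' or a bare '192.0.2.25'; None for a hostname."""
    text = helo.strip()
    if text.startswith("[") and text.endswith("]"):
        text = text[1:-1]
    if text.lower().startswith("ipv6:"):
        text = text[5:]
    try:
        return ipaddress.ip_address(text)
    except ValueError:
        return None


def check_helo(helo, client_ip):
    """Decide at HELO/EHLO time. Returns ('REJECT' | 'CONTINUE', reason)."""
    client = ipaddress.ip_address(client_ip)
    # Our own hosts may legitimately announce our names and addresses.
    if any(client in net for net in TRUSTED_NETS):
        return ("CONTINUE", "trusted client")

    claimed_ip = _as_ip(helo)
    if claimed_ip is not None:
        if claimed_ip in LOCAL_IPS:
            return ("REJECT", "HELO uses this server's IP address")
        return ("CONTINUE", "address literal, not ours")

    # Hostnames compare case-insensitively; ignore a trailing root dot.
    name = helo.strip().rstrip(".").lower()
    if name in LOCAL_NAMES:
        return ("REJECT", "HELO uses this server's hostname")
    return ("CONTINUE", "ok")
```
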