Jason Clifford wrote: [...]
You may safely reject any SMTP connection that announces itself this way (HELO compuserve.com)
Just be sure you only match on "compuserve.com" as if you match subdomains you'll be blocking email from a lot of people.
Yes, exactly that. In postfix, one would create a regexp (or pcre) access map and do something like (note the anchors)
/^compuserve\.com$/ REJECT haw haw haw, you're not fooling me
As for blocking a lot of people, I guess it depends on who you talk to. In the past three months only one message (in ~300k) has come in from a compuserve machine. Funny how things change.
yahoo.com is another one to look for. Their servers announce themselves using FQDNs. Hotmail doesn't, may they roast in hell.
Is that a given?
I can't quite parse that. What I mean is that legitimate Yahoo! servers announce themselves with, e.g., HELO web20701.mail.yahoo.com or HELO n31.grp.scd.yahoo.com (and this is the same as the reverse lookup on the IP address).
Any legitimate hotmail server, however, will announce itself as HELO hotmail.com, just like a spammer would. So you can't distinguish them at this level. You can usually distinguish legitimate hotmail servers with a reverse lookup, but I have rejected mail in the past from them because their DNS wasn't set up correctly and it came back nxdomain. Maybe a new machine being brought online. I dunno, it's hotmail, I wasn't particularly fussed.
If you get this to work there are two other easy ones to block: HELO 1.2.3.4 (where 1.2.3.4 is the public IP address of your MTA) and HELO example.com (where example.com is your domain name).
And HELO localhost as well as HELO [ any unqualified hostname ]
And anything ending in .local .localdomain .internal .isp .test ...
That will block some legitimate mail, because of retards running mailservers in dire need of a clue (next, next, next, ok, finish). Antivirus MTA front-ends are a good source of garbage HELO strings.
David
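The HELO checks discussed in this thread, as an added Python example (not code from the thread or from postfix): the anchored compuserve.com pattern from the pcre map above, plus the own-IP, own-domain, localhost, unqualified-hostname and reserved-suffix rules. The address 192.0.2.10 and the domain example.com are constructed placeholders for your own MTA's public IP and domain name.

```python
import ipaddress
import re

# Constructed placeholders: substitute your MTA's real public IP and domain.
MY_PUBLIC_IP = "192.0.2.10"
MY_DOMAIN = "example.com"

# Anchored exactly like the postfix pcre map entry in the thread, so the bare
# name is rejected but real subdomains such as mail.compuserve.com are not.
FORGED_HELO_EXACT = re.compile(r"^compuserve\.com$", re.IGNORECASE)

# Suffixes that should never appear in the HELO of a public mail server.
BOGUS_SUFFIXES = (".local", ".localdomain", ".internal", ".isp", ".test")


def helo_verdict(helo: str, my_ip: str = MY_PUBLIC_IP, my_domain: str = MY_DOMAIN):
    """Return (action, reason) for a HELO/EHLO argument.

    action is "REJECT" or "DUNNO" (postfix-speak for "no opinion, keep going").
    """
    h = helo.strip().lower()
    if FORGED_HELO_EXACT.match(h):
        return "REJECT", "forged compuserve.com HELO"
    # Address literal: accept both the RFC form [1.2.3.4] and the bare form.
    literal = h[1:-1] if h.startswith("[") and h.endswith("]") else h
    try:
        if ipaddress.ip_address(literal) == ipaddress.ip_address(my_ip):
            return "REJECT", "HELO uses our own public IP"
    except ValueError:
        pass  # not an IP literal at all, fall through to the name checks
    if h == my_domain:
        return "REJECT", "HELO uses our own domain"
    if h == "localhost":
        return "REJECT", "HELO localhost"
    if "." not in h:
        return "REJECT", "unqualified hostname"
    if h.endswith(BOGUS_SUFFIXES):
        return "REJECT", "reserved or non-routable suffix"
    return "DUNNO", "no HELO-level objection"
```

As the thread warns, the last three rules will also catch some misconfigured but legitimate senders, so log the reason string before turning them into hard rejects.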