On the other hand, we always look for ways to 'tighten' up..
Years ago, we were among the first to reject connections from IP(s) without rDNS/PTR records, and now that is pretty well industry standard.

More and more, if you want to deliver email in today's environments, you have to ensure your email servers are correctly configured.

And we test our rules, by slow adoption, and see if it generates false positives. On HELO/EHLO, we first started insisting that there was at least one present, then that it was a FQDN, and 'at least' configured (e.g. not localhost.localdomain), and not an IP address, and those rules have been able to evolve into absolute blocking, with virtually no false positives; however, insisting that the HELO matches the PTR etc., which might be recommended best practices by some, still in the real world doesn't work..

However, moving towards RFC is always something we strive for, and often we can introduce them as 'scoring' techniques.. (HELO's being often forged by spammers) until it gets to the point, where the false positive rates are low enough that they can be introduced as policies.

Interestingly, this is the first time in a long time that a false positive was escalated to my attention pertaining to illegal characters in the 'hostname' portion of a HELO/EHLO.

A quick look at some statistics shows that almost every HELO policy hit was related to IP literals in the HELO (typical bot activity) and spammers using the unqualified hostname (mostly bots).

Will have to ask for some updated numbers to confirm actual counts, but so far see a virtually zero case scenario, that and the fact that it isn't technically correct, means we have reached the point where making it a standard seems logical ;)

Be interesting to see other larger providers' statistical numbers on legitimate email servers with non-RFC style HELO.


On 17-01-11 10:53 AM, Brandon Long via mailop wrote:
Yeah, we looked at blocking underscores in helo arguments last year when
we went on an rfc enforcement rampage, but gave up, it's too common.  We
did start blocking email addresses, http urls, regular expressions,
spaces, and a bunch of other similar wackiness.

We don't allow them in domains for MAIL FROM for MX/relay, which caught
out about a dozen root@ type relays.  For MSA, we overwrite the sender
anyways, so we ended up allowing it there, as there are a bunch of IP
cameras and the like which are just plain broken and unlikely to ever
get fixed, not to mention bad windows software which uses the local
machine's name, which is allowed to have an underscore.

We treated it as a data loss issue, if you send us a message with a
bogus sender, we can't bounce mail to you on delivery failure.  Granted,
one could extend that type of argument all the way to trying to validate
senders also receive mail, but practicality seems more useful.

Brandon

On Wed, Jan 11, 2017 at 10:31 AM, Steve Atkins <st...@blighty.com> wrote:


    > On Jan 11, 2017, at 10:12 AM, Michael Peddemors <mich...@linuxmagic.com> wrote:
    >
    > Noticed that they are using underscores in their hostnames used in the HELO/EHLO..
    >
    > https://www.ietf.org/rfc/rfc1034.txt
    >
    > p3plsmtp09-04_26.prod.phx3.secureserver.net
    >
    > Comments from the list?
    >
    > While a lot of 'loosening' up on domain name(s) encoding has occurred, haven't seen anything that has changed to allow underscores in the host name portion, which I 'believe' is still restricted to letter-number-hyphen.

    Underscores in hostnames have been not uncommon for at least a
    couple of decades. It's a violation of 5321 to use them in EHLO, but
    unless you're more interested in RFC-lawyering than delivering email
    you probably want to be liberal in what you accept there.

    Cheers,
      Steve



--
"Catch the Magic of Linux..."
------------------------------------------------------------------------
Michael Peddemors, President/CEO LinuxMagic Inc.
Visit us at http://www.linuxmagic.com @linuxmagic
------------------------------------------------------------------------
A Wizard IT Company - For More Info http://www.wizard.ca
"LinuxMagic" a Registered TradeMark of Wizard Tower TechnoServices Ltd.
------------------------------------------------------------------------
604-682-0300 Beautiful British Columbia, Canada

This email and any electronic data contained are confidential and intended
solely for the use of the individual or entity to which they are addressed.
Please note that any views or opinions presented in this email are solely
those of the author and are not intended to represent those of the company.

_______________________________________________
mailop mailing list
mailop@mailop.org
https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop
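
The tiered HELO/EHLO policy discussed in this thread, sketched as an added example (not code from any poster or their systems). The function name, the `strict_ldh` switch and the mapping of each check to "reject" or "score" are assumptions made for illustration; the underscore hostname is the one quoted in the thread, the other inputs are constructed.

```python
import ipaddress
import re

# LDH label (RFC 1034/1123): letters, digits, hyphens; no leading/trailing hyphen.
LDH_LABEL = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")
# Same shape, but tolerating underscores (the case debated in this thread).
LDH_UNDERSCORE = re.compile(r"^[A-Za-z0-9_](?:[A-Za-z0-9_-]{0,61}[A-Za-z0-9_])?$")
PLACEHOLDERS = {"localhost", "localhost.localdomain"}


def is_ip(arg):
    """True for a bare IP or an address literal such as [192.0.2.1] or [IPv6:...]."""
    inner = arg[1:-1] if arg.startswith("[") and arg.endswith("]") else arg
    if inner.lower().startswith("ipv6:"):
        inner = inner[5:]
    try:
        ipaddress.ip_address(inner)
        return True
    except ValueError:
        return False


def classify_helo(arg, strict_ldh=False):
    """Return (action, reason); action is 'reject', 'score' or 'accept'.

    strict_ldh (hypothetical switch): promote underscore hits from a
    scoring signal to a hard policy once false positives are low enough.
    """
    arg = (arg or "").strip()
    if not arg:
        return "reject", "missing"
    if is_ip(arg):
        return "reject", "ip-address"
    name = arg.rstrip(".").lower()
    if name in PLACEHOLDERS:
        return "reject", "placeholder"
    labels = name.split(".")
    if len(labels) < 2:
        return "reject", "unqualified"
    if all(LDH_LABEL.match(label) for label in labels):
        return "accept", "ok"
    if all(LDH_UNDERSCORE.match(label) for label in labels):
        return ("reject" if strict_ldh else "score"), "underscore"
    # Spaces, '@', URL schemes and similar never belong in a hostname.
    return "reject", "illegal-characters"
```

Logging the returned reason per connection gives the kind of per-rule hit counts needed to judge false-positive rates before moving a check from scoring to blocking.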
