Quoting Noel Jones <njo...@megan.vbhcs.org>:

On 7/17/2012 10:26 AM, LittleCho wrote:
Dear all,

  I am not sure if this issue has been discussed. I am going to ask:
I found Postfix will put the string which is used as the helo name in
the Received header. That is, if I try to use a fake name or IP as
my helo name during an SMTP conversation, Postfix will output a fake
header in the mail and deliver it.

First, remember that a helo command is basically a comment, and is
always treated as such.  The helo is never treated as verified,
reliable information.

Postfix records the helo command as given by the client in a
Received: header.

Although a client can give an IP as the helo name, it is still just
a comment and does not override the actual client IP, which is
impractical to fake.  Neither postfix nor any anti-spam system will
ever use a helo IP in routing decisions.


Doesn't it make the anti-spam
product confused when parsing the mail source and doing RBL
checking?

No. Helo information is well known to be easily faked, and no
anti-spam system or RBL will rely on it for whitelisting.

Sometimes faked helo names can be used for blacklisting, such as if
a client uses "paypal.com" as helo, but the client hostname is
something like 189-68-88-213.dsl.telesp.net.br, it will be pretty
obvious to most anti-spam systems that it's not really paypal.


  -- Noel Jones


Yes, please refer to the sample header shown below:

Received: from 1.175.147.22 (gate.tcssh.tc.edu.tw [203.71.212.252])
    by mail.localdomain (Postfix) with ESMTP id 3903777002
    for <little...@domain.tld>; Tue, 17 Jul 2012 22:38:54 +0800 (CST)

We can see the IP after "from" is "1.175.147.22" but the original source is "203.71.212.252". I am going to ask: when this case is encountered, we could find that those two columns mismatch; however, why not just let Postfix put the client IP after the "from" column instead of the helo name? I know some anti-spam products will do bottom-up parsing and may get the wrong source IP when trying to locate the sender IP. It may affect the RBL checking result when we are using an IP with better reputation as our helo name. That is, some spammers will try to use the IP address which our MTA is using as the helo name; if we didn't set the helo check policy, or we just want our policy to be not strict, the client may have the possibility to cheat our post-filtering program. Thanks for your reply. :)

--
Best Regards, LittleCho
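As an added illustration of the parsing point LittleCho raises (example code written for this page, not from the thread or from Postfix): it unfolds a Received: header, separates the client's HELO claim from the connection IP that Postfix puts in brackets, and contrasts a naive bottom-up parser that trusts the first token after "from" with one that reads the bracketed address. The first header is the thread's own sample; the second is a constructed one with a hostname HELO and no reverse DNS, and its addresses and IDs are assumptions.

```python
import ipaddress
import re
from typing import Optional

# The Postfix Received: header quoted in the thread above (sample from the page).
SAMPLE_HEADER = (
    "Received: from 1.175.147.22 (gate.tcssh.tc.edu.tw [203.71.212.252])\n"
    "    by mail.localdomain (Postfix) with ESMTP id 3903777002\n"
    "    for <little...@domain.tld>; Tue, 17 Jul 2012 22:38:54 +0800 (CST)"
)

# Constructed example (not from the thread): a client that sends a hostname
# as its HELO and has no reverse DNS, which Postfix records as "unknown".
CONSTRUCTED_HEADER = (
    "Received: from mail.example.test (unknown [192.0.2.45])\n"
    "    by mail.localdomain (Postfix) with ESMTP id 0000000000\n"
    "    for <someone@domain.tld>; Tue, 17 Jul 2012 22:40:00 +0800 (CST)"
)

# Postfix writes "from <helo> (<reverse-dns> [<ip>])". The <helo> token is the
# client's own claim; the bracketed <ip> is the peer address of the TCP connection.
RECEIVED_RE = re.compile(
    r"^Received:\s+from\s+(?P<helo>\S+)\s+"
    r"\((?:(?P<rdns>[^\s\[\]]+)\s+)?\[(?P<ip>[^\]]+)\]\)",
    re.IGNORECASE,
)


def unfold(header: str) -> str:
    """Join RFC 5322 folded continuation lines into a single logical line."""
    return re.sub(r"\r?\n[ \t]+", " ", header)


def parse_received(header: str) -> dict:
    """Split a Postfix Received: header into HELO claim, reverse DNS name and client IP."""
    m = RECEIVED_RE.match(unfold(header))
    if not m:
        raise ValueError("not a Postfix-style Received: header")
    ip = m.group("ip")
    if ip.upper().startswith("IPV6:"):  # Postfix writes IPv6 peers as [IPv6:...]
        ip = ip[5:]
    return {"helo": m.group("helo"), "rdns": m.group("rdns"), "client_ip": ip}


def naive_source_ip(header: str) -> Optional[str]:
    """The bottom-up shortcut the thread warns about: take the first token after
    'from' and accept it as the source address whenever it looks like an IP.
    That token is the HELO string, so the client chooses what this returns."""
    token = unfold(header).split()[2]  # "Received:", "from", <helo>
    try:
        return str(ipaddress.ip_address(token.strip("[]")))
    except ValueError:
        return None  # HELO was a hostname; nothing that looks like an IP to pick up


def correct_source_ip(header: str) -> str:
    """The connection IP Postfix recorded in brackets; the client cannot choose this."""
    return parse_received(header)["client_ip"]


def helo_is_spoofed_ip(header: str) -> bool:
    """True when the HELO is an IP literal that differs from the real connection IP,
    i.e. the pattern in the thread's sample header."""
    p = parse_received(header)
    try:
        claimed = ipaddress.ip_address(p["helo"].strip("[]"))
    except ValueError:
        return False  # hostname HELO: judged by other means (rDNS, SPF, etc.)
    return claimed != ipaddress.ip_address(p["client_ip"])


if __name__ == "__main__":
    for h in (SAMPLE_HEADER, CONSTRUCTED_HEADER):
        print(parse_received(h))
        print("  naive:", naive_source_ip(h), " correct:", correct_source_ip(h),
              " helo spoofed:", helo_is_spoofed_ip(h))
```

For the sample header the naive parser returns "1.175.147.22" (the HELO) while the correct one returns "203.71.212.252" (the connection), which is exactly the mismatch LittleCho observed; any RBL lookup keyed on the naive value is checking an address the client picked. The constructed header shows the same code leaving a hostname HELO alone.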


