Re: Mail Servers blocking BAD Helo

[Ed Weinberg <edw () q5comm com>]

We did a survey of our clients and found that they receive no email from
China.  About Four years ago I read an article in one of the free weekly
IT magazines about how China was going to have problems doing business
with the world in the future because so many company were rejecting all
China email outright.

Over the next year or two I examined a lot of spam and using commands
like "traceroute" and Arins lookups I put together my own blacklist of
Chinese ip addresses.  At one point that list was blocking about 40% of
the email to my server.  I do know that a minute does not go by when I
don't reject China email.


On Sat, 2005-01-08 at 01:57 +0200, Sebastian@Helsinki wrote:
> Brandon,
>
> You said you're blocking most email from "specific" countries. I agree 
> that most emails from eg. .tw and .cn are very likely to be spam but you 
> will be blocking lots of legitimate email aswell. You might want to try 
> RBLs such as
>   list.dsbl.org,
>   cbl.abuseat.org,
>   relays.ordb.org,
>   opm.blitzed.org,
>   sbl.spamhaus.org,
>   dnsbl.sorbs.net
> to sort out commonly known sources.
>
> In my experience, sadly enough, too many clients and relay servers 
> exhibit the phenomenon of not prividing a FQDN. Filtering by that will 
> result in lots of false positives.
>
> Regards,
>
>  -Sebastian
>
>
>
> David Sherman wrote:
>
> > Brandon,
> >
> > That is a good question. I know the box will handle multiple domains but
> > I am not sure about the ability to segregate them so that folks from
> > each virtual domain can administer their own domain. I do know they have
> > models that will allow end-user to go in and decide for themselves what
> > is and is not spam. Here is the link to their contact page.
> > http://www.barracudanetworks.com/company/contact.php?l=en_US they ought
> > to be able to let you know definitively if they can meet your needs
> >
> > David 
> >
> > -----Original Message-----
> > From: Brandon Lee [mailto:lee.bran () gmail com] 
> > Sent: Thursday, January 06, 2005 1:06 AM
> > To: David Sherman
> > Cc: security-basics () securityfocus com
> > Subject: Re: Mail Servers blocking BAD Helo
> >
> > David,
> >
> > Thanks for your recommendation.  It seems kinda nice product.  Are you
> > using it as a central anti-spam filtering or allow different virtual
> > domains to handle their own spam rules?  What i need is something that
> > can do virtual domains to handle their own spam rules, because we have
> > situation like this particular virtual domain user wants to blacklist an
> > email address which another virtual domain user wants to recieve.
> >
> > Regards
> > Brandon
> >
> > On Wed, 5 Jan 2005 14:14:06 -0700, David Sherman
> > <dsherman () newfrontierbank com> wrote:
> >  
> >
> > > Brandon,
> > >
> > > Barracuda Networks has an appliance that uses Spam Assassin and 
> > > receives/filters all incoming email. It does a good job of cutting 
> > > down on the spam. I've had it running for a year and it blocks 75% of 
> > > the incoming email without causing us to miss legitimate mail.
> > >
> > > David
> > >
> > > -----Original Message-----
> > > From: Brandon Lee [mailto:lee.bran () gmail com]
> > > Sent: Friday, December 31, 2004 11:47 PM
> > > To: security-basics () securityfocus com
> > > Subject: Re: Mail Servers blocking BAD Helo
> > >
> > > Hi all,
> > >
> > > Thanks alot for the sharing of your experiences.
> > >
> > > Well, i guess i would have to drop that BAD HELO implementation in the
> > >    
> >
> >  
> >
> > > form of business point of view.  However, what kinda spam filtering do
> > >    
> >
> >  
> >
> > > you guys think will be less resource intensive?  Currently im using 
> > > Spamassassin and its sitting together on the POP servers(as well as 
> > > webmail), however, it seems that too much spam mails are clogging up 
> > > the system resources.  im currently using qmail(with FEH patch) + 
> > > maildrop + vpopmail + spamassassin on the POP servers to d the
> > >    
> > filterings.
> >  
> >
> > > The result of the previous trial did reflect a huge number of spam 
> > > mails coming directly to the MX servers because we have setup a remote
> > >    
> >
> >  
> >
> > > smtp server for our clients to sent out emails to avoid them using MS 
> > > email client connecting to MX to send emails directly(which will also 
> > > avoid MS email client's drawback of doing HELO with system name
> > >    
> > instead of FQDN.
> >  
> >
> > > Last but not least, Happy New Year to you people.
> > >
> > > Regards
> > > Brandon
> > >
> > > On Thu, 30 Dec 2004 17:15:58 -0500, Roger A. Grimes 
> > > <roger () banneretcs com> wrote:
> > >    
> > >
> > > > In my experiencing, too many MTA's don't comply.  Enforcing 
> > > > compliance
> > > >      
> > > >
> > > > resulted in too many lost legitimate emails over the last year for 
> > > > me,
> > > >      
> > > >
> > > > so I turned it off.  I was surprised by how many large and popular 
> > > > MTA's don't comply, and surprised by how much email my company was 
> > > > missing because I stuck to my guns for a year.  Not worth it.
> > > >
> > > > -----Original Message-----
> > > > From: Anthony J. Cogan [mailto:anthony.cogan () thinkunix com]
> > > > Sent: Thursday, December 30, 2004 1:44 PM
> > > > To: brandon () xcodes net
> > > > Cc: security-basics () securityfocus com
> > > > Subject: Re: Mail Servers blocking BAD Helo
> > > >
> > > > Well the technical side of me says if they do not conform to the 
> > > > SMTP RFC's then it's the ISP's fault....
> > > >
> > > > However, the business side of me says you must keep your customers 
> > > > happy, they are the ones thay pay your salary and all your toys.  
> > > > Even
> > > >      
> > > >
> > > > if it means not implementing something because another vendor isn't 
> > > > doing something right.
> > > >
> > > > If you are an ISP, your customers demand and should expect reliable 
> > > > e-mail communications.
> > > >
> > > > We have our SPAM filters turned quite high and blocking the majority
> > > >      
> >
> >  
> >
> > > > of foreign countries, but we have a couple customers that require 
> > > > email to/from specific countries, so we have opened up those 
> > > > specific
> > > >      
> > > needs.
> > >    
> > >
> > > > If your customer can't receive e-mail from someone they wish to 
> > > > communicate with, they will leave your business for someone who will
> > > >      
> >
> >  
> >
> > > > provide them the service.  They don't know about, nor do they care 
> > > > about RFC conformity, they just want their e-mail.
> > > >
> > > > It's a delicate balance.
> > > >
> > > > brandon () xcodes net wrote:
> > > >
> > > >      
> > > >
> > > > > Hi People,
> > > > >
> > > > > Not quite sure if this is OT but would require opinions to assist 
> > > > > me in
> > > > >        
> > > > >
> > > > > making decision of whether to block "BAD HELO" at SMTP level.  
> > > > > Below is
> > > > >        
> > > > >
> > > > > a brief desciption of the situation:
> > > > > My company's mail server are reciving alot of spams with non-DQDN 
> > > > > HELO greetings during the smtp conversation.  We are using 2 
> > > > > front-end MX servers whcih does smtp routes to the relevant POP 
> > > > > servers.  We have actually tried to implement blocking of all helo 
> > > > > greetings that are not
> > > > >        
> > > > >
> > > > > in FQDN format on one of the servers and the result seems to be
> > > > >        
> > good.
> >  
> >
> > > > > However, the only problem that we faced is there other other ISP 
> > > > > ain't using FQDN in their HELO greetings.
> > > > >
> > > > > We do have a couple of clients who are complaining that they are 
> > > > > unable
> > > > >        
> > > > >
> > > > > to receive mails from certain ISPs, which from our checks in the 
> > > > > SMTP
> > > > >        
> > > > >
> > > > > logs, the servers are using "MySMTP1" sort of HELO greetings.
> > > > >
> > > > > Now my management are asking me on this issue if we should fully 
> > > > > implement such feature across the other MX servers or should we 
> > > > > withdraw such feature fully from the MX servers.  From my readings 
> > > > > on
> > > > >        
> > > > >
> > > > > the SMTP RFCs, they have indicated that SMTP servers must configure
> > > > >        
> >
> >  
> >
> > > > > its
> > > > >        
> > > > >
> > > > > hostname to FQDN which will be used in HELO Greetings(if im not
> > > > >        
> > > wrong).
> > >    
> > >
> > > > > Im also wondering if there are any other ISP using such 
> > > > > implementation(Blocking BAD HELO greetings) on their SMTP Servers, 
> > > > > any idea?
> > > > >
> > > > > Would welcome all opinions on this issue.
> > > > >
> > > > > Thanks
> > > > > Brandon
> > > > >
> > > > >
> > > > >
> > > > >        
> > > >      
> > > --
> > > rgds
> > > Brandon
> > >
> > >
> > >    
> >
> >
> > --
> > rgds
> > Brandon
> >  
--

Attachment: signature.asc
Description: This is a digitally signed message part