Subject: Re: Sendmail and spam question
To: None <netbsd-help@NetBSD.org>
From: Chuck Yerkes <chuck+nbsd@2003.snew.com>
List: netbsd-help
Date: 07/30/2003 15:16:28
Quoting John Klos (john@sixgirls.org):
> Hello,
> 
> First, I wish to make it clear that I do not want to start a discussion
> about whether or not I should be doing what I want to do. Whether or not
> anyone believes that there are good reasons for servers to lie about who
> they are is not something I care to discuss.
> 
> I'd like to ask for someone's help to configure Sendmail to perform some
> very basic tests. The tests I'd like to do are very simple.
> 
> RFC 2821 says that we "SHOULD NOT" check HELO/EHLO names, but it also says
> that sending servers "MUST" give a proper HELO/EHLO name or address
> literal (RFC defined "SHOULD NOT" and "MUST"). So on my more aggressive
> host, I'd like to do the following checks:
> 
> 1) That the IP address of the connecting server is in the list of IPs
> returned by DNS A and MX RR of the name given in HELO/EHLO.

So if my server says "HELO internal-only-interface-name" like
so many dual homed machines do, you don't accept?

> 2) That if HELO/EHLO gives an address literal, the address matches that of
> the connecting server (Sendmail doesn't do this check!)
For good reason.

> 3) (optional) Simply reject email from mail servers which try to give an
> address literal.

eww.

> I've examined all of the spam I've received over the past few months, and
> it seems that around 75% of all of the spam that does get past my current
> filters (spamcop and orbd) would be blocked by #1, and that of all of the
> servers which connect with address literals, half would be rejected by #2.
> I have seen one false positive (the admin of the sending server was happy
> to add a DNS entry for his SMTP server), and no instance of legitimate
> email which came from a server which used an address literal.
> 
> Now, if someone could help me figure out how to have Sendmail check these,
> I'd be very, very appreciative!

Examine the mail that's NOT spam and see how many break this behaviour.
I did a "DEFER" on all mail without reverse DNS.  Several non-spam messages
(key being more than none) failed this test.  DEFER meant that I could
log it for a day, remove the test and the mail did not get lost.


The best way to check for spam is to check the CONTENT of the mail.
Checking "HELO" might be worth NOTING in, say, SpamAssassin, but
it's not worth giving it a full YEAH/NAY decision power on.

Dual-homed machines, NAT boxes and (big one) the fact that the RFCs
don't mandate that the HELO argument must be reversible etc.

The RMX proposals fail pretty badly too.

I use SpamAssassin extensively and it's done me well, for free.
I do things like add a point if there's no reverse DNS for the
relay.  I can't block - too many REALLY CLUEFUL people have clueless
ISPs.  Often it's without real choice (clueless ISP @10Mb/s or
28800 modem - pick one).  I can't punish them for it, but I
can give the note a bump towards spam tagging.

Content keeps it down.
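The two HELO checks asked about above (the connecting address appearing among the A records of the HELO name and of its MX hosts, and an address literal matching the peer), together with the reply's advice to treat such findings as SpamAssassin-style points rather than a reject and to trial a rule with DEFER so nothing is lost, as an added example that is part of neither message and is not Sendmail's own code. DNS is a constructed in-memory table with hypothetical names in RFC 5737 documentation ranges; the rule names, point values and tagging threshold are assumptions, chosen so that HELO evidence alone can never reach the threshold.

```python
"""HELO/EHLO checks scored as evidence, not as a verdict.

All DNS data is a constructed in-memory table standing in for A, MX and
PTR lookups; names and addresses are hypothetical (RFC 5737 ranges).
"""
import ipaddress
import re

# Constructed lookup tables (hypothetical names, documentation addresses).
DNS_A = {
    "mail.example.org": ["192.0.2.10"],
    "mx2.example.org": ["192.0.2.11"],
    "relay.example.net": ["198.51.100.5"],
    # A dual-homed host that HELOs with its internal-only interface name
    # has no public A record at all, so it is deliberately absent here.
}
DNS_MX = {
    "example.org": ["mail.example.org", "mx2.example.org"],
}
DNS_PTR = {
    "192.0.2.10": "mail.example.org",
    "192.0.2.11": "mx2.example.org",
    "198.51.100.5": "relay.example.net",
}

# RFC 2821 address literal: "[192.0.2.10]" or "[IPv6:2001:db8::1]".
ADDRESS_LITERAL = re.compile(r"^\[(IPv6:)?([0-9A-Fa-f:.]+)\]$")

# Assumed rule weights and SpamAssassin-style required score.
POINTS = {
    "HELO_LITERAL_MALFORMED": 2.0,
    "HELO_LITERAL_MISMATCH": 2.0,
    "HELO_LITERAL": 0.5,        # check #3 as a note only, never a reject
    "HELO_NO_RECORDS": 1.0,     # the dual-homed / NAT box case
    "HELO_IP_MISMATCH": 1.5,
    "NO_REVERSE_DNS": 1.0,      # the reply's own "add a point" rule
}
TAG_THRESHOLD = 5.0


def helo_ips(helo):
    """Check #1: addresses reachable from the HELO name via its A records
    and the A records of its MX hosts."""
    ips = set(DNS_A.get(helo, []))
    for mx_host in DNS_MX.get(helo, []):
        ips.update(DNS_A.get(mx_host, []))
    return ips


def score_helo(helo, peer_ip):
    """Return (score, reasons) for one SMTP session's HELO argument."""
    reasons = []
    peer = ipaddress.ip_address(peer_ip)

    m = ADDRESS_LITERAL.match(helo)
    if m:
        # Check #2: an address literal must name the connecting peer.
        try:
            literal = ipaddress.ip_address(m.group(2))
        except ValueError:
            reasons.append("HELO_LITERAL_MALFORMED")
        else:
            reasons.append("HELO_LITERAL_MISMATCH" if literal != peer
                           else "HELO_LITERAL")
    else:
        ips = helo_ips(helo)
        if not ips:
            reasons.append("HELO_NO_RECORDS")
        elif str(peer) not in ips:
            reasons.append("HELO_IP_MISMATCH")

    if str(peer) not in DNS_PTR:
        reasons.append("NO_REVERSE_DNS")

    return sum(POINTS[r] for r in reasons), reasons


def disposition(helo, peer_ip, content_score=0.0):
    """Combine HELO evidence with a separately computed content score.
    The HELO rules sum to at most 3.0, so they never tag on their own."""
    score, reasons = score_helo(helo, peer_ip)
    total = score + content_score
    return ("TAG" if total >= TAG_THRESHOLD else "ACCEPT"), total, reasons


def trial_policy(helo, peer_ip, log):
    """Trial a candidate rule the DEFER way: answer with a temporary
    failure and log it, so a legitimate sender simply retries later."""
    _, reasons = score_helo(helo, peer_ip)
    if "NO_REVERSE_DNS" in reasons:
        log.append(f"DEFER helo={helo} peer={peer_ip} "
                   f"reasons={','.join(reasons)}")
        return "450 4.7.1 Temporary policy failure, try again later"
    return "250 OK"
```

A real deployment would replace the three tables with resolver calls (and cache them), and would feed the HELO points into the same scorer that handles content; the point of keeping them as separate rules is that each one can be turned down or removed once the DEFER log shows how much legitimate mail it catches.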