Subject: Re: Sendmail and spam question
To: Chuck Yerkes <chuck+nbsd@2003.snew.com>
From: John Klos <john@sixgirls.org>
List: netbsd-help
Date: 07/30/2003 17:41:19
Hi,

> > 1) That the IP address of the connecting server is in the list of IPs
> > returned by DNS A and MX RR of the name given in HELO/EHLO.
>
> So if my server says "HELO internal-only-interface-name" like
> so many dual homed machines do, you don't accept?

Yes, of course. The RFC is quite clear that the server MUST provide a
correct name or address literal. And an internal-only-interface-name is
not a correct name or address literal in the context of an SMTP server
on the Internet.

> > 2) That if HELO/EHLO gives an address literal, the address matches that of
> > the connecting server (Sendmail doesn't do this check!)
> For good reason.

I am quite amazed that Sendmail doesn't already do this. I think I'll
email them.

> > 3) (optional) Simply reject email from mail servers which try to give an
> > address literal.
>
> eww.

If a person doesn't have DNS set up, then he / she should not be running
an SMTP server, I think. Registering a domain and pointing a record at a
machine is easy no matter what kind of connection the server has. There
are also tons of free DNS services, both static and dynamic.

This is primarily an option I'd like to have because of the explosive
growth of infected Windows computers which are used to send SPAM. Most
will not have DNS pointing to them because they were never intended to be
SMTP servers. While they could use the DNS name given by the upstream ISP,
I see a lot of email which appears to come from infected computers using
address literals. I've seen no legitimate email come from a server which
uses an address literal, and if I did, I'd contact that email server's
administrator.

> > Now, if someone could help me figure out how to have Sendmail check these,
> > I'd be very, very appreciative!
>
> Examine the mail that's NOT spam and see how many break this behaviour.
> I did a "DEFER" on all mail without reverse DNS.  Several non-spam messages
> (key being more than none) failed this test.  DEFER meant that I could
> log it for a day, remove the test and the mail did not get lost.

Yes, I've examined all of the mail going through my server (about 8-10
thousand a day, which I guess I should have mentioned).  Aside from one
false positive, I have not seen any legitimate email come from machines
which would fail my simple criteria.

> The best way to check for spam is to check the CONTENT of the mail.
> Checking "HELO" might be worth NOTING in, say, spamassassin, but
> it's not worth giving it a full YEAH/NAY decision power on.

I disagree. While content checking might be useful, I am not interested in
that. That will never be anything but a temporary stop-gap. On the other
hand, whether or not the connecting server is set up p
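The three criteria listed at the top of this thread, plus the log-first "DEFER" rollout Chuck describes, can be expressed as a small policy function. The code below is an added illustration, not code from either poster and not Sendmail's own logic; it assumes an in-memory stand-in for DNS (`FAKE_DNS`, `fake_resolve`) so it runs offline, and the function names `helo_addresses`, `check_helo` and `helo_policy` are its own.

```python
import ipaddress
import re

# Constructed, offline stand-in for DNS (assumption: not real zone data).
# Maps a hostname to its A and MX records; MX values are hostnames.
FAKE_DNS = {
    "mail.example.org": {"A": ["192.0.2.10"], "MX": []},
    "mx.example.org": {"A": ["192.0.2.10", "192.0.2.11"], "MX": []},
    "example.com": {"A": [], "MX": ["mx.example.org"]},
}


def fake_resolve(name, rrtype):
    """Return the records of the given type for a name, or [] if none."""
    return list(FAKE_DNS.get(name.lower().rstrip("."), {}).get(rrtype, []))


# RFC 2821 address literal: "[192.0.2.10]" or "[IPv6:2001:db8::1]".
ADDRESS_LITERAL = re.compile(r"^\[(?:IPv6:)?([^\]]+)\]$", re.IGNORECASE)


def helo_addresses(helo, resolve=fake_resolve):
    """Check 1 helper: IPs from the A records of the HELO name plus the A
    records of every host named by its MX records."""
    ips = set(resolve(helo, "A"))
    for mx_host in resolve(helo, "MX"):
        ips.update(resolve(mx_host, "A"))
    return ips


def check_helo(helo, peer_ip, reject_literals=False, resolve=fake_resolve):
    """Apply the three HELO/EHLO criteria to one connection.

    Returns (verdict, reason) with verdict "accept" or "reject".
    """
    peer = ipaddress.ip_address(peer_ip)
    literal = ADDRESS_LITERAL.match(helo.strip())
    if literal:
        # Check 3 (optional): refuse any address literal outright.
        if reject_literals:
            return "reject", "address literals are not accepted"
        # Check 2: the literal must name the connecting address.
        try:
            claimed = ipaddress.ip_address(literal.group(1))
        except ValueError:
            return "reject", "malformed address literal"
        if claimed == peer:
            return "accept", "address literal matches connecting address"
        return "reject", "address literal %s != connecting address %s" % (claimed, peer)
    # Check 1: the connecting IP must be among the A/MX-derived addresses.
    candidates = {ipaddress.ip_address(a) for a in helo_addresses(helo, resolve)}
    if peer in candidates:
        return "accept", "HELO name resolves to connecting address"
    if not candidates:
        return "reject", "HELO name has no A or MX records"
    return "reject", "connecting address not among %s" % sorted(map(str, candidates))


def helo_policy(helo, peer_ip, enforce=False, reject_literals=False,
                log=None, resolve=fake_resolve):
    """Log-first rollout: with enforce=False a failing connection is only
    logged (the DEFER approach), so no mail is lost while the false-positive
    rate is measured; with enforce=True the connection is rejected."""
    verdict, reason = check_helo(helo, peer_ip, reject_literals, resolve)
    if verdict == "reject" and log is not None:
        log.append("helo=%s peer=%s %s: %s"
                   % (helo, peer_ip, "REJECT" if enforce else "DEFER", reason))
    if verdict == "reject" and not enforce:
        return "accept", "logged only: " + reason
    return verdict, reason


if __name__ == "__main__":
    audit = []
    samples = [  # constructed connections, not real traffic
        ("mail.example.org", "192.0.2.10"),
        ("example.com", "192.0.2.11"),
        ("internal-only-interface-name", "192.0.2.10"),
        ("[192.0.2.10]", "192.0.2.10"),
        ("[192.0.2.10]", "198.51.100.5"),
    ]
    for helo, peer in samples:
        print(helo, peer, helo_policy(helo, peer, enforce=False, log=audit))
    for line in audit:
        print(line)
```

Running it in the default log-only mode accepts every sample but writes a DEFER line for the ones that would fail; flipping `enforce=True` turns those into rejections. A real deployment would replace `fake_resolve` with a resolver call and would look up A and MX records of the HELO name exactly as the function does here, since that is what check 1 asks for.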