How to disconnect if HELO gives my own IP address as client's host name?

  • Rich Wales
    Message 1 of 6, Nov 27, 2005
      I've been experiencing a huge number of spam attempts in which
      the host name given by the client in the HELO command is my own
      SMTP server's IP address (i.e., HELO 171.66.155.243). As far
      as I can tell from my logs, the IP address in this case is =not=
      surrounded by square brackets.

      The recipient address in these SMTP sessions is almost always a
      random user name at my domain (which, of course, is rejected as
      unknown). On those rare occasions when a valid user name at my
      domain is given as the recipient (e.g., attempted delivery to a
      long list of user names, only one of which is valid), examination
      of the mail has confirmed it is indeed spam.

      I can't think of any possible legitimate reason why a "real" MTA
      would ever try to use the receiving server's IP address as its
      own host name in a HELO command (kind of like saying "Hi, I don't
      know your name, but I'm you"). And I can't really imagine trying
      (or even wanting to try) to track these connections down in order
      to see what's wrong. I'm inclined to simply disconnect as soon as
      I see the obviously bogus HELO, and accept the (minimal) risk of
      thereby losing some legitimate mail.

      Please note that I'm =not= saying I want my SMTP server to reject
      connections from itself. I'm saying I want to reject connections
      that (falsely) use my server's IP address as their host name in
      their HELO. Presumably, if my SMTP server were ever to try to do
      a connection to itself (does Postfix ever do this?), it would use
      its host name in the HELO, rather than its IP address.

      Now, I suppose I can use "check_helo_access" (with a suitable map)
      to catch and reject my own IP address used as a host name -- and
      additionally set "smtpd_hard_error_limit = 0" to cause an immediate
      disconnect after a single error. Is this the best way? Is it the
      only way?

      Rich Wales
      Palo Alto, California, USA
      richw@...
    • Wietse Venema
      Message 2 of 6, Nov 27, 2005
        See http://archives.neohapsis.com/archives/postfix/2004-03/2786.html

        And don't set the smtpd hard error count limit to 0, that disables it.

        Wietse
      • Rich Wales
        Message 3 of 6, Nov 27, 2005
          Wietse Venema wrote:

          > And don't set the smtpd hard error count limit to 0,
          > that disables it.

          OK, then, if I set it to 1, will that disconnect right away
          after the first error? Or will it disconnect only when the
          limit of 1 is "exceeded" (i.e., disconnect on the second
          error)?

          If I would have to wait for a second error before Postfix
          disconnects, I don't know if I can do what I want to do,
          because the second error presumably wouldn't happen until
          a subsequent RCPT command specified an unknown local address.

          Rich Wales richw@... http://www.richw.org
        • Magnus Bäck
          Message 4 of 6, Nov 27, 2005
            On Sunday, November 27, 2005 at 21:02 CET,
            Rich Wales <richw@...> wrote:

            > I've been experiencing a huge number of spam attempts in which
            > the host name given by the client in the HELO command is my own
            > SMTP server's IP address (i.e., HELO 171.66.155.243). As far
            > as I can tell from my logs, the IP address in this case is =not=
            > surrounded by square brackets.

            Even worse, then.

            [...]

            > Please note that I'm =not= saying I want my SMTP server to reject
            > connections from itself. I'm saying I want to reject connections
            > that (falsely) use my server's IP address as their host name in
            > their HELO. Presumably, if my SMTP server were ever to try to do
            > a connection to itself (does Postfix ever do this?), it would use
            > its host name in the HELO, rather than its IP address.

            Indeed, but by putting permit_mynetworks before check_helo_access it
            doesn't matter what happens if Postfix should connect to itself.

            > Now, I suppose I can use "check_helo_access" (with a suitable map)
            > to catch and reject my own IP address used as a host name -- and
            > additionally set "smtpd_hard_error_limit = 0" to cause an immediate
            > disconnect after a single error. Is this the best way? Is it the
            > only way?

            If you really want to mess with smtpd_hard_error_limit, set it to one.
            But if you're going to reject messages with the fake HELO hostnames
            anyway, why bother changing smtpd_hard_error_limit?

            --
            Magnus Bäck
            magnus@...
          • Rich Wales
            Message 5 of 6, Nov 27, 2005
              Magnus Bäck wrote:

              > If you really want to mess with smtpd_hard_error_limit,
              > set it to one.

              OK, I understand now (and also tried it on a testing site to see
              how it works). smtpd_hard_error_limit=1 is indeed what I want.

              I would suggest that the documentation for this configuration
              option (postconf.5.html#smtpd_hard_error_limit) should be revised
              to say that the server disconnects when the limit is =reached=.
              Saying (as it does now) that disconnection happens when the limit
              is =exceeded= will be understood by most readers as meaning "when
              the number of errors becomes greater than the limit" -- hence my
              initial confusion in thinking that I needed to set the limit to
              zero in order to disconnect when the number of errors reached one.

              In order to disconnect immediately after the bad HELO command,
              it appears I must also set "smtpd_delay_reject=no"; otherwise,
              the error doesn't appear until after the RCPT command. I recall
              some people saying that smtpd_delay_reject=no is a bad thing to
              do; what specific kinds of problems might I expect to see if I
              disconnect immediately after the first error (no matter when in
              the SMTP dialogue it happens to occur)?

              > But if you're going to reject messages with the fake HELO
              > hostnames anyway, why bother changing smtpd_hard_error_limit?

              Because if a client is committing this particular faux pas, I
              want nothing to do with it at all; I want to disconnect ASAP.
              I realize I won't get to see any MAIL or RCPT info from the
              client, but I frankly don't care (because I know it's going
              to be spam anyway). The error in my log saying that I got an
              invalid HELO from a given client host name / IP address is
              really all I need or want to see in this situation.

              Rich Wales richw@... http://www.richw.org
            • Victor Duchovni
              Message 6 of 6, Nov 27, 2005
                On Sun, Nov 27, 2005 at 08:33:12PM -0800, Rich Wales wrote:

                > Magnus Bäck wrote:
                >
                > >If you really want to mess with smtpd_hard_error_limit,
                > >set it to one.
                >
                > OK, I understand now (and also tried it on a testing site to see
                > how it works). smtpd_hard_error_limit=1 is indeed what I want.
                >
                > I would suggest that the documentation for this configuration
                > option (postconf.5.html#smtpd_hard_error_limit) should be revised
                > to say that the server disconnects when the limit is =reached=.
                > Saying (as it does now) that disconnection happens when the limit
                > is =exceeded= will be understood by most readers as meaning "when
                > the number of errors becomes greater than the limit" -- hence my
                > initial confusion in thinking that I needed to set the limit to
                > zero in order to disconnect when the number of errors reached one.
                >
                > In order to disconnect immediately after the bad HELO command,
                > it appears I must also set "smtpd_delay_reject=no"; otherwise,
                > the error doesn't appear until after the RCPT command. I recall
                > some people saying that smtpd_delay_reject=no is a bad thing to
                > do; what specific kinds of problems might I expect to see if I
                > disconnect immediately after the first error (no matter when in
                > the SMTP dialogue it happens to occur)?
                >

                Many SMTP clients (including Postfix) do not take a 5XX during
                the SMTP greeting (or the HELO phase) to be a permanent error,
                and will keep on trying to deliver the mail until it expires.

                This means any legitimate senders who are collateral damage to
                the proposed policy don't find out that their mail is not getting
                through until days after they sent it.

                If you must reject bad helo strings and hang-up, do it in response
                to "mail from:".

                smtpd_delay_reject = no
                smtpd_client_restrictions =
                smtpd_helo_restrictions =
                smtpd_sender_restrictions =
                    check_helo_access ...
                    ... more UCE checks for all clients ...
                    permit_mynetworks,
                    ... more UCE checks for untrusted clients ...
                smtpd_recipient_restrictions =
                    permit_mynetworks,
                    permit_sasl_authenticated,
                    reject_unauth_destination

                Error limit of 1 is also dangerous if you persistently return 4XX for
                some recipient dependent error conditions. The good recipients never
                make it through. Make sure all the various reject codes are set to 5XX.

                --
                Viktor.

                Disclaimer: off-list followups get on-list replies or get ignored.
                Please do not ignore the "Reply-To" header.

                To unsubscribe from the postfix-users list, visit
                http://www.postfix.org/lists.html or click the link below:
                <mailto:majordomo@...?body=unsubscribe%20postfix-users>

                If my response solves your problem, the best way to thank me is to not
                send an "it worked, thanks" follow-up. If you must respond, please put
                "It worked, thanks" in the "Subject" so I can delete these quickly.
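
As an added example, and not configuration written by anyone in the thread, here are the two setups discussed above side by side: the first message's proposal, commented out, and a version that follows the replies from Wietse, Magnus and Viktor (rejection at MAIL FROM, error limit of 1, permit_mynetworks ahead of the HELO check, all reject codes 5XX). The address 171.66.155.243 is the one from the first message. The file names /etc/postfix/main.cf and /etc/postfix/helo_access, the hash: map type and the smtpd_helo_required line are assumptions added here.

```ini
# --- /etc/postfix/main.cf -------------------------------------------------
# Postfix does not accept a comment after a value on the same line, so every
# comment in this file sits on a line of its own.

# (a) The proposal from the thread's first message, kept here commented out
#     because the replies explain why it does not do what was intended:
#     smtpd_hard_error_limit = 0 disables the limit, and with the default
#     smtpd_delay_reject = yes the HELO rejection is only reported at RCPT TO.
#
# smtpd_hard_error_limit = 0
# smtpd_helo_restrictions = check_helo_access hash:/etc/postfix/helo_access

# (b) Settings that follow the replies.
# Assumption added here: a client that never sends HELO/EHLO is otherwise
# never subject to the HELO check at all.
smtpd_helo_required = yes
# Evaluate the restrictions at the stage they belong to, so the HELO
# rejection is reported in the reply to MAIL FROM rather than RCPT TO.
smtpd_delay_reject = no
# The server disconnects when the error count REACHES this value, so 1 means
# "after the first error".  0 would disable the limit.
smtpd_hard_error_limit = 1

# Client and HELO stages are deliberately left empty: the first rejection a
# client can receive is the reply to MAIL FROM.  Many clients treat a 5XX at
# the greeting or HELO as temporary and keep retrying until the mail expires.
# permit_mynetworks comes first so that the server's own connections to
# itself can never be caught by the HELO check.
smtpd_client_restrictions =
smtpd_helo_restrictions =
smtpd_sender_restrictions =
    permit_mynetworks,
    check_helo_access hash:/etc/postfix/helo_access
smtpd_recipient_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_unauth_destination

# With an error limit of 1 every rejection must be a permanent 5XX.  The
# unknown-user rejection mentioned in the thread already is one; 550 is the
# default, written out here to make the dependency visible.
unknown_local_recipient_reject_code = 550

# --- /etc/postfix/helo_access  (build with: postmap /etc/postfix/helo_access)
# The server's own address, both as the bare string seen in the logs and in
# the bracketed address-literal form a conforming client would send.
171.66.155.243      REJECT Forged HELO: that is this server's own address
[171.66.155.243]    REJECT Forged HELO: that is this server's own address
```

Run postmap on the access file after every edit and reload Postfix. The 5XX requirement reaches further than the unknown-user case: restrictions whose outcome depends on a DNS lookup default to a 450 reply (unknown_hostname_reject_code and unknown_address_reject_code, for example), so with smtpd_hard_error_limit = 1 a transient DNS failure would cost a legitimate client its whole session. Either keep such checks out of the lists above or change their codes knowingly, as Viktor's last paragraph advises.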