From: Lionel B. <lio...@bo...> - 2005-01-13 09:55:11
Michel Bouissou wrote the following on 01/13/05 09:34:
> Hi there,
>
> I've noticed that some viruses happen to pass the greylisting because they
> "insist" enough with the same From/To/IP_address triplet. However, they don't
> always use the same HELO string (I've seen some that use some machine name,
> always the same, but randomly append .com, .net or .org, which gives 3
> possibilities: machine.com, machine.net or machine.org coming from the same
> IP).
>
> Given that legit mailservers always use the same HELO string;
>
> Given that some viruses don't, and some spambots use random HELO strings;
>
> I propose that the HELO string should be added at least to the "connect" table
> and be taken into account as well as the already considered parameters.

I thought of that and even discussed this very same idea on postfix-users some
time ago. I didn't have practical data to back my claims. Good to know that this
wasn't only theoretical.

There's a new thing to take into consideration since then: smart and classc
greylisting algorithms. The problem is that connect and awl entries now can
reference whole classc networks to cover for the farm of outgoing mailservers
trying to send the same e-mail. In this particular case, if they don't use the
same HELO string to connect (probably the case if they use their public
hostname), these algorithms are defeated.

> I suggest that it could be good to consider adding it to the AWL tables as
> well (may be useful in isolating spam where both a legitimate mailserver and
> illegitimate zombies come from the same IP address, i.e. a LAN with NAT
> hosting both a legit mailserver and unlegit zombies which shouldn't send mail
> directly).

That was the reason I brought up for adding the HELO string to the greylisting
process. We could use it when the 'full' algorithm is used or when there's no
valid reverse DNS when the 'smartc' algorithm is used.

Added to my TODO, 1.5.x or later. That will have to be tested carefully
though...

Lionel.
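The two effects discussed in this exchange, a HELO-rotating virus slipping past triplet greylisting and a classc entry being defeated when a relay farm uses per-host HELO names, can be reproduced with a small simulator. The code below is an added illustration, not code from the mailing list or from any greylisting daemon; the key layout, the 300-second delay, and every address, hostname and timestamp are constructed assumptions.

```python
"""Greylisting keyed on the classic (sender, recipient, client IP) triplet
versus the same key extended with the HELO string.

Added illustration for the thread above; not code from the mailing list or
from any greylisting daemon.  All addresses, hostnames and timings below are
constructed sample data."""
from dataclasses import dataclass, field
import ipaddress

# Seconds a never-seen key must be retried after before it is accepted.
# Assumed value; real daemons make this configurable.
GREYLIST_DELAY = 300


@dataclass
class Greylister:
    use_helo: bool           # include the HELO string in the greylisting key
    classc: bool = False     # collapse the client IP to its /24 ("classc" mode)
    first_seen: dict = field(default_factory=dict)

    def _key(self, sender, rcpt, ip, helo):
        client = ip
        if self.classc:
            # A farm of outgoing relays in one /24 shares a single entry.
            client = str(ipaddress.ip_network(f"{ip}/24", strict=False))
        key = (sender.lower(), rcpt.lower(), client)
        if self.use_helo:
            key += (helo.lower(),)
        return key

    def check(self, sender, rcpt, ip, helo, now):
        """Return 'DEFER' on a new or too-recent key, 'ACCEPT' once the
        same key has retried after GREYLIST_DELAY seconds."""
        key = self._key(sender, rcpt, ip, helo)
        if key not in self.first_seen:
            self.first_seen[key] = now
            return "DEFER"
        if now - self.first_seen[key] >= GREYLIST_DELAY:
            return "ACCEPT"
        return "DEFER"


def run_scenario(use_helo, classc, attempts):
    """Feed a sequence of (sender, rcpt, ip, helo, time) attempts to a fresh
    greylister and return the verdict for each attempt."""
    g = Greylister(use_helo=use_helo, classc=classc)
    return [g.check(*attempt) for attempt in attempts]


# Constructed: one infected host retrying the same message, rotating its HELO
# between machine.com / machine.net / machine.org as described in the thread.
VIRUS_ROTATING_HELO = [
    ("victim@example.net", "user@example.org", "198.51.100.7", "machine.com", 0),
    ("victim@example.net", "user@example.org", "198.51.100.7", "machine.net", 400),
    ("victim@example.net", "user@example.org", "198.51.100.7", "machine.org", 800),
]

# Constructed: a legitimate relay farm in 192.0.2.0/24 retrying from a
# different host, first with one shared HELO, then with per-host hostnames.
FARM_SHARED_HELO = [
    ("news@example.com", "user@example.org", "192.0.2.10", "mx.example.com", 0),
    ("news@example.com", "user@example.org", "192.0.2.11", "mx.example.com", 400),
]
FARM_OWN_HOSTNAMES = [
    ("news@example.com", "user@example.org", "192.0.2.10", "mx1.example.com", 0),
    ("news@example.com", "user@example.org", "192.0.2.11", "mx2.example.com", 400),
]

if __name__ == "__main__":
    print("virus, triplet only:      ", run_scenario(False, False, VIRUS_ROTATING_HELO))
    print("virus, triplet + HELO:    ", run_scenario(True, False, VIRUS_ROTATING_HELO))
    print("farm, classc, shared HELO:", run_scenario(True, True, FARM_SHARED_HELO))
    print("farm, classc, own HELOs:  ", run_scenario(True, True, FARM_OWN_HOSTNAMES))
```

The first two runs show Michel's observation: with the triplet alone the virus is accepted on its second retry, while keying on the HELO string as well keeps every rotated attempt as a brand-new entry. The last run shows Lionel's caveat: a classc entry that also carries the HELO string never matures when each relay in the farm announces its own hostname, which is why the thread proposes using the HELO string only under the 'full' algorithm or when no valid reverse DNS is available under 'smartc'.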