
EHLO/HELO [was blacklists]



On Tuesday 07 December 2004 17:55, Michael Loftis wrote:
> --On Wednesday, December 08, 2004 08:47 +1100 Craig Sanders <cas@taz.net.au> wrote:
> >> Now I reject by 554 code...  should I change to 4xx?
> >
> > if it suits your needs.  i wouldn't.
>
> I have to agree with that statement.  For us it suits our needs very
> well. I don't mind handling the extra retry traffic if it means
> legitimate mail on a 'grey/pink' host is just temporarily rejected or
> delayed while they clean up, in fact this is far more desirable for us.
> Complaints of 'lost' mail went up when we were using permanent fatal
> codes as an experiment. Yes legitimate hosts get blacklisted, but
> legitimate hosts will retry, and if they don't, well, it's their problem,
> not ours.  We're telling them 454 listed on spamcop see URL of whatever
> (I'm obviously paraphrasing)

I've been following this thread with great interest.

I'm wondering if the same 4XX technique could apply to EHLO/HELO 
checks--with automatic whitelisting thrown in.

If spammers never retry, couldn't you watch the logs and when you see a 
retry, add that IP to EHLO/HELO whitelist?  (And generate a report so you 
can check up on this later.)  Folks on the courier-user list have reported 
that the EHLO/HELO whitelist becomes quite stable after a while.

I've recently turned on EHLO/HELO validation and am encouraged by how 
effective it is.  With RBLs (spamcop and dnsbl) and SpamAssassin 3, only 
88% of spam was stopped.  So far, it's 100%.  (This is a _very_ small 
sample--one email account for one day, but the change is dramatic from my 
perspective.)

And what's to stop spammers from starting to retry?  Does it double their 
cost of doing business?  If I then require a second retry, does it triple 
their cost?

If I want to hack the courier backport package to force an invalid EHLO to 
get a 4XX instead of the hardcoded 517, are these the correct steps (taken 
from Debian Quick Reference, Ch. 3):

apt-get source courier
dpkg-source courier.dsc
cd courier-0.47
... edit source
dpkg-buildpackage -rfakeroot -us -uc
su -c "dpkg -i courier-mta.deb"

Is that correct?

How do I change the newly-built package name, and what do I change it to so 
apt-get update/upgrade will find a new release uploaded to backports.org?

Regards,

Mark

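The retry-watching idea in the post above (temp-fail on a bad EHLO/HELO, then whitelist the senders that come back, and keep a report to audit later), worked through as an added example that is not code from the thread or from Courier. The log format is an assumed one-line-per-rejection layout constructed for this example, not Courier's own log syntax, so the regex would need adapting to a real log. Two details matter for a defender: only attempts spaced apart by a minimum interval count as a retry (a real MTA backs off; a burst of identical attempts within seconds is not a retry and should not earn a whitelist entry), and the output is a candidate list plus a report rather than a direct whitelist write, because a spammer that starts retrying would otherwise whitelist itself, which is exactly the concern raised in the post. The `min_retries` parameter covers the "require a second retry" variant.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log in an assumed format (not Courier's real log syntax):
#   "<ISO timestamp> tempfail ip=<addr> helo=<name> code=<smtp code>"
# 192.0.2.10 retries properly (15 min, then ~1 h apart); 198.51.100.7 hammers
# twice within a second; 203.0.113.5 never comes back.
SAMPLE_LOG = """\
2004-12-08T08:47:01 tempfail ip=192.0.2.10 helo=mail.example.net code=450
2004-12-08T08:47:02 tempfail ip=198.51.100.7 helo=localhost code=450
2004-12-08T08:47:03 tempfail ip=198.51.100.7 helo=localhost code=450
2004-12-08T09:02:15 tempfail ip=192.0.2.10 helo=mail.example.net code=450
2004-12-08T09:30:00 tempfail ip=203.0.113.5 helo=friend code=450
2004-12-08T10:05:40 tempfail ip=192.0.2.10 helo=mail.example.net code=450
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) tempfail ip=(?P<ip>\S+) helo=(?P<helo>\S+) code=(?P<code>\d{3})$"
)


def parse_log(text):
    """Yield (timestamp, ip, helo) for every 4xx rejection line; other lines are ignored."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m and m.group("code").startswith("4"):
            yield datetime.fromisoformat(m.group("ts")), m.group("ip"), m.group("helo")


def find_retriers(events, min_retries=1, min_gap=timedelta(minutes=5)):
    """Group rejections per IP and keep the IPs that came back at least min_retries times.

    Only attempts separated by min_gap count as distinct deliveries: a well-behaved MTA
    backs off between retries, so a burst of identical attempts within seconds is one
    delivery being hammered, not evidence of a queue that retries.
    """
    attempts = defaultdict(list)  # ip -> [(timestamp, helo), ...]
    for ts, ip, helo in events:
        if attempts[ip] and ts - attempts[ip][-1][0] < min_gap:
            continue
        attempts[ip].append((ts, helo))
    return {ip: a for ip, a in attempts.items() if len(a) - 1 >= min_retries}


def whitelist_candidates(log_text, min_retries=1, min_gap=timedelta(minutes=5)):
    """Return sorted 'ip helo' entries for review before they go into the whitelist."""
    retriers = find_retriers(parse_log(log_text), min_retries, min_gap)
    return sorted(f"{ip} {attempts[-1][1]}" for ip, attempts in retriers.items())


def retry_report(log_text, min_retries=1, min_gap=timedelta(minutes=5)):
    """One report line per candidate so the whitelist can be audited later."""
    retriers = find_retriers(parse_log(log_text), min_retries, min_gap)
    lines = []
    for ip in sorted(retriers):
        a = retriers[ip]
        lines.append(
            f"{ip} helo={a[-1][1]} attempts={len(a)} "
            f"first={a[0][0].isoformat()} last={a[-1][0].isoformat()}"
        )
    return lines


if __name__ == "__main__":
    for entry in whitelist_candidates(SAMPLE_LOG):
        print("whitelist:", entry)
    for line in retry_report(SAMPLE_LOG, min_retries=2):
        print("report:", line)
```

Run over the constructed log, only 192.0.2.10 qualifies: the two attempts from 198.51.100.7 one second apart collapse into a single attempt, and raising `min_retries` to 3 empties the candidate list, which is the knob to turn if retrying spammers ever start showing up in the report.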

