[Greylist-users] HELO

Eric S ejs at bfd.com
Tue Jul 22 16:47:45 PDT 2003


On Tue, 22 Jul 2003, Brian Grossman wrote:

> > > > nor a single part that matches the leftmost part of the rDNS.
> > >
> > > Be careful with that one.  It's fairly common for hosters to consolidate
> > > outgoing mail.  When I tried it several years ago for example, I stopped
> > > receiving email from compaq (RIP).
> >
> > Could you explain that in a little more detail, not sure I follow what
> > you're saying.
> >
> > My HELO rules are as follows (first match applies).
>
> Sorry, I was thinking of rdns on the connecting ip vs the domain.

Quite understandable, I think everyone has wanted to block on HELO != rDNS
at least once :-)

> I'm just hoping for wide deployment of reverse MX

Are you on the spam-tools mailing list?  The DHVP that I mentioned as
getting talked up a lot last week is a HELO validator which may satisfy
your desires.  Because it leverages existing MX records, an estimated 75%
of the legitimate email out there is already DHVP-compliant, which should
speed acceptance and adoption of it, should it reach RFC status.

The idea is to use the HELO to find an MX record that points to that
machine (actually the first pass uses a TXT record, but I'll stick to MX
since the specially formatted TXT records don't exist yet).

For example:  Of the mail servers that I admin at work, one HELOs as
bfd.com.  The MX for bfd.com points directly to that machine, so it's
fully DHVP compliant.  We've got one machine that generates reports and is
supposed to smarthost out through the first machine (but I just noticed
that it doesn't).  It HELOs with alexandria.bfd.com, which also has an
MX, but the MX points to the outside machine, so this one is broken by
DHVP, so I'd either have to smarthost it, or add a TXT record for it.

This way, unless someone points a DNS record at the machine, you won't
accept email from it, and if it does have a DNS record pointing to it and
someone sends spam through it, that person can't claim ignorance, since
they designated the machine as a mail exchanger.  Does that make sense?
Does it achieve the effect you want?

So far, the one thing that DHVP has going for it that none of the other
proposals that I'm aware of does is that the 75% of email that is already
DHVP compliant is the smaller sites.  Getting the larger sites to comply
with something like this, which requires no modifications of MTA or DNS
server, just a few extra DNS records, while it may not be easy, is going
to be much easier than getting all the millions of itty bitty mail servers
to conform to some new protocol.  Leveraging the existing MX records (as
a fallback if the TXT record doesn't exist) is what achieves this.  The
only places that aren't compliant are sites with outgoing mail servers
that don't have an MX pointed to it (i.e. most outgoing-only mail servers,
such as Yahoo and AOL).
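The MX-fallback step of the HELO check described in the message, written out as an added example (not code from the list, from the DHVP proposal, or from the bfd.com servers). The TXT-record first pass is left out because the message says that record format does not exist yet. The DNS data is constructed for the example: the hostnames are the ones from the message, the addresses are documentation ranges, and a stub resolver answers from that table so the check runs offline; a real deployment would plug in an actual DNS lookup with the same (name, type) -> records shape.

```python
from typing import Callable, List, Tuple

# Constructed DNS data for this example only; the names come from the
# message above, the addresses are from documentation ranges (not real records).
FAKE_ZONE = {
    ("bfd.com", "MX"): [(10, "mail.bfd.com")],
    ("mail.bfd.com", "A"): ["192.0.2.10"],
    # alexandria has its own MX, but that MX names the outside machine,
    # which is exactly the broken case the message describes.
    ("alexandria.bfd.com", "MX"): [(10, "mail.bfd.com")],
    ("alexandria.bfd.com", "A"): ["192.0.2.20"],
    # A host that has an A record but no MX at all.
    ("nomx.example", "A"): ["203.0.113.5"],
}

# A resolver takes (name, record type) and returns the matching records.
Resolver = Callable[[str, str], list]


def fake_resolve(name: str, rtype: str) -> list:
    """Stand-in for a real DNS lookup, answering from FAKE_ZONE (constructed)."""
    return FAKE_ZONE.get((name.rstrip(".").lower(), rtype), [])


def helo_mx_check(helo: str, peer_ip: str,
                  resolve: Resolver = fake_resolve) -> Tuple[bool, str]:
    """MX-fallback step of the HELO check: the connection passes only if one
    of the HELO name's MX hosts resolves to the address that is connecting.
    Returns (passed, reason) so the caller can log why a decision was made."""
    helo = helo.strip().rstrip(".").lower()
    # Address literals ([192.0.2.20]) and empty names can never carry an MX.
    if not helo or helo.startswith("["):
        return False, "HELO is not a hostname"

    mx_records: List[Tuple[int, str]] = resolve(helo, "MX")
    if not mx_records:
        # Nobody designated this name as a mail exchanger, so there is no
        # record to hold anyone accountable for it.
        return False, f"no MX record for {helo}"

    seen = []
    for _preference, target in sorted(mx_records):
        for addr in resolve(target, "A"):
            if addr == peer_ip:
                return True, f"MX {target} resolves to {peer_ip}"
            seen.append(f"{target}={addr}")
    return False, (f"no MX of {helo} resolves to {peer_ip} "
                   f"(saw {', '.join(seen) or 'nothing'})")


if __name__ == "__main__":
    for helo, ip in [("bfd.com", "192.0.2.10"),
                     ("alexandria.bfd.com", "192.0.2.20"),
                     ("alexandria.bfd.com", "192.0.2.10"),
                     ("[192.0.2.20]", "192.0.2.20"),
                     ("nomx.example", "203.0.113.5")]:
        ok, why = helo_mx_check(helo, ip)
        print(f"{helo:22s} from {ip:13s} -> {'PASS' if ok else 'FAIL'}: {why}")
```

Run against the constructed zone, bfd.com passes because its MX host is the connecting machine, alexandria.bfd.com fails from its own address but passes once its mail is sent out through the machine its MX names (the smarthost fix the message mentions), and an address literal or a name with no MX fails outright. The check deliberately returns the reason alongside the verdict: a reject on HELO is a hard policy, and the log line is what you need when a legitimate sender with a consolidated outgoing host turns up broken.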

