Double Irony! (was Re: [linux-elitists] ruben's stupid filter)

Dan Wilder dan@ssc.com
Mon Mar 25 14:13:58 PST 2002


I lied.  

One more small contribution to the thread, I promise I'll shaddap.

Disclaimer: after one disaster, I have no plan to try declining
email based on verifying HELO ever again.  Everything I say here is 
hypothetical.

On Mon, Mar 25, 2002 at 01:15:44PM -0800, Marc MERLIN wrote:
> On Sun, Mar 24, 2002 at 11:04:01PM -0800, Dan Wilder wrote:
> > > I don't see which RFC forbids one, and even if there were to be one, I
> > > wouldn't care and do SMTP callbacks anyway.
> > 
> > Forgive me, I wasn't explicit.  Verifying HELO host.
> > RFC1123 says "MUST NOT" about refusing of mail after 
> > HELO host fails to verify.  More's the pity.
>  
> Ah, HELO verifying.
> I'm against it because if I send mail from my laptop or my workstation
> behind a NAT firewall, you'll have a HELO that doesn't resolve back to the
> IP address that you got the connection from (the NAT device).
> In the case of work, my HELO would even say magic.hdqt.vasoftware.com, which
> will not resolve from the outside (and it's not supposed to)
> The envelope and headers do say vasoftware.com, though, as they should.
> 
> Of course, I could change the helo, but you lose the information of which
> hostname the mail came from inside our net.

That's what relay hosts are for.

At home I relay from behind my ISP's DHCP router through my ISP's 
relay host.  Here at the office, we use a similar arrangement.  You 
should be able to see from the headers that this message originated 
at chinacat.ssc.com, though there's no such host known outside the 
firewall.   mail.ssc.com (well actually dilbert.ssc.com, it isn't sure 
who it really is, poor thing) is the relay host, and it knows who chinacat 
is.  In turn, the outside thinks it knows who mail.ssc.com is.  Or close 
enough for most of the outgoing mail to get through.

Each hop is present in the Received headers, all without ever presenting
an unknown hostname to any other host.

> > > Do you mean forward and reverse on  the calling host? Yeah, I don't do that,
> > > because it probably catches as much legitimate mail as it catches spam.
> > 
> > Only forward.  Reverse is a lost cause.  Too many ISPs refuse their
> > customers a valid reverse record. 
> 
> I suppose you could, yeah. I'm not sure doing this catches that much spam
> though.

It sure stopped a massive amount of spam when I tried it.  Unfortunately 
it also caught several pieces of legitimate mail in a very short time.
Sorry, I did not save the statistics.  Was too busy writing apologies.

-- 
-----------------------------------------------------------------
 Dan Wilder <dan@ssc.com>   Technical Manager & Editor
 SSC, Inc. P.O. Box 55549   Phone:  206-782-8808
 Seattle, WA  98155-0549    URL http://embedded.linuxjournal.com/
-----------------------------------------------------------------
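
The forward-only HELO check debated in this thread, as an added example that is not part of the original message: it classifies the HELO argument against the connecting address and always accepts, recording the verdict for headers or scoring instead of refusing mail. The resolver table, the addresses and the annotation format are constructed assumptions; only the hostnames come from the thread.

```python
import ipaddress
import socket

# Constructed sample data: hostnames are from the thread, addresses are
# documentation-range placeholders, not the real ones.
SAMPLE_ZONE = {"mail.ssc.com": ["192.0.2.25"]}

def sample_resolver(hostname):
    return SAMPLE_ZONE.get(hostname, [])

def dns_resolver(hostname):
    """Live forward lookup; returns [] when the name does not resolve."""
    try:
        return [info[4][0] for info in socket.getaddrinfo(hostname, None)]
    except (socket.gaierror, UnicodeError):
        return []

def check_helo(helo, peer_ip, resolver=dns_resolver):
    """Forward-only check: does the HELO name resolve to the peer address?"""
    peer = ipaddress.ip_address(peer_ip)
    if helo.startswith("[") and helo.endswith("]"):  # address literal
        literal = helo[1:-1]
        if literal.lower().startswith("ipv6:"):
            literal = literal[5:]
        try:
            return "match" if ipaddress.ip_address(literal) == peer else "mismatch"
        except ValueError:
            return "malformed"
    addrs = set()
    for text in resolver(helo.rstrip(".").lower()):
        try:
            addrs.add(ipaddress.ip_address(text))
        except ValueError:
            continue  # skip anything that is not a plain address
    if not addrs:
        return "unresolvable"  # e.g. an internal name seen through NAT
    return "match" if peer in addrs else "mismatch"

def disposition(helo, peer_ip, resolver=dns_resolver):
    """Always accept; record the verdict for headers or scoring only."""
    verdict = check_helo(helo, peer_ip, resolver)
    # Hypothetical annotation format, not taken from any MTA.
    return "accept", f"helo={helo} peer=[{peer_ip}] helo-check={verdict}"
```

With the sample table, a workstation behind NAT announcing an internal name comes out as "unresolvable" and a relay announcing its public name comes out as "match"; both are accepted.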


