F-prot update
Rick Cooper
rcooper at DWFORD.COM
Sat Mar 6 13:47:45 GMT 2004
> -----Original Message-----
> From: MailScanner mailing list
> [mailto:MAILSCANNER at JISCMAIL.AC.UK]On
> Behalf Of Dan Hollis
> Sent: Saturday, March 06, 2004 7:54 AM
> To: MAILSCANNER at JISCMAIL.AC.UK
> Subject: Re: F-prot update
>
>
> On Sat, 6 Mar 2004, Rick Cooper wrote:
> > virus in my logs what I saw a huge increase in helo rejects
> > because the host name was not FQDN
>
> such rejections are RFC violations.
>
> > ( a lot of names like SAM, or
> > Bill, or SERVER), or no Message-Id, etc. The MTA can
> > stop a lot
> > of both spam and viruses if you just work on your
> > access lists a
>
> your MTA is non-RFC-compliant in this case.
>
I realize RFCs state that you should not reject based on bogus
(e)helo arguments; however, they also state that if you do not have
a meaningful (FQDN) name you should use an address literal. I
accept address literals; I do not accept "ehlo bill". I also have a
program that uses exim's run expansion that will automatically
add (for a dynamically defined time period) the connecting host
to our iptables firewall rules. This of course means that host
cannot send to postmaster, or from <>, and that also breaks RFCs.
As I said earlier, I feel for ISPs because neither of these
situations would be correct for them. Our corporate servers make
every effort to be outbound compliant, but inbound is based on our
policies, and when it comes to inbound connections in many cases I
read SHOULD as MUST. When I add a host to the firewall because
they (e)helo'd as a machine within one of our domains and they
are not, or they used our mail server's address as their IP
literal, or they have just attempted to deliver a virus, I am
breaking RFCs for sure, but no MTA that was used for genuine mail
purposes would do these things (when I add hosts sending a virus
to the firewall I exclude bounces), and I have not, as of yet,
found a case where I was rejecting a valid mail. For instance,
before adding the deny for FQDN I used a warn so I could look at
what was being delivered by hosts that did not use a FQDN or IP
literal, and the vast majority ended up dropped at the virus
scanning stage, and what was left ended up spam. Outbound I
follow the RFCs and inbound I expect the same, even if it means
breaking an RFC that ignorantly requires you to accept a mail
connection from a host that is either badly configured or
outright non-compliant.
Heck, how many people reject mail if the host is listed in a DUL?
The IP literal portion of RFC 2821 specifically states this
applies to hosts with dynamic IP addresses or addresses without PTR
records. That would implicitly imply that mail from hosts with
dynamic IP addresses is certainly allowed and it is local policy
that dictates they are dropped, which is fine by me even though I
don't use DUL blocking myself.
BTW: when I do reject based on something like (e)helo, the reject
message states the reason so the admin is aware of why and it can
be corrected.
Rick
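The inbound HELO policy Rick describes (accept a FQDN or an RFC 2821 address literal, reject bare names, reject hosts that claim one of our own domains or our own server's address, and run in a "warn" mode first to audit what would be rejected) as a standalone Python check. This is an added illustration, not Rick's Exim configuration or program; the domain, network and MX address are constructed values.

```python
import ipaddress
import re

# Constructed local-policy values (assumptions for this example, not from the post).
OUR_DOMAINS = {"example.com"}
OUR_NETWORK = ipaddress.ip_network("192.0.2.0/24")
OUR_MX_IP = ipaddress.ip_address("192.0.2.25")
# One DNS label: letters, digits and hyphens, no leading or trailing hyphen.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")

def parse_address_literal(arg):
    """Return the IP inside an RFC 2821 address literal such as '[192.0.2.1]'
    or '[IPv6:2001:db8::1]', or None if arg is not a well-formed literal."""
    if not (arg.startswith("[") and arg.endswith("]")):
        return None
    inner = arg[1:-1]
    if inner.lower().startswith("ipv6:"):
        inner = inner[5:]
    try:
        return ipaddress.ip_address(inner)
    except ValueError:
        return None

def is_fqdn(arg):
    """A name with at least two valid labels (one dot) is treated as fully
    qualified; bare names like 'bill' or 'SERVER' fail this test."""
    labels = arg.rstrip(".").split(".")
    return len(labels) >= 2 and all(_LABEL.match(lab) for lab in labels)

def claims_our_domain(name):
    name = name.lower().rstrip(".")
    return any(name == d or name.endswith("." + d) for d in OUR_DOMAINS)

def check_helo(helo_arg, peer_ip, mode="deny"):
    """Classify one (E)HELO argument from peer_ip as 'accept', 'deny' or 'warn'.
    mode='warn' only flags what would be rejected (the audit step the post
    describes); the reason is returned so it can go into the SMTP reply."""
    peer = ipaddress.ip_address(peer_ip)
    literal = parse_address_literal(helo_arg)
    if literal is not None:
        if literal != OUR_MX_IP:
            return "accept", "address literal"
        reason = "address literal is our own server's address"
    elif not is_fqdn(helo_arg):
        reason = "not a FQDN or address literal"
    elif claims_our_domain(helo_arg) and peer not in OUR_NETWORK:
        reason = "claims one of our domains from an outside host"
    else:
        return "accept", "FQDN"
    return ("warn" if mode == "warn" else "deny"), reason
```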