I wanted to compile some statistics on the correctness of SMTP clients' HELO domains. This is exclusively for email coming into our MXs, so it doesn't include MUAs, which tend to be very broken in this respect.
Exim in our configuration checks that the HELO domain and the reverse DNS and the forward DNS all match. However I'm also interested in whether a forward lookup on the HELO domain matches the client's IP address, and Exim doesn't record this in the logs. A quick bit of hackery with adns, and a few minutes of 10,000 concurrent DNS queries later, I have my results:
Total rejections: 123921
  Failed HELO checks: 101417
  Forward DNS correct: 2128
Total accepted: 31754
  Failed HELO checks: 13349
  Forward DNS correct: 3196
So, today this machine has rejected 80% of incoming messages. According to
SpamAssassin about 15% of the messages we accept are spam so you might
want to adjust the numbers on that basis.
Of the rejected messages, 80% have a completely bad HELO domain, and 2%
have a HELO domain that's correct only in the forward direction.
Of the accepted messages, 32% have a completely bad HELO domain, and 10%
have a HELO domain that's correct only in the forward direction.
I really like adns :-)
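The classification behind those counts can be sketched as follows. This is an added example, not the adns script or the Exim configuration from the post; it also covers the bare-IP and bracketed-literal HELO forms. The `FORWARD` and `REVERSE` tables, the host names and the class labels are constructed assumptions standing in for live DNS lookups.

```python
import ipaddress
from collections import Counter

# Constructed DNS data standing in for live lookups (documentation ranges).
FORWARD = {  # HELO name -> addresses from a forward (A) lookup
    "mx1.example.org": {"192.0.2.10"},
    "mail.example.net": {"198.51.100.7"},
    "smtp.example.com": {"203.0.113.5"},
}
REVERSE = {  # client address -> names from a reverse (PTR) lookup
    "192.0.2.10": {"mx1.example.org"},
    "198.51.100.7": {"host7.isp.example"},
}

def is_ip(text):
    try:
        ipaddress.ip_address(text)
        return True
    except ValueError:
        return False

def classify(client_ip, helo):
    """Return bare-ip, literal, verified, forward-only or bad."""
    helo = helo.rstrip(".").lower()
    if is_ip(helo):
        return "bare-ip"  # address without square brackets
    if helo.startswith("[") and helo.endswith("]"):
        lit = helo[1:-1]
        if lit.startswith("ipv6:"):
            lit = lit[5:]
        same = is_ip(lit) and ipaddress.ip_address(lit) == ipaddress.ip_address(client_ip)
        return "literal" if same else "bad"
    forward_ok = client_ip in FORWARD.get(helo, set())
    reverse_ok = helo in REVERSE.get(client_ip, set())
    if forward_ok and reverse_ok:
        return "verified"  # HELO, reverse and forward DNS all agree
    return "forward-only" if forward_ok else "bad"

def tally(sessions):
    """Count (client_ip, helo) pairs per class."""
    return Counter(classify(ip, helo) for ip, helo in sessions)

SESSIONS = [  # constructed (client IP, HELO argument) pairs
    ("192.0.2.10", "mx1.example.org"),     # everything matches
    ("198.51.100.7", "mail.example.net"),  # forward matches, PTR differs
    ("203.0.113.99", "smtp.example.com"),  # name resolves to another host
    ("203.0.113.5", "192.168.1.20"),       # bare IP address
    ("203.0.113.5", "[203.0.113.5]"),      # bracketed domain literal
    ("203.0.113.5", "localhost"),          # no usable DNS at all
]
```

Replacing the two dictionaries with real resolver calls gives the same breakdown over `(client IP, HELO)` pairs extracted from a mail log.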
no subject
Date: 2004-12-01 15:05 (UTC)
(Their DNS doesn't resolve)
no subject
Date: 2004-12-02 03:57 (UTC)
We've had one complaint this year from someone who tripped over our anti-spam HELO checks. We reject anything that says HELO bare.ip.addr.ess - domain literals must be in square brackets. They had configured their mail server to say HELO 192.168.X.Y so I told them to type the hostname into their configuration instead of the IP address.
Dynamic DNS Users?
Date: 2005-01-11 16:56 (UTC)
However people doing dynamic DNS stuff *could* have perfectly valid DNS at the time they connect to you, but at a later time the DNS points to a different IP address.
No idea how common this is going to be in practice - I suspect not very.
Re: Dynamic DNS Users?
Date: 2005-01-11 17:11 (UTC)