Steve Friedl's Weblog

September 03, 2003
News flash: spammers lie!

This week I figured out something that everybody else who runs a mailserver already knows: spammers (and spamware) lie.

The first part of an SMTP handshake is the HELO string, which the client sends to identify itself to me. Normally they use the fully-qualified domain name of the sending server, and if I send mail to you, my server says

HELO linux.unixwiz.net

Some really finicky sites require that the HELO name match the inverse DNS name, but I've never been that fussy. But while reviewing my logfiles, I noticed that a lot of sites were claiming to be me:

HELO 64.170.162.98

That's my mailserver's own IP address, and I can't think of any reason why a legitimate outside mailserver would claim to be me. This is a hallmark of spam, so I did some more digging. I found that in the thousands of messages I've received over the last couple of months, more than 10% were these kinds of forgeries - I was shocked. Reviewing the logs in more detail showed that every single one was spam. 100.00%. Amazing.

Thankfully, Postfix makes it easy to tell these losers to get lost. In the main.cf file, I added a new rule:

smtpd_helo_required = yes

smtpd_helo_restrictions =
        permit_mynetworks,
        check_helo_access hash:/etc/postfix/helo_access

And created a simple /etc/postfix/helo_access file:

64.170.162.98      REJECT Get lost - you're lying about who you are
linux.unixwiz.net  REJECT Get lost - you're lying about who you are
smtp.unixwiz.net   REJECT Get lost - you're lying about who you are

After rebuilding the map file (which creates helo_access.db) and reloading Postfix, my mailserver is now happily slamming the front door on these forgeries.
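
To measure how often outside clients claim the server's own identity, the reject lines that Postfix's smtpd writes (they end in helo=<...>) can be tallied per client. This is an added example, not code from the original post: the log lines are constructed, the MYNETWORKS value is an assumption standing in for the server's mynetworks setting, and find_helo_forgeries is a hypothetical helper name.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Keys of the post's helo_access file: identities only this server may claim.
OWN_IDENTITIES = {"64.170.162.98", "linux.unixwiz.net", "smtp.unixwiz.net"}
# Assumption: stand-in for mynetworks, whose value the post does not show.
MYNETWORKS = [ip_network("127.0.0.0/8"), ip_network("64.170.162.98/32")]

# smtpd reject lines name the client as host[ip] and end with helo=<...>.
REJECT = re.compile(
    r"postfix/smtpd\[\d+\]: \S+: reject: \w+ from \S*\[([0-9A-Fa-f.:]+)\]:"
    r".* helo=<([^>]*)>")

def find_helo_forgeries(lines):
    """Return (reject_count, Counter of outside clients claiming our identity)."""
    total, forgers = 0, Counter()
    for line in lines:
        m = REJECT.search(line)
        if not m:
            continue  # not a reject line, or one logged without a HELO
        total += 1
        client = ip_address(m.group(1))
        helo = m.group(2).lower().rstrip(".")  # hostnames compare case-insensitively
        if helo in OWN_IDENTITIES and not any(client in n for n in MYNETWORKS):
            forgers[str(client)] += 1
    return total, forgers

# Constructed log lines; client addresses come from documentation ranges.
PFX = "Sep  3 22:41:07 linux postfix/smtpd[2211]: "
MSG = "Helo command rejected: Get lost - you're lying about who you are"
SAMPLE_LOG = [
    PFX + "connect from unknown[203.0.113.45]",
    PFX + f"NOQUEUE: reject: RCPT from unknown[203.0.113.45]: 554 <64.170.162.98>: {MSG}; "
          "from=<a@example.com> to=<user@example.net> proto=SMTP helo=<64.170.162.98>",
    PFX + f"NOQUEUE: reject: RCPT from unknown[198.51.100.7]: 554 <LINUX.UNIXWIZ.NET>: {MSG}; "
          "from=<b@example.com> to=<user@example.net> proto=SMTP helo=<LINUX.UNIXWIZ.NET>",
    PFX + f"NOQUEUE: reject: RCPT from unknown[203.0.113.45]: 554 <smtp.unixwiz.net>: {MSG}; "
          "from=<c@example.com> to=<user@example.net> proto=SMTP helo=<smtp.unixwiz.net>",
    PFX + "NOQUEUE: reject: RCPT from mail.example.org[192.0.2.10]: 554 <x@example.com>: "
          "Relay access denied; from=<d@example.org> to=<x@example.com> proto=ESMTP helo=<mail.example.org>",
]

if __name__ == "__main__":
    total, forgers = find_helo_forgeries(SAMPLE_LOG)
    print(f"{sum(forgers.values())} of {total} rejects claimed this server's identity")
    for ip, n in forgers.most_common():
        print(f"  {ip}: {n}")
```

Clients inside MYNETWORKS are skipped because permit_mynetworks comes first in smtpd_helo_restrictions, so the helo_access map is never consulted for them.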

Update - I've expanded on this topic: Unixwiz.net Tech Tip: Blocking spammers with Postfix HELO

Posted by Steve at September 03, 2003 10:54 PM

Comments

Always great postfix tips!

Thanks, and keep up the good job.

Posted by: Babak Farrokhi on September 4, 2003 03:14 AM

Nice! Thanks for sharing...:-)

Posted by: Techie2000 on September 4, 2003 03:24 PM

So ... what happens if you try to send yourself an email?? Will you be telling yourself to get lost?

(You know you can always count on me for stupid questions! :D)

Posted by: Lissa on September 4, 2003 09:26 PM