Spamscore based on helo

Richard G

I thought normally if a helo was not an FQDN hostname, the spamscore would get higher.
In Postfix you can even reject a mail if the helo is not an FQDN hostname.

Last couple of days we got spam of a user, which does not use FQDN hostnames, they are like this:
Received: from static.85-10-204-49.clients.your-server.de ([85.10.204.49] helo=Debian-60-squeeze-64-minimal

Further in the same header you can see:
Received: from [::1] (unknown [5.79.19.60]) by Debian-60-squeeze-64-minimal (Postfix)

So if I'm correct, it originated on the rackspace server and was sent via the your-server.de server to us (or the other way around). In both cases there is no FQDN HELO.
It only gets a score of 1.9.
X-Spam-Status: No, score=1.9 required=5.5 tests=FSL_HELO_NON_FQDN_1,
HTML_MESSAGE,MIME_HTML_MOSTLY,MISSING_HEADERS,MPART_ALT_DIFF,T_REMOTE_IMAGE

Are there still valid companies out there sending mail with non-FQDN HELOs, or can we reject emails with non-FQDN HELOs nowadays somehow?
Or is it better not to do this?
 
Hello Richard,

Isn't SpamBlocker 4.1 rejecting connections from hosts with an invalid HELO?

Code:
#EDIT#25:
acl_check_helo:
  # accept mail originating on this server unconditionally
  accept  hosts = @[] : @
  # deny if the HELO pretends to be this host
    deny message = Bad HELO - Host impersonating hostname [$sender_helo_name]
      condition = ${if or { \
                            {match{$sender_helo_name}{$smtp_active_hostname}} \
                            {eq{$sender_helo_name}{[$interface_address]}} \
                          } {true}{false} }
  # deny if the HELO is an IP address
    deny message = HELO is an IP address (See RFC2821 4.1.3)
         condition   = ${if isip{$sender_helo_name}}
  # deny if the HELO pretends to be one of the domains hosted on the server
    deny message = Bad HELO - Host impersonating domain name [$sender_helo_name]
        condition = ${if match_domain{$sender_helo_name}{+local_domains}{true}{false}}
        hosts = ! +relay_hosts
  accept

Code:
#EDIT#27:
  # 1st deny checks if it's a hostname or IPV4 address with dots or IPV6 address
    deny message = R1: HELO should be a FQDN or address literal (See RFC 2821 4.1.1.1)
         !authenticated = *
         condition   = ${if match{$sender_helo_name}{\N^\[\N}{no}{yes}}
         condition   = ${if match{$sender_helo_name}{\N\.\N}{no}{yes}}
  ## 2nd deny makes sure the hostname doesn't end with a dot (invalid)
  #  deny message = R2: HELO should be a FQDN or address literal (See RFC 2821 4.1.1.1)
  #       !authenticated = *
  #       condition   = ${if match{$sender_helo_name}{\N\.$\N}}
  # 3rd deny makes sure the hostname has no double-dots (invalid)
    deny message = R3: HELO should be a FQDN or address literal (See RFC 2821 4.1.1.1)
         !authenticated = *
         condition   = ${if match{$sender_helo_name}{\N\.\.\N}}
  ## 4th deny make sure the hostname doesn't end in .home (invalid domain)
  #  deny message = R4: HELO should be a FQDN or address literal (See RFC 2821 4.1.1.1)
  #       !authenticated = *
  #       condition  = ${if match{$sender_helo_name}{\N\.home$\N}}

P.S. That's from my copy of exim.conf, which might differ from the original one.
 
Hello zEiTeR.
Thank you. I'm not using SpamBlocker 4 because I don't want to make the other adjustments and extra files etc., and normally the almost standard exim.conf works just fine for me.

But I will have a look at this, maybe I can edit this into my current exim.conf and use it that way.
Thank you very much!

## 4th deny make sure the hostname doesn't end in .home (invalid domain)
# deny message = R4: HELO should be a FQDN or address literal (See RFC 2821 4.1.1.1)
# !authenticated = *
# condition = ${if match{$sender_helo_name}{\N\.home$\N}}
Cool... this could then also be adjusted (or copied) to do the same but then for hostnames ending in .local, I guess. :)
 
Yes, for sure, you can copy those lines to the right place in your copy. I've been using HELO checks long before SB 4.x, with SB 2.
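
Added example (not part of any post above and not SpamBlocker code): a Python model that replays the `isip` check and the R1 to R4 regex conditions from the posted ACL against sample HELO names, so the effect of each rule can be checked before editing exim.conf. Assumptions: the function names, the `enable_optional` switch, the `LOCAL` label for the suggested .local copy of R4 and the evaluation order are hypothetical; the `!authenticated`, host-list and impersonation conditions are not modelled.

```python
import ipaddress
import re

# Patterns copied from between the \N ... \N markers of the ACL posted above.
LITERAL = re.compile(r"^\[")         # R1: starts like an address literal
DOT = re.compile(r"\.")              # R1: contains at least one dot
RULES = [                            # (label, pattern, enabled in the post)
    ("R2", re.compile(r"\.$"), False),          # trailing dot, commented out
    ("R3", re.compile(r"\.\."), True),          # double dot
    ("R4", re.compile(r"\.home$"), False),      # .home, commented out
    ("LOCAL", re.compile(r"\.local$"), False),  # hypothetical .local copy of R4
]

def is_ip(name):
    """Approximation of Exim's isip: a bare IPv4 or IPv6 address."""
    try:
        ipaddress.ip_address(name)
        return True
    except ValueError:
        return False

def helo_verdict(helo, enable_optional=False):
    """Label of the first deny that would fire, or 'accept'."""
    if is_ip(helo):
        return "isip"
    # R1 denies only when both conditions hold: no leading '[' and no dot.
    if not LITERAL.search(helo) and not DOT.search(helo):
        return "R1"
    for label, pattern, enabled in RULES:
        if (enabled or enable_optional) and pattern.search(helo):
            return label
    return "accept"

# Constructed sample HELO names; the first is the value quoted in the thread.
SAMPLES = [
    "Debian-60-squeeze-64-minimal", "mail.example.com", "[85.10.204.49]",
    "85.10.204.49", "mail..example.com", "mx.example.com.", "pc.home",
    "laptop.local",
]

if __name__ == "__main__":
    for helo in SAMPLES:
        print(f"{helo:32} default={helo_verdict(helo):7} "
              f"all={helo_verdict(helo, True)}")
```

With only the rules that are active in the post, the HELO from the spam headers is denied by R1, while names ending in a dot, .home or .local are accepted until the commented-out rules are enabled.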
 