fanf

adns

1st Dec 2004 | 21:59

I wanted to compile some statistics on the correctness of SMTP clients' HELO domains. This is exclusively for email coming into our MXs, so it doesn't include MUAs, which tend to be very broken in this respect.

Exim in our configuration checks that the HELO domain and the reverse DNS and the forward DNS all match. However I'm also interested in whether a forward lookup on the HELO domain matches the client's IP address, and Exim doesn't record this in the logs. A quick bit of hackery with adns, and a few minutes of 10,000 concurrent DNS queries later, I have my results:

Total rejections: 123921
Failed HELO checks: 101417
Forward DNS correct: 2128

Total accepted: 31754
Failed HELO checks: 13349
Forward DNS correct: 3196

So, today this machine has rejected 80% of incoming messages. According to
SpamAssassin about 15% of the messages we accept are spam so you might
want to adjust the numbers on that basis.

Of the rejected messages, 80% have a completely bad HELO domain, and 2%
have a HELO domain that's correct only in the forward direction.

Of the accepted messages, 32% have a completely bad HELO domain, and 10%
have a HELO domain that's correct only in the forward direction.

I really like adns :-)
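
The classification behind these counts, as an added example that is not the author's adns code: it separates a HELO name that matches in both directions from one that is correct only in the forward direction, and also flags the bare-IP HELO form mentioned in the comments. DNS answers come from constructed in-memory tables instead of live queries, and the category names are assumptions.

```python
import ipaddress
from collections import Counter

# Constructed DNS data (documentation address ranges, example domains).
FORWARD = {   # HELO name -> A records
    "mx.example.org": {"192.0.2.10"},
    "mail.example.net": {"198.51.100.7"},
    "other.example.com": {"203.0.113.99"},
}
REVERSE = {   # client IP -> PTR names
    "192.0.2.10": {"mx.example.org"},
    "198.51.100.7": {"host7.isp.example"},
}

def classify_helo(client_ip, helo, forward=FORWARD, reverse=REVERSE):
    """Classify one HELO argument against the connecting client's IP."""
    name = helo.rstrip(".").lower()
    if name.startswith("[") and name.endswith("]"):
        return "address-literal"       # bracketed literal, no DNS involved
    try:
        ipaddress.ip_address(name)
        return "bare-ip"               # IP address without square brackets
    except ValueError:
        pass
    # Forward check: does the HELO name resolve to the client's address?
    forward_ok = client_ip in forward.get(name, set())
    # Reverse check: does the client's PTR record name the HELO domain?
    reverse_ok = name in reverse.get(client_ip, set())
    if forward_ok and reverse_ok:
        return "full-match"
    return "forward-only" if forward_ok else "bad"

def tally(records):
    """Count categories over (client IP, HELO argument) pairs."""
    return Counter(classify_helo(ip, helo) for ip, helo in records)

SAMPLE = [  # constructed (client IP, HELO argument) pairs
    ("192.0.2.10", "mx.example.org"),
    ("198.51.100.7", "mail.example.net"),
    ("203.0.113.5", "other.example.com"),
    ("203.0.113.5", "localhost"),
    ("192.0.2.10", "192.0.2.10"),
    ("192.0.2.10", "[192.0.2.10]"),
]

if __name__ == "__main__":
    for category, count in tally(SAMPLE).most_common():
        print(f"{category:16} {count}")
```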


Comments {4}

Keith Lard

from: keithlard
date: 1st Dec 2004 15:05 (UTC)

Yeah but dude, your anally retentive Exim configurations are dropping mail from all my spammy customers and I'm having to pore over 300,000 lines an hour of sendmail debug output to figure out why their spams haven't been sent :D

(Their DNS doesn't resolve)


Tony Finch

from: fanf
date: 2nd Dec 2004 03:57 (UTC)

We aren't rejecting because of DNS configuration errors: as the numbers above show that would cause rather serious damage!

We've had one complaint this year from someone who tripped over our anti-spam HELO checks. We reject anything that says HELO bare.ip.addr.ess - domain literals must be in square brackets. They had configured their mail server to say HELO 192.168.X.Y so I told them to type the hostname into their configuration instead of the IP address.


Dynamic DNS Users?

from: anonymous
date: 11th Jan 2005 16:56 (UTC)

I presume you are re-running these queries based on your exim logs.

However people doing dynamic DNS stuff *could* have perfectly valid DNS at the time they connect to you, but at a later time the DNS points to a different IP address.

No idea how common this is going to be in practice - I suspect not very.


Tony Finch

Re: Dynamic DNS Users?

from: fanf
date: 11th Jan 2005 17:11 (UTC)

Yes, I wouldn't expect it to be common enough to affect the numbers significantly. I was mainly interested in a ballpark figure that I could use to better inform the work on CSA.
