RE: connection filtering on HELO/EHLO

  • From: "John Tolmachoff (Lists)" <johnlist@xxxxxxxxxxxxxxxxxxx>
  • To: "'[ExchangeList]'" <exchangelist@xxxxxxxxxxxxx>
  • Date: Fri, 17 Dec 2004 07:56:48 -0800

No, there is no such thing available "built-in" to Exchange.

Further, trying to block/disconnect based on the HELO/EHLO string during the
handshake will be problematic at best. While it will be effective for some,
it will also suffer from a lot of false positives. I see a lot of legit
e-mail coming from servers with either a misconfigured FQDN, an obscure
FQDN, a purposefully obscured FQDN, misconfigured or missing DNS entries
and/or missing or incorrect PTR records. All of these will cause false
positives on a test of the HELO/EHLO string.

Further, if there is a high volume of incoming involved, that can really
slow things down depending on how it is done.

John Tolmachoff
Engineer/Consultant/Owner
eServices For You

> -----Original Message-----
> From: Dan HINCKLEY [mailto:dah@xxxxxxxxxxx]
> Sent: Friday, December 17, 2004 12:27 AM
> To: [ExchangeList]
> Subject: [exchangelist] RE: connection filtering on HELO/EHLO
> 
> http://www.MSExchange.org/
> 
> I'm getting a bunch of spam, some w/viruses, spoofing a domain
> (mail.domain.tld) in the HELO. I was trying to see if there is a way built
> into ES 2003 to use the FQDN (spoofed) rather than an IP (since these guys
> change their IPs) to drop the connection.
> 
> At 07:46 12/17/2004, you wrote:
> >What kind of filtering?
> >
> >John Tolmachoff
> >Engineer/Consultant/Owner
> >eServices For You
> >
> > > -----Original Message-----
> > > From: Dan HINCKLEY [mailto:dah@xxxxxxxxxxx]
> > > Sent: Thursday, December 16, 2004 12:32 AM
> > > To: [ExchangeList]
> > > Subject: [exchangelist] connection filtering on HELO/EHLO
> > >
> > > Have looked in the archives w/o luck. Can anyone point me to a method of
> > > doing filtering in ES 2003 at the HELO/EHLO command?
> > >
> > >
> 
> 
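The trade-off discussed in this thread, as an added example that is not part of the original messages and is not an Exchange feature: a strict HELO/EHLO test rejects legitimate senders with a misconfigured name or missing PTR, while a check limited to the one spoofed name does not. The `PROTECTED` table, its network, the sample connections and the pre-resolved DNS answers are all assumptions constructed for illustration.

```python
import ipaddress

# Assumed for illustration: HELO names we protect and the networks allowed to use them.
PROTECTED = {"mail.domain.tld": [ipaddress.ip_network("192.0.2.0/28")]}

def helo_findings(client_ip, helo, ptr, helo_addrs):
    """Return the set of HELO tests this connection fails.

    ptr is the reverse-DNS name of client_ip (None if missing); helo_addrs are
    the addresses the HELO name resolves to, passed in so the example runs offline.
    """
    ip = ipaddress.ip_address(client_ip)
    name = helo.lower().rstrip(".")
    found = set()
    nets = PROTECTED.get(name)
    if nets is not None and not any(ip in n for n in nets):
        found.add("spoofed-protected-name")
    if "." not in name or name.startswith("["):
        found.add("not-fqdn")
    if ptr is None:
        found.add("no-ptr")
    elif ptr.lower().rstrip(".") != name:
        found.add("ptr-mismatch")
    if client_ip not in helo_addrs:
        found.add("helo-not-resolving-to-client")
    return found

def verdict(findings, strict):
    """strict: reject on any failed test; otherwise reject only the spoofed name."""
    if strict:
        return "reject" if findings else "accept"
    return "reject" if "spoofed-protected-name" in findings else "accept"

# Constructed sample connections: (client_ip, helo, ptr, helo_addrs, is_legit)
SESSIONS = [
    ("198.51.100.7", "mail.domain.tld", None, ["192.0.2.5"], False),      # spoofed HELO
    ("192.0.2.5", "mail.domain.tld", "mail.domain.tld", ["192.0.2.5"], True),
    ("203.0.113.9", "EXCH01", "smtp.partner.example", [], True),          # misconfigured FQDN
    ("203.0.113.40", "mx.shop.example", None, ["203.0.113.40"], True),    # missing PTR
    ("203.0.113.77", "out.corp.example", "host77.isp.example", ["203.0.113.77"], True),
]

def false_positives(strict):
    """Count legitimate sample connections the policy would reject."""
    return sum(1 for ip, helo, ptr, addrs, legit in SESSIONS
               if legit and verdict(helo_findings(ip, helo, ptr, addrs), strict) == "reject")

if __name__ == "__main__":
    print("strict:", false_positives(True), "narrow:", false_positives(False))
```

Logging the other findings instead of rejecting on them keeps the data needed to judge how many legitimate senders a stricter rule would cost.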


