Mailing List CGatePro@mail.stalker.com Message #106115
From: Bill Cole <cgp-2015@billmail.scconsult.com>
Subject: Re: HELO controls in CommuniGate
Date: Thu, 07 Jul 2016 18:22:35 -0400
To: CommuniGate Pro Discussions <CGatePro@mail.stalker.com>
X-Mailer: MailMate (1.9.4r5234)
On 7 Jul 2016, at 11:34, Jeff Wark wrote:

> Just read an article that outlined some patterns that were detectable in spambot HELO/EHLO commands.
>
> As an example, looking at my logs shows dozens of IP addresses connecting with 'EHLO ylmf-pc'.

Those are Cutwail (a.k.a. Pushdo) bots and they should be reliably stopped by the CGP feature of delaying the initial SMTP banner: Settings->Mail->SMTP->Receiving:Limits:"Delay Prompt for". The way CGP does this (a simple delay of the banner at connect) makes it worth using delays of up to 20 seconds, but 5 seconds should be adequate to trip up Cutwail. Some people swear by longer delays to get bots who wait for a banner to give up on waiting, but I don't think that's worthwhile.

> Does anyone know of a method that allows for restricting the HELO strings in CommuniGate?

Only "Delay Prompt" (which drops connections that try to talk before the banner is sent, i.e. by sending a HELO or EHLO) and the "Verify HELO" option above it on the same page, which checks whether the HELO name resolves to the connecting IP and records the result in the Received header, but unfortunately does nothing more. In ancient times, CGP had a lesser sibling called SIMS that would run the HELO name through the router and eject anything routed to error, but it appears that functionality is not included in CGP.

> It appears that Postfix has something called 'HELO controls'. This would be an interesting feature.

That's not the formal name of anything in Postfix, but it can optionally do any or all of these:

1. Require a HELO or EHLO command. (needed for anything following...)
2. Require the name to be formally valid (i.e. no illegal characters)
3. Require the name to be fully-qualified
4. Require the name to be resolvable with an A or MX record in DNS
5. Check the name against a DNSBL designed for domain names (a.k.a. RHSBL)
6. Look up the name in an access map
7. If the name has one or more A records, look up the resulting IP in an access map
8. If the name has one or more MX records, look up the resulting name in an access map
9. Look up the names of the authoritative nameservers for the HELO name in an access map

Postfix has similar collections of controls for every attribute of the SMTP transaction. It's the MTA equivalent of a 50k-block Lego set. If you want sophisticated anti-spam measures, putting Postfix in front of CGP is not an unreasonable choice. I use Postfix+Dovecot for my own domains and for anywhere else where CGP would be overkill.

(I was going to say Postfix is the "Erector Set of MTAs" but that analogy is likely lost on anyone except Americans of my advanced age...)

(Sendmail is the "tub of resin and textbook on the state of 3D printing technology, circa 2010" of MTAs...)

> I'm thinking that there isn't because I am unaware of any options providing control at that point of the SMTP connection. The only thing I can think of is watching the logs and generating a list for blacklisting/denying IP addresses.

Turning on "Delay Prompt" for 15s is a much easier first step than CGP log parsing. It should catch the vast majority of spambots that use regular patterns in their HELO names.
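The banner-delay behaviour the reply describes ("Delay Prompt" dropping connections that talk before the banner), as an added example that is not part of the original message and is not CommuniGate Pro or Postfix code: a toy asyncio SMTP listener that withholds its 220 greeting for `delay` seconds and closes any connection that sends bytes before the greeting arrives, plus two simulated clients, a Cutwail-style early talker that blurts `EHLO ylmf-pc` immediately and a conformant client that waits for the 220 first. The hostnames are made up, and the default delay is shortened to half a second so the demo runs quickly, where the reply talks about 5 to 20 seconds on a real server.

```python
"""
Toy 'delay the SMTP banner, drop early talkers' front end.
Added example, not CommuniGate Pro or Postfix code. All hostnames are made up.
"""
import asyncio

BANNER = b"220 mx.example.test ESMTP ready\r\n"  # made-up hostname


async def _close(writer):
    """Close a stream, tolerating a peer that has already gone away."""
    writer.close()
    try:
        await writer.wait_closed()
    except OSError:
        pass


async def handle_client(reader, writer, delay):
    """Withhold the greeting for `delay` seconds; drop peers that speak first."""
    try:
        early = await asyncio.wait_for(reader.read(1024), timeout=delay)
    except asyncio.TimeoutError:
        early = b""  # silence for the whole delay: a client waiting for our 220
    if early or reader.at_eof():
        # Bytes before the greeting (or a hang-up) mean the peer is not an
        # RFC 5321 client waiting for a banner. Close without ever replying,
        # so the HELO name it sent is never even parsed.
        await _close(writer)
        return
    writer.write(BANNER)
    await writer.drain()
    # Minimal dialogue so a well-behaved client can complete EHLO and QUIT.
    while True:
        line = await reader.readline()
        if not line:
            break
        verb = line.split(b" ", 1)[0].strip().upper()
        if verb in (b"EHLO", b"HELO"):
            writer.write(b"250 mx.example.test\r\n")
        elif verb == b"QUIT":
            writer.write(b"221 bye\r\n")
            await writer.drain()
            break
        else:
            writer.write(b"502 command not implemented\r\n")
        await writer.drain()
    await _close(writer)


async def early_talker(host, port):
    """Bot behaviour: EHLO before any banner has been received."""
    reader, writer = await asyncio.open_connection(host, port)
    writer.write(b"EHLO ylmf-pc\r\n")  # the pattern from the quoted logs
    await writer.drain()
    try:
        reply = await reader.read(1024)  # b"" means the server closed on us
    except ConnectionResetError:
        reply = b""
    await _close(writer)
    return reply


async def patient_client(host, port):
    """Conformant behaviour: read the 220 greeting, then EHLO, then QUIT."""
    reader, writer = await asyncio.open_connection(host, port)
    banner = await reader.readline()
    writer.write(b"EHLO mail.example.test\r\n")  # made-up client name
    await writer.drain()
    ehlo_reply = await reader.readline()
    writer.write(b"QUIT\r\n")
    await writer.drain()
    await reader.readline()
    await _close(writer)
    return banner, ehlo_reply


async def _demo(delay):
    server = await asyncio.start_server(
        lambda r, w: handle_client(r, w, delay), "127.0.0.1", 0)
    port = server.sockets[0].getsockname()[1]
    async with server:
        bot_reply = await early_talker("127.0.0.1", port)
        banner, ehlo_reply = await patient_client("127.0.0.1", port)
    return {"bot_reply": bot_reply, "banner": banner, "ehlo_reply": ehlo_reply}


def run_demo(delay=0.5):
    """Return what each simulated client received; `delay` is in seconds."""
    return asyncio.run(_demo(delay))


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(f"{name}: {value!r}")
```

The early talker gets an empty read (the server closed without a word) while the patient client gets a 220 and a 250. Note that the drop happens on the first byte, before any HELO string is looked at, which is why this catches bots regardless of what name they send; the flip side, and the reason the reply argues against very long delays, is that an impatient but legitimate MTA would be treated the same way.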
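The nine Postfix checks enumerated in the reply, expressed as a main.cf fragment. This is an added illustration, not configuration from the message; the RHSBL zone name and the access-map paths are placeholders, and `check_helo_a_access` is only present in newer Postfix releases, so confirm it appears in `postconf -d` on your version before using it. The `permit_mynetworks` and `permit_sasl_authenticated` entries go first so none of the checks apply to your own hosts or to authenticated submitters, whose HELO names are often not resolvable.

```conf
# main.cf fragment (added example). Numbers refer to the list in the reply:
#   1 smtpd_helo_required             6 check_helo_access
#   2 reject_invalid_helo_hostname    7 check_helo_a_access
#   3 reject_non_fqdn_helo_hostname   8 check_helo_mx_access
#   4 reject_unknown_helo_hostname    9 check_helo_ns_access
#   5 reject_rhsbl_helo
# dbl.rhsbl.example and the /etc/postfix/helo_*_access paths are placeholders.
smtpd_helo_required = yes
smtpd_helo_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_invalid_helo_hostname,
    reject_non_fqdn_helo_hostname,
    reject_unknown_helo_hostname,
    reject_rhsbl_helo dbl.rhsbl.example,
    check_helo_access hash:/etc/postfix/helo_access,
    check_helo_a_access hash:/etc/postfix/helo_a_access,
    check_helo_mx_access hash:/etc/postfix/helo_mx_access,
    check_helo_ns_access hash:/etc/postfix/helo_ns_access,
    permit
```

An access map is a text file of lookup keys and actions, for instance a line `ylmf-pc REJECT` in helo_access, compiled with `postmap hash:/etc/postfix/helo_access` after each change. Two practical points: with the default `smtpd_delay_reject = yes` these restrictions are evaluated at RCPT TO rather than at HELO, so the rejection log line carries sender and recipient; and `reject_unknown_helo_hostname` defers (4xx) rather than rejects when the DNS lookup fails temporarily, so a resolver outage does not turn into permanent bounces.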