CJ Fearnley via plug on 26 Aug 2021 20:08:39 -0700
Re: [PLUG] my bash script to report rogue Microsoft 365 servers
Rich,

It is true that forward/reverse DNS not matching is not a violation of the RFCs, but it has become a best practice for operating a mail server. Many e-mail platforms either reject or score penalize bad DNS. The spam delivered would be significantly greater if we don't force spammers to adhere to higher standards than the RFCs.

Here are two sources documenting the best practice for reverse DNS matching on e-mail servers:

https://www.linuxmagic.com/best_practices/check_ip_reverse_dns.html
https://www.vircom.com/blog/top-10-tips-to-secure-your-email-server/

Until Microsoft 365 started deploying dozens, hundreds, thousands of rogue systems, I had big successes blocking spam by rejecting mail from systems with bad reverse DNS. Lately, I've had to relax my rules and I'm getting inundated with spam. Microsoft needs to get with the program!

Here are my logs showing EHLO and For/Rev DNS for one of the rogue 365 systems:

2021-08-25 10:30:07 H=(EUR03-AM5-obe.outbound.protection.outlook.com) [40.107.3.125] Warning: HELO verification failed
2021-08-25 10:30:11 H=(EUR03-AM5-obe.outbound.protection.outlook.com) [40.107.3.125] Warning: Forward/Reverse DNS mismatch

EUR03-AM5-obe.outbound.protection.outlook.com and the reverse DNS for 40.107.3.125 (mail-eopbgr30125.outbound.protection.outlook.com) are SERVFAIL DNS errors. That is a rogue server and I don't want its spam!

Because too many providers do not configure their systems to pass Exim's HELO verification (http://www.exim.org/exim-html-3.20/doc/html/spec_45.html), I use a scoring system to only slightly penalize HELO verification failures. If HELO verification were to become practiced on a widespread basis, I would be able to block a lot more spam very efficiently (before SMTP DATA!!!!). I pay for bandwidth; I don't want to download your spam and run it through CPU-intensive anti-virus and spamassassin processing when I could have rejected the e-mail before SMTP DATA!!!
It is a waste of my money and my server capacity and it contributes to global warming. If I had more bandwidth, I would be lobbying for establishing HELO verification as a best practice for e-mail servers. But we have to be realistic and only penalize such servers a little bit so that we don't block too much legitimate mail.

On Thu, Aug 26, 2021 at 08:27:15PM -0400, Rich Freeman wrote:
> On Thu, Aug 26, 2021 at 7:26 PM CJ Fearnley via plug
> <plug@lists.phillylinux.org> wrote:
> >
> > Today I wrote a script to report to Microsoft all the rogue Microsoft
> > 365 servers that tried to send me e-mail yesterday. After a few days of
> > testing, I will add it to my crontab.
> >
> > Maybe JP will find an idea here for his book.
> >
> > This is a David versus Goliath effort: I need all the help I can get.
> >
> > So, I welcome any advice to improve the script or to further shame
> > Microsoft for their despicable 365 e-mail server management practices.
>
> What exactly are they sending in HELO?
>
> Your tweets are a bit vague, but it sounds like you're concerned that
> HELO, forward DNS, and reverse DNS don't match.
>
> Per the RFC, there is no requirement that forward/reverse DNS match.
>
> Per the RFC, the recommendation in this case is to transmit the IP
> address in the HELO, optionally followed by some identifying text
> (which can basically be anything). It isn't clear from your tweets
> whether they are doing that.
>
> https://datatracker.ietf.org/doc/html/rfc2821#page-29
>
> In situations in which the
> SMTP client system does not have a meaningful domain name (e.g., when
> its address is dynamically allocated and no reverse mapping record is
> available), the client SHOULD send an address literal (see section
> 4.1.3), optionally followed by information that will help to identify
> the client system.
>
> --
> Rich

--
CJ Fearnley | LinuxForce Inc.
cjf@LinuxForce.net | Hosting and Linux Consulting
https://www.LinuxForce.net | https://blog.LinuxForce.net
___________________________________________________________________________
Philadelphia Linux Users Group -- http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion -- http://lists.phillylinux.org/mailman/listinfo/plug
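The two checks the thread argues about, forward-confirmed reverse DNS and HELO-name verification, together with the "penalize slightly rather than reject" scoring CJ describes, as an added Python example that is not CJ's bash script and not Exim's code. It parses the `H=(helo) [ip]` form of the Exim log lines quoted above. To run offline it uses a constructed lookup table in place of a resolver: the outlook.com entries mirror what the post reports for 2021-08-25 (PTR present, forward lookups of both names SERVFAIL), the `example.net` entries and the third log line are invented as a well-configured contrast, the penalty weights are assumptions, and the HELO rule is an approximation of Exim's (address literal must equal the peer IP, otherwise the HELO name must resolve to the peer IP or be its PTR name).

```python
import re

# Constructed stand-in for a DNS resolver so the example runs offline.
# outlook.com entries mirror the post's report (PTR present, forward SERVFAIL);
# example.net entries are invented as a clean contrast. Live DNS may differ.
FAKE_DNS = {
    "mail.example.net.": ["192.0.2.10"],
    "10.2.0.192.in-addr.arpa.": ["mail.example.net."],
    "125.3.107.40.in-addr.arpa.": ["mail-eopbgr30125.outbound.protection.outlook.com."],
    "eur03-am5-obe.outbound.protection.outlook.com.": "SERVFAIL",
    "mail-eopbgr30125.outbound.protection.outlook.com.": "SERVFAIL",
}

# Assumed penalty weights: the post only says HELO failures are penalised
# "slightly" and that bad reverse DNS used to be an outright reject.
WEIGHTS = {"helo_fail": 1.0, "fcrdns_bad": 3.0}


class DnsError(Exception):
    """Raised when the stand-in resolver answers SERVFAIL."""


def fqdn(name):
    """Normalise a DNS name: lower-case with a single trailing dot."""
    return name.rstrip(".").lower() + "."


def lookup(name, table=FAKE_DNS):
    """Answers for a name; [] for NXDOMAIN/no data, DnsError on SERVFAIL."""
    rec = table.get(fqdn(name))
    if rec == "SERVFAIL":
        raise DnsError(f"SERVFAIL for {name}")
    return list(rec) if rec else []


def reverse_name(ip):
    """in-addr.arpa name used for the PTR lookup of an IPv4 address."""
    return ".".join(reversed(ip.split("."))) + ".in-addr.arpa."


def fcrdns(ip, table=FAKE_DNS):
    """Forward-confirmed reverse DNS: a PTR name must resolve back to ip.
    Returns (status, detail); status is ok / no-ptr / mismatch / servfail."""
    try:
        ptrs = lookup(reverse_name(ip), table)
    except DnsError:
        return "servfail", "PTR lookup failed"
    if not ptrs:
        return "no-ptr", "no PTR record"
    for name in ptrs:
        try:
            if ip in lookup(name, table):
                return "ok", name
        except DnsError:
            return "servfail", f"forward lookup of {name} failed"
    return "mismatch", ",".join(ptrs)


def helo_verify(helo, ip, table=FAKE_DNS):
    """Approximation of Exim HELO verification (assumed, not Exim's own logic):
    an address literal must equal the peer IP; otherwise the HELO name must
    resolve to the peer IP or be the peer IP's PTR name. SERVFAIL is a failure."""
    literal = re.fullmatch(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", helo)
    if literal:
        return literal.group(1) == ip
    try:
        if ip in lookup(helo, table):
            return True
        return fqdn(helo) in (fqdn(n) for n in lookup(reverse_name(ip), table))
    except DnsError:
        return False


def score_connection(helo, ip, table=FAKE_DNS):
    """Combine both checks into a penalty score plus the reasons for it."""
    score, reasons = 0.0, []
    if not helo_verify(helo, ip, table):
        score += WEIGHTS["helo_fail"]
        reasons.append("HELO verification failed")
    status, detail = fcrdns(ip, table)
    if status != "ok":
        score += WEIGHTS["fcrdns_bad"]
        reasons.append(f"Forward/Reverse DNS {status}: {detail}")
    return score, reasons


# Exim-style "H=(helo) [ip]" as in the post's log lines.
LOG_RE = re.compile(r"H=\((?P<helo>[^)]+)\) \[(?P<ip>[^\]]+)\]")

# First two lines are quoted from the post; the third is constructed.
SAMPLE_LOG = """\
2021-08-25 10:30:07 H=(EUR03-AM5-obe.outbound.protection.outlook.com) [40.107.3.125] Warning: HELO verification failed
2021-08-25 10:30:11 H=(EUR03-AM5-obe.outbound.protection.outlook.com) [40.107.3.125] Warning: Forward/Reverse DNS mismatch
2021-08-25 11:02:44 H=(mail.example.net) [192.0.2.10] Warning: constructed clean entry
"""


def report(log=SAMPLE_LOG, table=FAKE_DNS):
    """One verdict per distinct (HELO, IP) pair seen in the log."""
    seen = {}
    for line in log.splitlines():
        m = LOG_RE.search(line)
        if m and (m["helo"], m["ip"]) not in seen:
            seen[(m["helo"], m["ip"])] = score_connection(m["helo"], m["ip"], table)
    return seen


if __name__ == "__main__":
    for (helo, ip), (score, reasons) in report().items():
        print(f"{ip:16} {helo:48} score={score:.1f} {'; '.join(reasons) or 'clean'}")
```

Keeping the two checks separate is what makes the scoring approach workable: a site can keep the reverse-DNS weight at reject level while leaving the HELO weight low, which is the compromise the post settles on, and the reasons list gives the operator something concrete to cite when reporting a misconfigured sender.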