CJ Fearnley via plug on 26 Aug 2021 20:08:39 -0700



Re: [PLUG] my bash script to report rogue Microsoft 365 servers


Rich,

It is true that forward/reverse DNS not matching is not a violation
of the RFCs, but it has become a best practice for operating a mail
server. Many e-mail platforms either reject or score-penalize bad DNS.

The spam delivered would be significantly greater if we didn't force
spammers to adhere to higher standards than the RFCs.

Here are two sources documenting the best practice for reverse DNS
matching on e-mail servers:
https://www.linuxmagic.com/best_practices/check_ip_reverse_dns.html
https://www.vircom.com/blog/top-10-tips-to-secure-your-email-server/

Until Microsoft 365 started deploying dozens, hundreds, thousands of
rogue systems, I had big successes blocking spam by rejecting mail from
systems with bad reverse DNS. Lately, I've had to relax my rules and
I'm getting inundated with spam. Microsoft needs to get with the program!

Here are my logs showing EHLO and For/Rev DNS for one of the rogue 365
systems:
2021-08-25 10:30:07 H=(EUR03-AM5-obe.outbound.protection.outlook.com)
[40.107.3.125] Warning: HELO verification failed

2021-08-25 10:30:11 H=(EUR03-AM5-obe.outbound.protection.outlook.com)
[40.107.3.125] Warning: Forward/Reverse DNS mismatch

EUR03-AM5-obe.outbound.protection.outlook.com and the reverse DNS for
40.107.3.125 (mail-eopbgr30125.outbound.protection.outlook.com) are
SERVFAIL DNS errors. That is a rogue server and I don't want its spam!

Because too many providers do not configure
their systems to pass Exim's HELO verification
(http://www.exim.org/exim-html-3.20/doc/html/spec_45.html), I use a
scoring system to only slightly penalize HELO verification failures.

If HELO verification were to become practiced on a widespread basis,
I would be able to block a lot more spam very efficiently (before SMTP
DATA!!!!). I pay for bandwidth. I don't want to download your spam and run
it through CPU-intensive anti-virus and SpamAssassin processing when
I could have rejected the e-mail before SMTP DATA!!! It is a waste of
my money and my server capacity, and it contributes to global warming.

If I had more bandwidth, I would be lobbying for establishing HELO
verification as a best practice for e-mail servers. But we have to be
realistic and only penalize such servers a little bit so that we don't
block too much legitimate mail.

On Thu, Aug 26, 2021 at 08:27:15PM -0400, Rich Freeman wrote:
> On Thu, Aug 26, 2021 at 7:26 PM CJ Fearnley via plug
> <plug@lists.phillylinux.org> wrote:
> >
> > Today I wrote a script to report to Microsoft all the rogue Microsoft
> > 365 servers that tried to send me e-mail yesterday. After a few days of
> > testing, I will add it to my crontab.
> >
> > Maybe JP will find an idea here for his book.
> >
> > This is a David versus Goliath effort: I need all the help I can get.
> >
> > So, I welcome any advice to improve the script or to further shame
> > Microsoft for their despicable 365 e-mail server management practices.
> 
> What exactly are they sending in HELO?
> 
> Your tweets are a bit vague, but it sounds like you're concerned that
> HELO, forward DNS, and reverse DNS don't match.
> 
> Per the RFC, there is no requirement that forward/reverse DNS match.
> 
> Per the RFC, the recommendation in this case is to transmit the IP
> address in the HELO, optionally followed by some identifying text
> (which can basically be anything).  It isn't clear from your tweets
> whether they are doing that.
> 
> https://datatracker.ietf.org/doc/html/rfc2821#page-29
> 
>    In situations in which the
>    SMTP client system does not have a meaningful domain name (e.g., when
>    its address is dynamically allocated and no reverse mapping record is
>    available), the client SHOULD send an address literal (see section
>    4.1.3), optionally followed by information that will help to identify
>    the client system.
> 
> -- 
> Rich

-- 
CJ Fearnley                 |   LinuxForce Inc.
cjf@LinuxForce.net          |   Hosting and Linux Consulting
https://www.LinuxForce.net  |   https://blog.LinuxForce.net
___________________________________________________________________________
Philadelphia Linux Users Group         --        http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion  --   http://lists.phillylinux.org/mailman/listinfo/plug
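The two checks discussed in this thread, forward-confirmed reverse DNS (the PTR for the connecting IP must resolve back to that IP) and Exim-style HELO verification (the HELO argument must be an address literal equal to the IP, a name that resolves to the IP, or the name the IP reverse-resolves to), combined into the kind of scoring policy the post describes. This is an added example, not CJ's script and not Exim's own code. The DNS records, host names and IPs below are constructed (RFC 5737 documentation addresses and example.* names) so it runs offline, and the penalty values and threshold are illustrative assumptions; a real deployment would swap fake_resolve() for a function that queries DNS and returns the same (status, answers) shape.

```python
"""Scored forward/reverse DNS and HELO checks for an SMTP client.

Added example, not the script from the original post. Zone data below is
constructed; statuses are "ok", "nxdomain" or "servfail".
"""
import ipaddress
from typing import Callable, Dict, List, Tuple

Answer = Tuple[str, List[str]]            # (status, answers)
Resolver = Callable[[str, str], Answer]   # (absolute qname, rtype) -> Answer

# Constructed zone, keyed by (lower-cased absolute qname, record type).
FAKE_ZONE: Dict[Tuple[str, str], Answer] = {
    # 1. well-behaved relay: PTR -> name -> same address
    ("10.2.0.192.in-addr.arpa.", "PTR"): ("ok", ["mx1.example.org."]),
    ("mx1.example.org.", "A"): ("ok", ["192.0.2.10"]),
    # 2. PTR exists but its forward lookup and the HELO name both SERVFAIL
    ("25.100.51.198.in-addr.arpa.", "PTR"): ("ok", ["relay25.outbound.example.net."]),
    ("relay25.outbound.example.net.", "A"): ("servfail", []),
    ("obe.outbound.example.net.", "A"): ("servfail", []),
    # 3. PTR names a host that resolves to a different address
    ("7.113.0.203.in-addr.arpa.", "PTR"): ("ok", ["host7.example.com."]),
    ("host7.example.com.", "A"): ("ok", ["203.0.113.99"]),
    # 4. 203.0.113.8 has no PTR at all (falls through to nxdomain)
}


def fake_resolve(qname: str, rtype: str) -> Answer:
    return FAKE_ZONE.get((qname.lower(), rtype), ("nxdomain", []))


def reverse_name(ip: str) -> str:
    """in-addr.arpa / ip6.arpa owner name for ip, as an absolute name."""
    return ipaddress.ip_address(ip).reverse_pointer + "."


def addr_rtype(ip: str) -> str:
    return "AAAA" if ipaddress.ip_address(ip).version == 6 else "A"


def fcrdns(ip: str, resolve: Resolver) -> Tuple[str, str]:
    """Forward-confirmed reverse DNS. Verdict: match | mismatch | no_ptr | servfail.
    SERVFAIL is kept distinct from NXDOMAIN: a broken zone is not a missing record."""
    status, ptrs = resolve(reverse_name(ip), "PTR")
    if status == "servfail":
        return "servfail", "PTR lookup SERVFAIL"
    if not ptrs:
        return "no_ptr", "no PTR record"
    saw_servfail = False
    for name in ptrs:
        status, addrs = resolve(name, addr_rtype(ip))
        if status == "servfail":
            saw_servfail = True
            continue
        if ip in addrs:
            return "match", name
    if saw_servfail:
        return "servfail", "forward lookup SERVFAIL for " + ", ".join(ptrs)
    return "mismatch", "PTR name(s) do not resolve back to " + ip


def helo_verify(helo: str, ip: str, resolve: Resolver) -> Tuple[str, str]:
    """Exim-style HELO verification. Verdict: ok | fail | servfail."""
    if helo.startswith("[") and helo.endswith("]"):          # address literal
        literal = helo[1:-1]
        if literal.lower().startswith("ipv6:"):
            literal = literal[5:]
        try:
            same = ipaddress.ip_address(literal) == ipaddress.ip_address(ip)
        except ValueError:
            return "fail", "malformed address literal"
        return ("ok" if same else "fail"), "address literal"
    name = helo.rstrip(".").lower() + "."
    fwd_status, addrs = resolve(name, addr_rtype(ip))
    if ip in addrs:
        return "ok", "HELO name resolves to connecting IP"
    rev_status, ptrs = resolve(reverse_name(ip), "PTR")
    if name in (p.lower() for p in ptrs):
        return "ok", "HELO name matches PTR"
    if "servfail" in (fwd_status, rev_status):
        return "servfail", "DNS SERVFAIL while verifying HELO"
    return "fail", "HELO name neither resolves to IP nor matches PTR"


# Illustrative penalties: reverse-DNS problems weigh more than HELO failures.
PENALTIES = {("fcrdns", "no_ptr"): 3.0, ("fcrdns", "mismatch"): 2.0,
             ("fcrdns", "servfail"): 1.5, ("helo", "fail"): 0.5,
             ("helo", "servfail"): 0.5}
REJECT_THRESHOLD = 3.0  # assumed value; tune against your own mail flow


def score_client(helo: str, ip: str, resolve: Resolver) -> dict:
    """Decide at EHLO time, before DATA, from both checks combined."""
    f_verdict, f_detail = fcrdns(ip, resolve)
    h_verdict, h_detail = helo_verify(helo, ip, resolve)
    score = (PENALTIES.get(("fcrdns", f_verdict), 0.0)
             + PENALTIES.get(("helo", h_verdict), 0.0))
    return {"ip": ip, "helo": helo, "fcrdns": f_verdict, "fcrdns_detail": f_detail,
            "helo_verify": h_verdict, "helo_detail": h_detail, "score": score,
            "action": "reject" if score >= REJECT_THRESHOLD else "accept"}


if __name__ == "__main__":
    for helo, ip in [("mx1.example.org", "192.0.2.10"),
                     ("obe.outbound.example.net", "198.51.100.25"),
                     ("mail.example.com", "203.0.113.7"),
                     ("[203.0.113.8]", "203.0.113.8")]:
        r = score_client(helo, ip, fake_resolve)
        print(f"{ip:16} fcrdns={r['fcrdns']:9} helo={r['helo_verify']:9} "
              f"score={r['score']:.1f} -> {r['action']}")
```

With these constructed records the SERVFAIL case scores 2.0 and is accepted, the mismatch-plus-bad-HELO case scores 2.5 and is accepted, and only the host with no PTR at all crosses the threshold; lowering REJECT_THRESHOLD or raising the "servfail" penalty is exactly the knob the post describes relaxing. Keeping SERVFAIL separate from NXDOMAIN matters because a resolver outage on your side would otherwise look like thousands of rogue senders.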