Date: 2006-05-30 21:47:00
Tags: spam
another spam filter rendered ineffective

A while ago I turned up as much spam and junk mail protection stuff as I could find in my Postfix configuration. Specifically, I had the following options set:

smtpd_helo_restrictions =
    reject_invalid_hostname
    reject_non_fqdn_hostname
    reject_unknown_hostname

Last week, Amy was contacted by somebody who had tried to send her an email but the email was rejected by my mail server. We hadn't yet got back in touch with him to try to find out what the problem was. I started to pay more attention to my spam rejection logs just in case something was amiss. Today, I noticed that my mail server rejected some sort of newsletter from Google. Upon further investigation, it seems that the Google server that sent the mail was using a HELO name that wasn't resolvable. This condition is checked by Postfix on the reject_unknown_hostname restriction.

I decided that if even Google can't always get it right, then I should probably stop rejecting email for an unresolvable HELO name. So I turned off the three restrictions listed above.

Later today, we got a phone call from the company here in New Zealand who is handling the import of our household goods. Apparently, they had tried to email me earlier but the mail had been bounced back, rejected. I looked through the mail server log and found that they, too, had sent from a server with a misconfigured HELO name (it even ended in .local). The mail had come through on a retry after I had removed the HELO name restriction.

That pretty much does it for that filter. If companies as small as a local goods importer and as big as Google can't get it exactly right, I run the risk of rejecting all kinds of legitimate incoming email. As much as I dislike getting spam, I dislike losing real email even more.

decibel45 keeps telling me I should be using one of those scoring filters that doesn't outright block a message for just one SMTP transactional failure. It might take a while for me to get motivated enough to mess with my Postfix configuration again.
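
An added example, not part of the original post: a short Python script that groups Postfix HELO rejections from the mail log by HELO name and reason, so that senders turned away by restrictions like the ones above become visible. The log lines are constructed samples in Postfix's smtpd log format with placeholder hosts and addresses; `reject_warning` is what Postfix logs when a restriction is prefixed with `warn_if_reject`.

```python
import re
from collections import defaultdict

# Constructed sample lines in Postfix smtpd log format (not taken from the post's server).
SAMPLE_LOG = """\
May 30 09:12:01 mx postfix/smtpd[2101]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 450 <server.office.local>: Helo command rejected: Host not found; from=<ops@importer.example> to=<greg@example.org> proto=ESMTP helo=<server.office.local>
May 30 09:40:17 mx postfix/smtpd[2114]: NOQUEUE: reject: RCPT from mail.example.net[198.51.100.7]: 450 <mx-out-7.example.net>: Helo command rejected: Host not found; from=<news@example.net> to=<greg@example.org> proto=ESMTP helo=<mx-out-7.example.net>
May 30 10:02:44 mx postfix/smtpd[2130]: NOQUEUE: reject: RCPT from unknown[203.0.113.55]: 504 <WINPC>: Helo command rejected: need fully-qualified hostname; from=<x@spam.example> to=<greg@example.org> proto=SMTP helo=<WINPC>
May 30 10:02:59 mx postfix/smtpd[2130]: NOQUEUE: reject: RCPT from unknown[203.0.113.55]: 504 <WINPC>: Helo command rejected: need fully-qualified hostname; from=<y@spam.example> to=<amy@example.org> proto=SMTP helo=<WINPC>
May 30 11:15:03 mx postfix/smtpd[2150]: NOQUEUE: reject_warning: RCPT from unknown[192.0.2.10]: 450 <server.office.local>: Helo command rejected: Host not found; from=<ops@importer.example> to=<greg@example.org> proto=ESMTP helo=<server.office.local>
May 30 11:20:00 mx postfix/smtpd[2151]: connect from unknown[192.0.2.99]
"""

# Matches enforced rejections and warn_if_reject warnings; the optional group
# skips the enhanced status code (e.g. "4.7.1") that newer Postfix versions log.
HELO_REJECT = re.compile(
    r"NOQUEUE: (?P<action>reject|reject_warning): \w+ from (?P<client>\S+): "
    r"(?P<code>\d{3})(?: \d\.\d+\.\d+)? <(?P<helo>[^>]*)>: "
    r"Helo command rejected: (?P<reason>[^;]+); "
    r"from=<(?P<sender>[^>]*)> to=<(?P<rcpt>[^>]*)>"
)

def helo_rejections(log_text):
    """Group HELO rejections by (HELO name, reason) with counts, senders and recipients."""
    groups = defaultdict(
        lambda: {"count": 0, "senders": set(), "rcpts": set(), "enforced": False})
    for line in log_text.splitlines():
        m = HELO_REJECT.search(line)
        if not m:
            continue  # not a HELO rejection (connects, deliveries, other rejects)
        g = groups[(m["helo"], m["reason"].strip())]
        g["count"] += 1
        g["senders"].add(m["sender"])
        g["rcpts"].add(m["rcpt"])
        g["enforced"] |= m["action"] == "reject"  # True once mail was actually refused
    return dict(groups)

if __name__ == "__main__":
    for (helo, reason), g in sorted(helo_rejections(SAMPLE_LOG).items()):
        state = "rejected" if g["enforced"] else "warning only"
        print(f"{helo:25} {reason:32} x{g['count']} {state}")
        print(f"    senders: {', '.join(sorted(g['senders']))}")
```
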

ivo : Done!
2006-05-30T14:34:52Z
            
smtpd_helo_restrictions =
    permit_mynetworks
    reject_invalid_hostname
    reject_non_fqdn_hostname
    # reject_unknown_hostname
    check_helo_access hash:/etc/postfix/helo_access
    permit

"main.cf" 674 lines, 26340 characters written
ivo@junction: /etc/postfix # postfix reload
postfix/postfix-script: refreshing the Postfix mail system
ivo@junction: /etc/postfix #



taral
2006-05-30T18:20:57Z
I run with those -- never had a problem...

Hell, I include the rfc-ignorant.org DNSBLs...
ghewgill
2006-05-31T08:33:41Z
Yeah, I thought I had never had a problem either. Trouble is, you can't ever see the problem! I've thought about using rfc-ignorant but I don't like the risk that it will exclude well-meaning but inept organisations that I (or anybody else using my mail server) will need to communicate with.
taral
2006-05-31T18:28:05Z
I can understand that perspective. I long ago decided that if someone cannot reach me by email due to ineptitude, (a) they will get it fixed, (b) they will find another way to contact me, or (c) it wasn't important enough anyway.

I want to strongly encourage people to fix these things, and this is the best I can do.
decibel45
2006-05-30T19:12:15Z
I just run spamassassin. Only unusual thing is that I have a 'probablespam' folder that gets anything scoring >= 3 and < 5. I've got stuff set up in mutt that allows me to easily train spamassassin with what makes it into that folder, 95% of which is spam.

No greylisting, no nothing else. I get about 1-2 spams a day outside of 'probablespam', and even that folder usually gets less than 5 emails a day.
Greg Hewgill <greg@hewgill.com>