[Gross] Patch to Greylist Bad Helo

Jeff Chan jff.chan at gmail.com
Wed Apr 30 14:49:14 EEST 2008


Hi,

  For these few days, I went over the top and ran an experiment to
greylist senders with bad helo strings using grossd. I did this
because I found many obvious spams slipped through the RBLs undetected
(as trusted). Those were the ones with bad helo strings, either with
non-ascii characters, illegal domain name characters, non-fully
qualified hostnames, or with IP addresses whether bracketed or not.

  I managed to patch grossd to check the validity of the helo string
before checking at RBLs. So, it greylists senders even if they would
be trusted.

  To illustrate the results, I examined one of my servers' logs (it's a
low volume server). About 58% sent valid helo, 42% didn't. Of those
with valid helo, 12% were trusted, 11% were matched. Of those with
invalid helo, only 0.0042% were matched. By this rate we could roughly
estimate, with this helo check, we have increased the overall grossd
hit performance by 5%.

  The code handled some cases with exception to RFCs. First, the code
allows underscores, which is not uncommon for misconfigured hostnames.
Second, even bracketed IP addresses that are RFC compliant, will get
greylisted.

  I attach the diff against 1.0rc4 and hope that someone will find it
useful. No warranty of course :-)

  P.S. The code short circuited the RBL checks, so I don't think it
will honor any block_threshold, which I don't use BTW. But the
advantage is it's faster and saves processing power and bandwidth. That
said, I think it should be relatively easy to overcome this.

  Jeff
-------------- next part --------------
A non-text attachment was scrubbed...
Name: gross-helo.diff
Type: application/octet-stream
Size: 1440 bytes
Desc: not available
URL: <http://lists.utu.fi/pipermail/gross/attachments/20080430/3ddb6757/attachment.obj>
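
The HELO checks described in the message above, sketched as an added example. This is not the code from gross-helo.diff (the attachment is not shown on this page) and not grossd's own code. The function and enum names are hypothetical, and the 63-character label limit and the "last label must contain a letter" test for bare IPv4 addresses are assumptions.

```c
#include <ctype.h>
#include <stddef.h>

/* Verdicts for a HELO string; names are hypothetical, not grossd's. */
enum helo_verdict {
    HELO_OK = 0,
    HELO_EMPTY,
    HELO_IP_LITERAL,  /* "[192.0.2.1]" or bare "192.0.2.1" */
    HELO_BAD_CHAR,    /* non-ASCII, or outside [A-Za-z0-9._-] */
    HELO_BAD_LABEL,   /* empty or over-long label (assumed limit: 63) */
    HELO_NOT_FQDN     /* no dot at all, e.g. "localhost" */
};

/* Anything other than HELO_OK would send the client to greylisting. */
enum helo_verdict helo_check(const char *helo)
{
    const unsigned char *p;
    size_t label_len = 0, dots = 0;
    int last_label_has_alpha = 0;

    if (helo == NULL || *helo == '\0')
        return HELO_EMPTY;
    if (*helo == '[')              /* RFC-compliant literal, still rejected */
        return HELO_IP_LITERAL;

    for (p = (const unsigned char *)helo; *p; p++) {
        if (*p == '.') {
            if (label_len == 0)    /* leading dot or ".." */
                return HELO_BAD_LABEL;
            dots++;
            label_len = 0;
            last_label_has_alpha = 0;
            continue;
        }
        /* Underscore is tolerated, as in the message above. */
        if (*p >= 0x80 || !(isalnum(*p) || *p == '-' || *p == '_'))
            return HELO_BAD_CHAR;
        if (isalpha(*p))
            last_label_has_alpha = 1;
        if (++label_len > 63)
            return HELO_BAD_LABEL;
    }
    if (label_len == 0)            /* trailing dot */
        return HELO_BAD_LABEL;
    if (dots == 0)
        return HELO_NOT_FQDN;
    /* An all-numeric last label means a bare dotted-quad address. */
    return last_label_has_alpha ? HELO_OK : HELO_IP_LITERAL;
}
```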

