Subject / Author
* Filtering HELO / EHLO names before MAIL FROM  (Grant Taylor)
+* Re: Filtering HELO / EHLO names before MAIL FROM  (Claus Aßmann)
|`* Re: Filtering HELO / EHLO names before MAIL FROM  (Grant Taylor)
| `* Re: Filtering HELO / EHLO names before MAIL FROM  (Claus Aßmann)
|  `- Re: Filtering HELO / EHLO names before MAIL FROM  (Grant Taylor)
`* Re: Filtering HELO / EHLO names before MAIL FROM  (Anthony Howe)
 `- Re: Filtering HELO / EHLO names before MAIL FROM  (Grant Taylor)

Subject: Filtering HELO / EHLO names before MAIL FROM
From: gtaylor@tnetconsulting.net (Grant Taylor)
Newsgroups: comp.mail.sendmail
Organization: TNet Consulting
Date: Fri, 3 Jan 2025 19:07:18 -0600
Message-ID: <vla1k6$o3g$1@tncsrv09.home.tnetconsulting.net>

Hi,

Is there a method that I can use to filter & reject (return a 5xy error)
for bad HELO / EHLO names at HELO / EHLO time?

I see some options (FEATURE(`block_bad_helo')) but they seem to apply
later in the SMTP transaction.

I'm seeing what I suspect is bots looking to do credential stuffing, but
I'm not offering authentication on this system, so they are bailing
before usual protections would kick in.

Initial searches haven't turned up much that happens before MAIL FROM.

--
Grant. . . .

Subject: Re: Filtering HELO / EHLO names before MAIL FROM
From: INVALID_NO_CC_REMOVE_IF_YOU_DO_NOT_POST_ml+sendmail(-no-copies-please)@esmtp.org (Claus Aßmann)
Newsgroups: comp.mail.sendmail
Organization: MGT Consulting
Date: Sat, 4 Jan 2025 00:43:53 -0500 (EST)
Message-ID: <vlahqp$p22$1@news.misty.com>
References: <vla1k6$o3g$1@tncsrv09.home.tnetconsulting.net>

Grant Taylor wrote:

> Is there a method that I can use to filter & reject (return a 5xy error)
> for bad HELO / EHLO names at HELO / EHLO time?

A milter should be able to do that.
Give it a try and let us know.

--
Note: please read the netiquette before posting. I will almost never
reply to top-postings which include a full copy of the previous
article(s) at the end because it's annoying, shows that the poster
is too lazy to trim his article, and it's wasting the time of all readers.
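The decision a helo-time milter has to make, as an added example that is not code from this thread, from sendmail or from any existing milter. In a libmilter filter this logic would sit in the xxfi_helo callback, which on a rejection would call smfi_setreply(ctx, "550", "5.7.1", text) and return SMFIS_REJECT; here it is written as a stand-alone Python function so it can be run and tested directly. The checks are modelled on the categories FEATURE(`block_bad_helo') is documented to cover (an argument that is not an FQDN or an address literal, or that names this server) plus a small deny list for junk such as the "EHLO User" mentioned in the thread. The local host names and addresses, the deny list and the reply texts are all assumptions constructed for the example.

```python
import ipaddress
import re
from typing import Optional, Tuple, Union

# Reply triple a rejecting helo callback would hand to smfi_setreply():
# SMTP status code, enhanced status code (RFC 3463), text.
Reply = Tuple[str, str, str]
Address = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]

# RFC 1035 label syntax; RFC 5321 requires the HELO/EHLO argument to be a
# fully qualified domain name or a bracketed address literal.
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
_FQDN_RE = re.compile(rf"^(?:{_LABEL}\.)+{_LABEL}\.?$")

# Constructed local identity (an assumption for this example). A real
# filter would take these from its configuration or from the MTA's macros.
LOCAL_NAMES = {"mail.example.net", "example.net"}
LOCAL_ADDRS = {ipaddress.ip_address("203.0.113.10"),
               ipaddress.ip_address("2001:db8::10")}
# Names that are never legitimate from a remote client; "user" is the
# "EHLO User" seen in the thread.
DENY_NAMES = {"user", "localhost", "localhost.localdomain"}

GO_AWAY = "550"   # permanent failure
POLICY = "5.7.1"  # enhanced code: delivery not authorized / policy


def parse_address_literal(arg: str) -> Optional[Address]:
    """Return the address inside a bracketed literal such as [192.0.2.1] or
    [IPv6:2001:db8::1]; None if the argument is not a valid literal."""
    if not (arg.startswith("[") and arg.endswith("]")):
        return None
    inner = arg[1:-1]
    if inner[:5].lower() == "ipv6:":
        inner = inner[5:]
    try:
        return ipaddress.ip_address(inner)
    except ValueError:
        return None


def helo_verdict(arg: str) -> Optional[Reply]:
    """Decide what to do with a HELO/EHLO argument.

    Returns None to accept it, or the (code, enhanced code, text) triple to
    reject it with. Syntax problems get 501 5.5.4 (bad argument); policy
    rejections get the permanent 550 5.7.1 the thread asks for.
    """
    arg = arg.strip()
    if not arg:
        return ("501", "5.5.4", "HELO/EHLO requires a domain name or address literal")
    name = arg.lower().rstrip(".")

    if arg.startswith("["):
        literal = parse_address_literal(arg)
        if literal is None:
            return ("501", "5.5.4", f"Invalid address literal {arg}")
        if literal in LOCAL_ADDRS or literal.is_loopback:
            return (GO_AWAY, POLICY, f"{arg} is this server's address; go away")
        return None  # a foreign address literal is acceptable syntax

    if name in DENY_NAMES:
        return (GO_AWAY, POLICY, f"{arg} is not a valid host name; go away")
    if name in LOCAL_NAMES:
        return (GO_AWAY, POLICY, f"{arg} is this server's name; go away")
    try:
        ipaddress.ip_address(arg)
    except ValueError:
        pass
    else:
        # A bare address has to be bracketed to count as a literal.
        return (GO_AWAY, POLICY, f"{arg} is an unbracketed IP address; go away")
    if not _FQDN_RE.match(arg):
        # A bare label like "User" or "mx1": not fully qualified.
        return (GO_AWAY, POLICY, f"{arg} is not a fully qualified domain name; go away")
    return None


def smtp_reply_line(reply: Reply) -> str:
    """Render the triple the way the MTA would put it on the wire."""
    code, enhanced, text = reply
    return f"{code} {enhanced} {text}"


if __name__ == "__main__":
    for sample in ("User", "mx1.example.com", "[198.51.100.7]", "[203.0.113.10]",
                   "198.51.100.7", "mail.example.net", "[IPv6:2001:db8::10]", "[bogus]"):
        verdict = helo_verdict(sample)
        print(f"EHLO {sample!r:26} -> "
              f"{'accept' if verdict is None else smtp_reply_line(verdict)}")
```

Wired into a milter, the callback returns SMFIS_CONTINUE when helo_verdict() yields None and otherwise passes the triple to smfi_setreply() before returning SMFIS_REJECT. Whether that 5xy lands on the reply to the EHLO itself or only on the next transaction-starting command is what the rest of the thread tests.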

Subject: Re: Filtering HELO / EHLO names before MAIL FROM
From: gtaylor@tnetconsulting.net (Grant Taylor)
Newsgroups: comp.mail.sendmail
Organization: TNet Consulting
Date: Sat, 4 Jan 2025 00:44:45 -0600
Message-ID: <vlalct$mdd$1@tncsrv09.home.tnetconsulting.net>
References: <vla1k6$o3g$1@tncsrv09.home.tnetconsulting.net>
<vlahqp$p22$1@news.misty.com>

On 1/3/25 23:43, Claus Aßmann wrote:
> A milter should be able to do that.

That's what I assumed.

> Give it a try and let us know.

I'm trying a few different things.

Q: Is it possible to cause Sendmail to return something other than the
220 (from memory) greeting in response to the HELO / EHLO?

I'm trying milter-regex now and it seems like Sendmail still replies
with a 220 <bla> in response to the unwanted "EHLO User" that I'm
currently seeing.

I'd like to return a "5xy go away" message. I don't remember the value
for x and y at the moment. Maybe "550 5.7.1 go away" or something like
that.

--
Grant. . . .

Subject: Re: Filtering HELO / EHLO names before MAIL FROM
From: Claus Aßmann
Newsgroups: comp.mail.sendmail
Date: Sun, 19 Jan 2025 22:01 UTC

> I'm trying milter-regex now and it seems like Sendmail still replies
> with a 220 <bla> in response to the unwanted "EHLO User" that I'm
> currently seeing.

But any command other than QUIT (and a few others which do not start
a transaction) will be rejected, correct?

Subject: Re: Filtering HELO / EHLO names before MAIL FROM
From: Grant Taylor
Newsgroups: comp.mail.sendmail
Date: Sun, 19 Jan 2025 22:01 UTC

The command(s) that I tested do end up getting a 5xy error after causing
the reject.

I would have hoped there was a 5xy series error that could be returned
when sending the SMFIS_REJECT (?from memory?) in response to the helo
callback.

I need to reference some RFCs to see if such is even allowed.

--
Grant. . . .
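The check Grant and Claus are talking through, as an added example that is not code from the thread or from any milter: a probe that sends EHLO with the name under test and then MAIL FROM, RCPT TO and QUIT, recording the reply code each command draws, so you can see whether the rejection arrives on the EHLO reply itself or only on the first transaction-starting command. It runs offline against a constructed transcript, and against a real MTA when a host and HELO name are given on the command line. The two transcripts, the example.net/example.org names and the reply texts are constructed for illustration; the "rejected after EHLO" one mirrors the behaviour reported in the thread and is not a capture from any particular sendmail version.

```python
import socket
import sys
from typing import Dict, List, Tuple

Result = Tuple[str, int]  # (command sent, reply code received)


def read_reply(transport) -> Tuple[int, List[str]]:
    """Read one SMTP reply, collapsing multi-line replies (RFC 5321 4.2.1:
    "250-text" continues the reply, "250 text" or a bare "250" ends it)."""
    texts: List[str] = []
    while True:
        line = transport.readline()
        if not line:
            raise ConnectionError("connection closed while waiting for a reply")
        line = line.rstrip("\r\n")
        if len(line) < 3 or not line[:3].isdigit():
            raise ValueError(f"malformed SMTP reply: {line!r}")
        texts.append(line[4:])
        if len(line) == 3 or line[3] == " ":
            return int(line[:3]), texts
        if line[3] != "-":
            raise ValueError(f"malformed SMTP reply: {line!r}")


def probe(transport, helo_name: str,
          sender: str = "<probe@example.org>",
          rcpt: str = "<postmaster@example.net>") -> List[Result]:
    """Send EHLO with the name under test, then MAIL, RCPT and QUIT, and
    record the reply code each drew. The first entry is the greeting."""
    results: List[Result] = []
    code, _ = read_reply(transport)
    results.append(("<greeting>", code))
    for cmd in (f"EHLO {helo_name}", f"MAIL FROM:{sender}", f"RCPT TO:{rcpt}", "QUIT"):
        transport.write(cmd + "\r\n")
        code, _ = read_reply(transport)
        results.append((cmd, code))
    return results


def first_rejection(results: List[Result]) -> str:
    """The first command that drew a 5xy reply, or "" if none did."""
    for cmd, code in results:
        if 500 <= code <= 599:
            return cmd
    return ""


def rejected_at_ehlo(results: List[Result]) -> bool:
    """True when the EHLO itself was answered with a 5xy."""
    return first_rejection(results).startswith("EHLO ")


class SocketTransport:
    """Talks to a real MTA (used when a host is named on the command line)."""

    def __init__(self, host: str, port: int = 25, timeout: float = 15.0):
        self.sock = socket.create_connection((host, port), timeout=timeout)
        # newline="\r\n": split only on CRLF and hand the ending back untouched
        self.reader = self.sock.makefile("r", encoding="latin-1", newline="\r\n")

    def readline(self) -> str:
        return self.reader.readline()

    def write(self, data: str) -> None:
        self.sock.sendall(data.encode("latin-1"))

    def close(self) -> None:
        self.reader.close()
        self.sock.close()


class FakeTransport:
    """Replays a constructed transcript keyed by command verb, so the probe
    runs offline. Nothing here is captured from a real server."""

    def __init__(self, script: Dict[str, List[str]]):
        self.script = script
        self.pending: List[str] = list(script[""])  # the greeting
        self.sent: List[str] = []

    def readline(self) -> str:
        return self.pending.pop(0) if self.pending else ""

    def write(self, data: str) -> None:
        self.sent.append(data)
        verb = data.split(None, 1)[0].upper()
        self.pending.extend(self.script.get(verb, ["500 5.5.1 Command unrecognized\r\n"]))


# Constructed transcript of what the thread reports: the EHLO is still
# answered 250 and the 5xy only shows up on the next transaction command.
REJECTED_AFTER_EHLO = {
    "": ["220 mail.example.net ESMTP ready\r\n"],
    "EHLO": ["250-mail.example.net Hello [198.51.100.7]\r\n",
             "250-SIZE 10485760\r\n",
             "250 HELP\r\n"],
    "MAIL": ["550 5.7.1 go away\r\n"],
    "RCPT": ["503 5.0.0 Need MAIL before RCPT\r\n"],
    "QUIT": ["221 2.0.0 mail.example.net closing connection\r\n"],
}

# Constructed transcript of what Grant was hoping for: the 5xy on the EHLO.
REJECTED_AT_EHLO = dict(REJECTED_AFTER_EHLO, EHLO=["550 5.7.1 go away\r\n"])


if __name__ == "__main__":
    if len(sys.argv) >= 3:  # usage: probe.py <host> <helo-name>  (hypothetical file name)
        transport = SocketTransport(sys.argv[1])
        try:
            results = probe(transport, sys.argv[2])
        finally:
            transport.close()
    else:
        results = probe(FakeTransport(REJECTED_AFTER_EHLO), "User")
    for cmd, code in results:
        print(f"{code}  {cmd}")
    print("first 5xy on:", first_rejection(results) or "none")
```

In the offline run the EHLO draws 250 while MAIL FROM draws the 550, which is the pattern Grant describes; point the script at a real host to see where your own milter's rejection lands.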

Subject: Re: Filtering HELO / EHLO names before MAIL FROM
From: achowe@snert.com (Anthony Howe)
Newsgroups: comp.mail.sendmail
Organization: A noiseless patient Spider
Date: Tue, 7 Jan 2025 20:32:38 -0500
Message-ID: <vlkkjl$2fcjk$1@dont-email.me>
References: <vla1k6$o3g$1@tncsrv09.home.tnetconsulting.net>

On 2025-01-03 20:07, Grant Taylor wrote:
> Hi,
>
> Is there a method that I can use to filter & reject (return a 5xy error) for bad
> HELO / EHLO names at HELO / EHLO time?
>
> I see some options (FEATURE(`block_bad_helo')) but they seem to apply later in
> the SMTP transaction.
>
> I'm seeing what I suspect is bots looking to do credential stuffing, but I'm not
> offering authentication on this system, so they are bailing before usual
> protections would kick in.
>
> Initial searches haven't turned up much that happens before MAIL FROM.

`milter-cli` could do it using an `envelope-from=` filter. Failing that I
suppose I could tweak one of my other milters.

BarricadeMX has the ability (not a milter).

--
Anthony C Howe
achowe@snert.com BarricadeMX & Milters
http://nanozen.snert.com/ http://software.snert.com/

Subject: Re: Filtering HELO / EHLO names before MAIL FROM
From: gtaylor@tnetconsulting.net (Grant Taylor)
Newsgroups: comp.mail.sendmail
Organization: TNet Consulting
Date: Tue, 7 Jan 2025 21:08:09 -0600
Message-ID: <vlkq6p$4k8$1@tncsrv09.home.tnetconsulting.net>
References: <vla1k6$o3g$1@tncsrv09.home.tnetconsulting.net>
<vlkkjl$2fcjk$1@dont-email.me>

Hi Anthony,

On 1/7/25 19:32, Anthony Howe wrote:
> `milter-cli` could do it using an `envelope-from=` filter.  Failing that
> I suppose I could tweak one of my other milters.

My impression when I previously looked at the manual.shtml file
(included in the milter-cli source) was that content-filter and
envelope-filter wouldn't filter in direct response to the client's HELO
/ EHLO.

envelope-filter - ... This command is executed when the DATA command is
sent.

content-filter - ... used to filter the message headers and content - so
after the DATA is closed with <CR><LF>.<CR><LF>.

Hence I got the impression that milter-cli won't be able to reject
immediately after the client's HELO / EHLO.

Please correct me if I'm misunderstanding something.

> BarricadeMX has the ability (not a milter).

Ya.... I'm still trying to work with Sendmail. It's what I know and am
most comfortable with.

--
Grant. . . .
