HELO/EHLO Pattern Matching

From ASRG
Anti-spam technique: HELO/EHLO Pattern Matching
Date of first use:
Effectiveness: High
Popularity: Low
Difficulty of implementation: Low
Where implemented: MTA
Harm: Low to Medium

SMTP requires the client to identify itself in the EHLO/HELO command with either its fully qualified domain name or its IP address enclosed in square brackets. Some spambots send a fixed string; others build the name dynamically, sometimes from the actual hostname or IP address of the machine they run on. Because spambots commonly run on compromised home systems, the resulting EHLO/HELO names often contain "localhost", bare IP addresses, "ADSL", "dynamic", and similar tokens. Some servers therefore pattern-match the EHLO/HELO name, looking for strings that are highly likely to come from a compromised home user and unlikely to come from a legitimate organization. The risk is that many organizations have improperly configured mail servers and consequently send poorly chosen EHLO names; smaller organizations in particular may be on DSL lines without good PTR records. Such techniques therefore require careful monitoring to detect when legitimate organizations are being blocked.
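As an added illustration (not code from ASRG or any particular MTA), the following Python classifier applies the checks described above to an EHLO/HELO argument. It rejects outright only names that violate the SMTP syntax rules (bare IP address, non-FQDN, "localhost"), and flags names that merely look like a dynamic pool for logging and review, since the word list and the verdict thresholds are constructed examples that must be tuned against real traffic.

```python
import ipaddress
import re
from typing import Tuple

# Constructed indicator list for this example. Substrings such as "pool" will
# also hit legitimate hosts (e.g. liverpool.example.com), which is exactly why
# matches are only flagged for review and the log must be watched.
SUSPICIOUS_WORDS = re.compile(
    r"(localhost|adsl|dsl|dynamic|dyn|dhcp|pool|cable)", re.IGNORECASE
)
# One hostname label: letters, digits and hyphens, no leading/trailing hyphen.
LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
FQDN = re.compile(rf"^(?:{LABEL}\.)+{LABEL}$")


def classify_helo(helo: str) -> Tuple[str, str]:
    """Return (verdict, reason) for an EHLO/HELO argument.

    verdict is "accept", "review" or "reject". "review" means log and watch,
    not silently block, because misconfigured legitimate servers send
    poorly chosen names too.
    """
    name = helo.strip()
    if not name:
        return "reject", "empty HELO argument"
    # RFC 5321 address literal: "[" IPv4 "]" or "[IPv6:" IPv6 "]".
    if name.startswith("[") and name.endswith("]"):
        inner = name[1:-1]
        if inner.lower().startswith("ipv6:"):
            inner = inner[5:]
        try:
            ipaddress.ip_address(inner)
        except ValueError:
            return "reject", "malformed address literal"
        return "review", "valid address literal; unusual for a real mail server"
    # A bare IP address without brackets is not permitted by SMTP.
    try:
        ipaddress.ip_address(name)
        return "reject", "bare IP address without brackets"
    except ValueError:
        pass
    if "localhost" in name.lower().split("."):
        return "reject", "claims to be localhost"
    if not FQDN.match(name):
        return "reject", "not a fully qualified domain name"
    m = SUSPICIOUS_WORDS.search(name)
    if m:
        return "review", f"FQDN contains dynamic-pool indicator '{m.group(1)}'"
    return "accept", "well-formed FQDN"
```

Wiring this into an MTA means acting on "reject" at the EHLO/HELO stage and counting "review" hits per sending domain so that a legitimate sender tripping the list shows up in the logs before anyone decides to block it.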