electronic brain surgery since 2001

Blocking spam through HELO checks - the right way

We're doing several checks for spam on our Postfix mail server. One of them is checking the HELO name a client presents. Today we noticed that we were blocking legitimate mail servers with this check.

Many spammers send a HELO consisting of a bare well-known domain like “yahoo.com” - the real Yahoo servers will of course identify themselves with a host name such as “web52204.mail.re2.yahoo.com”, never with “yahoo.com” alone. Rejecting those bare names looked like a perfect way to drop a lot of spam. Or so I thought.

The problem turned out to be that the HELO checks done through check_helo_access hash:/etc/postfix/maps/helo_access were matching subdomains, too: by default Postfix's parent_domain_matches_subdomains setting includes smtpd_access_maps, so an entry for “yahoo.com” also matches “web52204.mail.re2.yahoo.com” and every other host under that domain.

The solution is simple. Just add the following to your /etc/postfix/main.cf:

parent_domain_matches_subdomains = debug_peer_list, fast_flush_domains, mynetworks, permit_mx_backup_networks, qmqpd_authorized_clients, relay_domains

This is the default value of parent_domain_matches_subdomains with smtpd_access_maps removed, so lookups in all smtpd access maps (check_helo_access, check_client_access, check_sender_access and the rest) no longer match subdomains implicitly. If you really want to check subdomains as well, add a leading dot to the key in your hash map. Note that a dotted entry matches subdomains only, not the domain itself, so list both forms if both should be rejected; also review your other access maps, since any entry that relied on the implicit subdomain matching now needs a dotted variant, and rebuild the maps with postmap afterwards. E.g. the following will reject “foo.cosmocode.de” but not “mx.yahoo.com”:

.cosmocode.de           REJECT Bad HELO. You are not me. Go away!
yahoo.com               REJECT Bad HELO. Go away!
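To see exactly which HELO names the two settings reject, here is a small simulation of the Postfix access(5) domain-matching rules. It is an added example for this post, not code from the post or from Postfix itself: it models the documented lookup order (full name first, then each parent domain, with either the bare parent or its leading-dot form as the key depending on whether smtpd_access_maps is listed in parent_domain_matches_subdomains). The map contents and HELO names are constructed for the example; IP-literal HELOs are not modelled.

```python
"""Simulate Postfix access(5) domain matching as used by check_helo_access.

Added example, not code from the post or from Postfix. Modelled rules:

  domain.tld   matches domain.tld, and also its subdomains when
               parent_domain_matches_subdomains contains smtpd_access_maps
               (the Postfix default)
  .domain.tld  matches subdomains of domain.tld only, and only when
               smtpd_access_maps is NOT in parent_domain_matches_subdomains

Map contents and HELO names below are constructed for the example.
"""

# Postfix default value of parent_domain_matches_subdomains
POSTFIX_DEFAULT = ("debug_peer_list, fast_flush_domains, mynetworks, "
                   "permit_mx_backup_networks, qmqpd_authorized_clients, "
                   "relay_domains, smtpd_access_maps")

# The value from the post: the default minus smtpd_access_maps
FIXED = ("debug_peer_list, fast_flush_domains, mynetworks, "
         "permit_mx_backup_networks, qmqpd_authorized_clients, relay_domains")

# Constructed map with the two entries from the post
HELO_ACCESS_POST = """\
.cosmocode.de           REJECT Bad HELO. You are not me. Go away!
yahoo.com               REJECT Bad HELO. Go away!
"""

# Constructed map: same, plus a bare entry so the domain itself is rejected too
HELO_ACCESS_BOTH = (HELO_ACCESS_POST +
                    "cosmocode.de            REJECT Bad HELO. You are not me. Go away!\n")


def parse_access_map(text):
    """Parse 'key<whitespace>action' lines as postmap(1) reads them.

    Blank lines and '#' comments are skipped; keys are lower-cased because
    the lookups are case-insensitive."""
    table = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) == 2:
            table[parts[0].lower()] = parts[1]
    return table


def implicit_subdomains(setting):
    """True if smtpd access maps get implicit parent-domain matching."""
    return "smtpd_access_maps" in {n.strip() for n in setting.split(",")}


def helo_lookup(helo, table, implicit):
    """Return the action for a HELO name, or None if nothing matches.

    The full name is tried first, then every parent domain, most specific
    first. With implicit matching the bare parent is the key; without it
    only a leading-dot key for that parent can match."""
    name = helo.lower().rstrip(".")      # HELO names may end in a dot
    if name in table:
        return table[name]
    labels = name.split(".")
    for i in range(1, len(labels)):
        parent = ".".join(labels[i:])
        key = parent if implicit else "." + parent
        if key in table:
            return table[key]
    return None


def check(helo, setting, map_text=HELO_ACCESS_POST):
    """Look up one HELO name under a given parent_domain_matches_subdomains value."""
    return helo_lookup(helo, parse_access_map(map_text), implicit_subdomains(setting))


if __name__ == "__main__":
    names = ["web52204.mail.re2.yahoo.com", "mx.yahoo.com", "yahoo.com",
             "foo.cosmocode.de", "cosmocode.de"]
    for label, setting in (("default", POSTFIX_DEFAULT), ("fixed", FIXED)):
        for helo in names:
            print(f"{label:8} {helo:30} -> {check(helo, setting) or 'no match'}")
```

Running it shows the false positive from the post (“web52204.mail.re2.yahoo.com” rejected under the default setting), that the same name passes once smtpd_access_maps is removed, and that the leading-dot entry then catches “foo.cosmocode.de” but not “cosmocode.de” itself unless a bare entry is added as well. On a real server, confirm the effective setting with postconf parent_domain_matches_subdomains, rebuild the map with postmap after editing it, and reload Postfix.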
This post was originally published at cosmocode.de
Tags: postfix, antispam, mta