Blocking spam through HELO checks - the right way
We're doing several checks for spam at our Postfix mail server. One of them is checking HELO messages. Today we noticed that this check was blocking valid mail servers.
Many spammers send a HELO of a well known top-domain like “yahoo.com”; the real Yahoo servers will of course identify with something like “web52204.mail.re2.yahoo.com” instead of “yahoo.com” only. A perfect way to drop a lot of spam. Or so I thought.
The problem turned out to be that the HELO checks done through
check_helo_access hash:/etc/postfix/maps/helo_access
were matching subdomains, too.
The solution is simple. Just add the following to your
parent_domain_matches_subdomains = debug_peer_list, fast_flush_domains, mynetworks, permit_mx_backup_networks, qmqpd_authorized_clients, relay_domains
This removes smtpd_access_maps from the list, so entries in your access maps no longer implicitly match subdomains. If you really want to check subdomains as well, just add a leading dot in your hash map. E.g. the following will reject “foo.cosmocode.de” but not “mx.yahoo.com”:
.cosmocode.de REJECT Bad HELO. You are not me. Go away!
yahoo.com REJECT Bad HELO. Go away!
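To make the difference between the two settings concrete, here is an added example (not code from the original post, and not Postfix's own code) that models the HELO lookup rules documented in Postfix's access(5) man page: the full name is tried first, then each parent domain; an entry “domain.tld” also matches subdomains only while smtpd_access_maps is listed in parent_domain_matches_subdomains, and an entry “.domain.tld” matches subdomains only while it is not listed. The map contents, the HELO names and the function name lookup_helo are constructed for the example.

```python
"""Model of how Postfix access(5) maps match a HELO hostname.

Added example, not the original post's code. It reproduces the lookup order
described in access(5): exact name first, then parent domains (including the
top-level domain). Which parent-domain form is consulted depends on whether
"smtpd_access_maps" is in parent_domain_matches_subdomains.
"""

# Constructed access map, same shape as /etc/postfix/maps/helo_access.
HELO_ACCESS = {
    "yahoo.com": "REJECT Bad HELO. Go away!",
    ".cosmocode.de": "REJECT Bad HELO. You are not me. Go away!",
}

# Postfix default: smtpd_access_maps IS listed, so "yahoo.com" also matches
# "web52204.mail.re2.yahoo.com" (the behaviour that blocked real Yahoo servers).
DEFAULT_PDMS = {"debug_peer_list", "fast_flush_domains", "mynetworks",
                "permit_mx_backup_networks", "qmqpd_authorized_clients",
                "relay_domains", "smtpd_access_maps"}

# The value from the post: smtpd_access_maps removed.
FIXED_PDMS = DEFAULT_PDMS - {"smtpd_access_maps"}


def lookup_helo(helo, access_map, parent_domain_matches_subdomains):
    """Return the access map action for `helo`, or None if nothing matches.

    helo: the hostname from the HELO/EHLO command (address literals such as
          "[192.0.2.1]" are not modelled here).
    """
    helo = helo.lower().rstrip(".")
    implicit = "smtpd_access_maps" in parent_domain_matches_subdomains

    # 1. Exact match on the full name always wins.
    if helo in access_map:
        return access_map[helo]

    # 2. Parent domains: for a.b.c.d try b.c.d, c.d, d.
    #    Legacy mode looks up the bare parent ("yahoo.com");
    #    the fixed mode looks up the dotted form (".cosmocode.de").
    labels = helo.split(".")
    for i in range(1, len(labels)):
        parent = ".".join(labels[i:])
        key = parent if implicit else "." + parent
        if key in access_map:
            return access_map[key]
    return None


if __name__ == "__main__":
    for name in ("yahoo.com", "web52204.mail.re2.yahoo.com",
                 "foo.cosmocode.de", "cosmocode.de", "mx.yahoo.com"):
        print(f"{name:30} default: {lookup_helo(name, HELO_ACCESS, DEFAULT_PDMS)!s:45} "
              f"fixed: {lookup_helo(name, HELO_ACCESS, FIXED_PDMS)}")
```

Note that `postmap -q` looks up exactly the key you give it and does not apply the parent-domain walk, so it will not show you this effect; the model above (or a real smtpd session) is what shows why a bare “yahoo.com” entry caught legitimate Yahoo hosts under the default setting.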
This post was originally published at cosmocode.de