Re: [Exim] Blacklisting dynamic IP ranges versus dyndns.org

Kezdőlap
Üzenet törlése
Válasz az üzenetre
Szerző: Alan J. Flavell
Dátum:  
Címzett: Scott M. Nolde
CC: Exim users list
Új témák: [Exim] [Exim]Routing around blocking servers
Tárgy: Re: [Exim] Blacklisting dynamic IP ranges versus dyndns.org
On Thu, 31 Oct 2002, Scott M. Nolde wrote:

> Matthew Palmer(mjp16@???)@2002.10.31 08:33:43 +0000:


> > On Wed, 30 Oct 2002, Alan J. Flavell wrote:


(nothing that you quoted)

> > Tell them to relay through their ISP's mail servers.


It's easily said, but as a mail admin in our situation, we do have to
apply a certain amount of heuristic compromise in the interests of our
users...

> I've been able to block a lot of stuff coming from domains in HELO i don't
> like (maybe this isn't real HELO blocking,


No, it isn't. Sure, we already use controls based on
envelope-senders, and if we knew in advance that a particular
envelope-sender was a good guy, we could whitelist them.

I was just exploring the options for dealing with senders who hope
to get mail through, despite having a dynamic IP, by means of having
registered with dyndns.org. There are clearly _some_ 'good guys'
there.

Let's not argue over policy in this thread: I'm only exploring what
technical options might be available, _if_ one decided to use them.

Points:

1. the PTR record isn't going to help. There needs to be some other
indication that the sender wants to claim membership of dyndns.org

2. Some senders use an envelope-sender address in *.dyndns.org: this
would be easy to whitelist, even on a wildcard basis if one wished.
Nuff said.

3. Some senders use other envelope-sender addresses, but present a
HELO domain in *.dyndns.org. See below for a possible way of
validating those.

4. Some senders seem to offer no indication that they're using
dyndns.org. Too bad for them.

OK, now about implementing point 3: (this is in exim4)

If we enable helo_try_verify_hosts, this will set the helo verify
condition if (amongst other possibilities) the presented helo name
matches the calling IP. For documentation see

http://www.exim.org/exim-html-4.10/doc/html/spec_13.html#IX802

(third bullet). So in the specific case under discussion - the caller
is coming from an IP currently registered at *.dyndns.org, and they
present that name in their HELO - the helo verify condition gets set.

So an ACL which contains a condition such as

condition = ${if match {$sender_helo_name}{\N\.dyndns\.org$\N}{yes}{no}}

(well, perhaps one should lowercase the $sender_helo_name first?)
would restrict this clause to names of the *.dyndns.org variety, and
then

          verify = helo


would seem to complete the ACL, no? This would offer a let-out just
before one would otherwise have rejected on the basis of blacklisted
dynamic-address IP ranges.

I've not actually implemented this in production, but a few recent
incidents have suggested to me that it would be a useful option to
have on hand. So I thought I'd at least tidy the thread up by
mentioning it. I tried it manually with a command of the form
exim -C configure.test -bh a.b.c.d
and it seemed to behave as expected.

Hope it might prove useful to someone (maybe even to us... ;-).