Re: [Exim] HELO acl

Startseite
Nachricht löschen
Nachricht beantworten
Autor: William Thompson
Datum:  
To: Tony Earnshaw
CC: exim-users@exim.org
Betreff: Re: [Exim] HELO acl
> > >
> > > But ok, you're right, I think some spam could be refused with a helo-check
> > > (hosts pretending to be aol/yahoo/etc.).
> > >
> > > But heuristic checks (helo-name has to match hostname) aren't an option.
> > > Checks for the usual faked helo-names are ok.
> >
> > I have also seen HELOs that are nothing by MY own IP address. That's pretty
> > much an indication of spam...
>
> But you can insist on a helo/ehlo that is not an IP number, insist on a
> host name:
>
> deny  message   = "Invalid domain given in HELO/EHLO"
> !condition      = ${if
> match{$sender_helo_name}{$sender_host_name}{yes}{no}}


That'd force them to use an HELO of the reverse of their IP. I wouldn't do
it this way on my server because I know there's host (me for instance) that
send an HELO out that doesn't map to the reverse of it's IP, however it does
resolve to my IP. I still think that denying based on an HELO of my
internet IP is a good idea (since noone on the inside knows about my ouside
IP)

> > I'm not sure about HELOs that are IPs. How many legit email would be
> > blocked by that?
>
> That's why I talk about myself maybe being blue-eyed. In my present
> position I can deny what I like. In an earlier existence as mailadmin
> for a firm that had all sorts of customers (Exim 3), I had to have a
> lookup file in which I stuffed the IP numbers or host names of
> individual customers with broken mail servers, mostly MS Exchange, and
> made them exceptions. It depends on who is paying you for doing what.


I agree, however, what I was looking for was a way to deny a message based
on known HELOs. Like aol.com. WHO HELOs as aol.com other than an aol ip
and spammers? Same for hotmail and msn. For now, this is the only tests on
HELOs I use.

Looks something like this (using the HELO acl patch):
acl_check_helo:
    # always accept if this is localhost
    accept    condition = ${if eq{$interface_address}{127.0.0.1}{yes}{no}}


    # Reject HELOs that contain IP addresses unless we are a relay for
    # them.  I realize this might not be a good idea, but haven't seen
    # any legit HELOs to this server with IPs.
    deny    !hosts = +relay_from_hosts
        message = HELO may not be an IP address
        condition = ${if match{$sender_helo_name}{\N^\[?\d+\.\d+\.\d+\.\d+\]?$\N}{yes}{no}}


    # Same as above, but check for common HELO names to see if they come
    # from the correct host.
    deny    !hosts = +relay_from_hosts
        message = HELO does not match sender host ($sender_helo_name \
            != SENDER_HOST)
        condition = ${if \
                or { \
                     {and { \
                        {or { \
                         {eq{$sender_helo_name}{hotmail.com}} \
                         {eq{$sender_helo_name}{msn.com}} \
                        } \
                        } \
                        {!match{$sender_host_name}{(hotmail|msn)\\.com}} \
                     }} \
                     {and { \
                        {eq{$sender_helo_name}{aol.com}} \
                        {!match{$sender_host_name}{(netscape|aol)\\.(net|com)}} \
                     }} \
                     {and { \
                        {eq{$sender_helo_name}{outblaze.com}} \
                        {!match{$sender_host_name}{outblaze\\.com}} \
                     }} \
#                     {and { \
#                        {eq{$sender_helo_name}{}} \
#                        {!match{$sender_host_name}{}} \
#                     }} \
                   } \
                {yes}{no} \
                 }


    accept