I use the following HELO ACLs, I dunno if it's exactly what you want but it
s purpose is to check the helo given and if it contains our base domain name
or is our address in IP literal form, reject it. It also checks the host
name in the same fashion. The !+local_net skips the acl if the host IP is
one of our internal, or relay/backup servers.
+local_nets is read from a file and would look like:
xx.xx.xx.xx/25
yy.yy.yy.yy
# Check and see if some one is trying to impersonate my server/hosts
# check and see if the HELO is a match on my domain
# would catch cooper-home.com, somehost.cooper-home.com, etc
# or if the HELO is my address
deny message = No you are not ME or MINE (HELO was $sender_helo_name) and I
will send this log to the appropriate authority ASAP with your IP:
$sender_host_address
hosts = !+local_net
condition = ${if or {\
{eq{$sender_helo_name}{$interface_address}}\
{match{${lc:$sender_helo_name}}{${lc:$qualify_domain}}}\
}\
{yes}{no}}
# Now check the hostname.
# First check and see if the HOSTNAME is a match on my domain
# But skip if the hostname is blank
deny message = No you are not ME or MINE (HOSTNAME was $sender_host_name)
and I will send this log to the appropriate authority ASAP with your IP:
$sender_host_address
hosts = !+local_net
condition = ${if and {\
{!eq{$sender_host_name}{}}\
{eq{$sender_host_name}{$interface_address}}\
}\
{yes}{no}}
# Next check and see if the HOSTNAME is my IP address
# But skip if the hostname is blank
deny message = No you are not ME or MINE (HOSTNAME was $sender_host_name)
and I will send this log to the appropriate authority ASAP with your IP:
$sender_host_address
hosts = !+local_net
condition = ${if and {\
{!eq{$sender_host_name}{}}\
{match{${lc:$sender_host_name}}{${lc:$qualify_domain}}}\
}\
{yes}{no}}
Rick Cooper
-------Original Message-------
From: ODHIAMBO G. Washington
Date: Tuesday, July 29, 2003 1:43:49 AM
To: exim-users@???
Subject: [Exim] reverse lookup on envelop senders - dealing with spam
Some clever? spammers are lurking around, for example I did receive
which looks like this:
>From wash@??? Mon Jul 28 15:18:11 2003
Return-path: wash@???
Envelope-to: wash@???
Delivery-date: Mon, 28 Jul 2003 15:18:11 +0300
Received: from [209.42.44.196] (helo=wananchi.com)
by ns2.wananchi.com with esmtp (Exim 4.20 #5 (FreeBSD))
id 19h6x8-000Mfq-AB
for <wash@???>; Mon, 28 Jul 2003 15:18:11 +0300
Received: from pioneer-rffualy [10.41.1.53] by wananchi.com with
MailMXPro(2195.5249);
Mon, 28 Jul 2003 08:19:43 -0700
Message-ID: <07a801c3551c$76d7ebfc$b400a8c0@pioneer-rffualy>
From: jenny lips <wash@???>
To: wash@???
Now that IP is not in our netblock, and so I believe their helo should
have been blocked if I was bright enough. The problem is, they are
one step ahead of me.
To keep off spammers, I'd like to do reverse lookups on envelope senders
and separately, to deny any envelope senders who say they are from our
domain (wananchi.com) but are sending from another IP range other than
our a.b.c.d/19 and e.f.g.h/25 *unless* they use ASMTP.
Anyone already doing this???
-Wash
--
Odhiambo Washington <wash@???> "The box said 'Requires
Wananchi Online Ltd.
www.wananchi.com Windows 95, NT, or better,'
Tel: +254 2 313985-9 +254 2 313922 so I installed FreeBSD."
GSM: +254 72 743223 +254 733 744121 This sig is McQ! :-)
Weinberg's Principle:
An expert is a person who avoids the small errors while
sweeping on to the grand fallacy.
--
## List details at
http://www.exim.org/mailman/listinfo/exim-users Exim
details at
http://www.exim.org/ ##
--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.
.
