[Exim] HELO filtering with exim (for exim config.samples / M…

Author: Suresh Ramasubramanian
To: 'Exim-users'
CC: Marc MERLIN, Philip Hazel
Subject: [Exim] HELO filtering with exim (for exim config.samples / Marc Merlin generalized exim.conf)
Hi all

I've been seeing a whole bunch of IPs that send me spam / virus mail and
HELOing as one of my own IPs, or as HELO one.of.my.own.domains (or maybe
HELO primary_hostname).

On the other hand, I have users relaying through my box with AUTH, using
Mozilla, which HELOs as "HELO hserus.net" if a hserus.net user relays.

Here's something to stop this stuff - in acl_check_rcpt:

[snippet in exim configure file]

  # Accept local SMTP input (not over TCP/IP): the sending host is empty
  accept  hosts = :

  # Accept all authenticated senders
  accept  authenticated = *

  # Spam control

  # Be polite and say HELO. Reject anything from hosts that haven't given
  # a valid HELO/EHLO to us.
  deny    condition   = ${if \
                        or{{!def:sender_helo_name}{eq{$sender_helo_name}{}}}{yes}{no}}
          message     = RFCs mandate HELO/EHLO before mail can be sent

  # Forged hostname - HELOs as my own hostname or domain
  deny    message     = Forged hostname detected in HELO: $sender_helo_name
          hosts       = !+relay_from_hosts
          log_message = Forged hostname detected in HELO: $sender_helo_name
          condition   = ${lookup {$sender_helo_name} \
                        lsearch{/usr/local/etc/exim/local_domains}{yes}{no}}

  # Forged hostname - HELOs as one of my own IPs
  deny    message     = Forged IP detected in HELO: $sender_helo_name
          hosts       = !+relay_from_hosts
          log_message = Forged IP detected in HELO: $sender_helo_name
          condition   = ${if eq{$sender_helo_name}{$interface_address}{yes}{no}}

[end snippet]

This works - as demonstrated by log entries below.

forged hostname HELO

2003-08-11 11:51:42 H=203-86-166-80.outblaze.com (hserus.net)
[203.86.166.80]:37140 F=<suresh@???> rejected RCPT
<suresh@???>: Forged hostname detected in HELO - hserus.net

forged IP HELO

2003-08-11 11:44:13 H=203-86-166-80.outblaze.com (204.74.68.40)
[203.86.166.80]:37118 F=<suresh@???> rejected RCPT
<suresh@???>: Forged IP detected in HELO: 204.74.68.40

but -

2003-08-11 11:53:28 19m65Y-000GD1-0u <= suresh@???
H=(kcircle.com) [61.11.80.112]:10471 I=[204.74.68.40]:25 P=asmtp
A=plain:suresh S=845 id=3F373660.9080602@??? T="test3" from
<suresh@???> for suresh@???
2003-08-11 11:53:28 cwd=/var/spool/exim 3 args: /usr/local/sbin/exim -Mc
19m65Y-000GD1-0u
2003-08-11 11:53:29 19m65Y-000GD1-0u => suresh@???
F=<suresh@???> R=dnslookup T=remote_smtp S=869
H=corpmail.outblaze.com [203.86.166.82] C="250 Ok: queued as B3F7816DD83"
2003-08-11 11:53:29 19m65Y-000GD1-0u Completed

    srs
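The ACL order in the post above, modelled as an added example (not code from the post or from Exim): it walks the same accept/deny statements in sequence over constructed sessions, so the authenticated-user case from the third log passes while the two forged-HELO cases are refused. The local_domains file contents, the relay_from_hosts set and the sessions are constructed stand-ins; the interface address is the one visible in the log.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed stand-in for /usr/local/etc/exim/local_domains (lsearch format)
LOCAL_DOMAINS_FILE = """\
# local domains
hserus.net
example.net: anything after the key is ignored
"""
RELAY_FROM_HOSTS = {"127.0.0.1", "192.0.2.10"}   # +relay_from_hosts (constructed)
INTERFACE_ADDRESS = "204.74.68.40"              # $interface_address, as in the log


def lsearch(key: str, text: str) -> bool:
    """Linear search: the key is the text before the first colon or whitespace."""
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        k = line.replace(":", " ").split()[0]
        if k.lower() == key.lower():     # simplification: domain names are case-insensitive
            return True
    return False


@dataclass
class Session:
    sender_host: Optional[str]          # remote IP; None for local (non-TCP) input
    helo_name: Optional[str]            # $sender_helo_name; None if never sent
    authenticated: bool = False         # AUTH succeeded


def check_rcpt(s: Session) -> str:
    """Verdict of the posted acl_check_rcpt rules, evaluated in the order they appear."""
    if s.sender_host is None:                     # accept hosts = :
        return "accept: local"
    if s.authenticated:                           # accept authenticated = *
        return "accept: authenticated"
    if not s.helo_name:                           # deny: no HELO/EHLO given
        return "deny: RFCs mandate HELO/EHLO before mail can be sent"
    if s.sender_host not in RELAY_FROM_HOSTS:     # hosts = !+relay_from_hosts
        if lsearch(s.helo_name, LOCAL_DOMAINS_FILE):
            return f"deny: Forged hostname detected in HELO: {s.helo_name}"
        if s.helo_name == INTERFACE_ADDRESS:
            return f"deny: Forged IP detected in HELO: {s.helo_name}"
    return "continue: later ACL statements decide"
```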