Richard Welty
> Sent: Wednesday, August 27, 2003 6:25 AM
> To: Exim Users List
> Subject: Re[2]: [Exim] exim HELO ack
>
>
> On Wed, 27 Aug 2003 12:05:25 +0100 Jez Hancock
> <jez.hancock@???> wrote:
>
> > Personally I'm not overwhelmed by spammers or other abusers who misuse
> > the HELO/EHLO command and I can't justify denying or dropping clients
> > based solely on the fact that they don't use a FQDN or even an address
> > literal in their HELO/EHLO - a lot of my users use OE which appears to
> > not adhere to this anyway.
>
> but some of us are getting pounded pretty good by Sobig.F
> coming from windoze systems with non-FQDN HELO strings, and
> it's a good way to recognize and drop those connections fast
> and keep our loads down.

I'm catching them with bad TZ date headers and a check for pif and scr
attachments. Where I am at, I've got too much real mail arriving with bad
HELOs, so for right now I am simply marking them in the logs so later I can
do a survey to look at the situation longer.

  # Log only for now; the commented-out drop line is the rejecting variant.
  warn log_message = BROKEN HELO/EHLO: Hello doesn't look like a hostname ($sender_helo_name)
  # drop message = BROKEN HELO/EHLO: Hello doesn't look like a hostname ($sender_helo_name)
       condition = ${if match{$sender_helo_name} \
                      {\N^[^.].*\.[^.]+$\N} \
                      {no}{yes} \
                    }

2003-08-27 09:10:07 H=[212.145.142.47] Warning: BROKEN HELO/EHLO: Hello doesn't look like a hostname (slanvwy)
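
Added example, not part of the original message: a Python sketch of the log survey mentioned above. It applies the same regular expression as the ACL condition and tallies the BROKEN HELO/EHLO warnings by sending IP and by why the name failed. The log layout follows the sample line in the message; every sample line except the first is constructed, and the function names are hypothetical.

```python
import re
from collections import Counter

# Same pattern as the ACL condition; the ACL warns when it does NOT match.
LOOKS_LIKE_HOSTNAME = re.compile(r"^[^.].*\.[^.]+$")

# Layout taken from the sample log line in the message (assumed stable).
WARNING_LINE = re.compile(
    r"^\S+ \S+ H=(?:\S+ )*\[(?P<ip>[^\]]+)\] Warning: BROKEN HELO/EHLO: "
    r".*\((?P<helo>.*)\)$"
)

def helo_is_flagged(helo):
    """True when the ACL condition would fire for this HELO/EHLO name."""
    return LOOKS_LIKE_HOSTNAME.search(helo) is None

def reason(helo):
    """Why a flagged name fails: these four cases are the only ways to miss."""
    if helo == "":
        return "empty"
    if helo.startswith("."):
        return "leading dot"
    if helo.endswith("."):
        return "trailing dot"
    return "no dot"

def survey(lines):
    """Tally warnings per sending IP and per failure reason."""
    by_ip, by_reason = Counter(), Counter()
    for line in lines:
        m = WARNING_LINE.match(line.rstrip("\n"))
        if m:
            by_ip[m.group("ip")] += 1
            by_reason[reason(m.group("helo"))] += 1
    return by_ip, by_reason

# First entry is the line from the message; the rest are constructed samples.
_W = "{} H=[{}] Warning: BROKEN HELO/EHLO: Hello doesn't look like a hostname ({})"
SAMPLE_LOG = [
    _W.format("2003-08-27 09:10:07", "212.145.142.47", "slanvwy"),
    _W.format("2003-08-27 09:11:40", "192.0.2.10", "pc01"),
    _W.format("2003-08-27 09:12:02", "192.0.2.10", "pc01"),
    _W.format("2003-08-27 09:15:19", "192.0.2.77", "mail.example.com."),
    "2003-08-27 09:20:00 Start queue run: pid=1234",
]

if __name__ == "__main__":
    ips, reasons = survey(SAMPLE_LOG)
    print(ips.most_common(), reasons.most_common())
```

The pattern only requires a dot somewhere after the first character with at least one non-dot character after the last dot, so an address literal such as `[192.0.2.1]` is not flagged, while a fully qualified name written with a trailing dot is.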