RE: [Exim] forged HELO/EHLO addresses

Author: Luzynski, Steve
Date:  
To: exim-users
Subject: RE: [Exim] forged HELO/EHLO addresses
David Snowden wrote:
> We have a director that uses "senders =" to restrict access to
> certain features based on them being in our local domain.
>
> However, I have noticed that if a spammer uses our local domain name
> in a forged HELO/EHLO command then the director is fooled into
> thinking that this message has originated locally and can use this
> particular facility.
>
> What would be the best way around this?
>
> I could try using helo_verify_hosts to block the forged HELO/EHLOs,
> but I seem to recall from previous discussions on the list that that
> can lead to the rejection of a lot of genuine connections from
> misconfigured sites whose HELO/EHLO address doesn't match the
> hostname from a reverse DNS lookup of their IP address.


I'm using the following in the acl_check_rcpt ACL:

  # Forged HELOs: a remote host (i.e. not in relay_from_hosts) presenting
  # one of our own domains as its HELO/EHLO argument.
  deny message     = Forged hostname detected in HELO - $sender_helo_name
       hosts       = !+relay_from_hosts
       log_message = Forged hostname detected in HELO - $sender_helo_name
       condition   = ${lookup{$sender_helo_name}dbm{/etc/mail/localdomains.db}{yes}{no}}

  # Same idea for a remote host presenting our own IP address in HELO/EHLO.
  deny message     = Forged IP detected in HELO - $sender_helo_name
       hosts       = !+relay_from_hosts
       log_message = Forged IP detected in HELO: $sender_helo_name
       condition   = ${if eq{$sender_helo_name}{$interface_address}{yes}{no}}

In this case, /etc/mail/localdomains.db is a db file with my local
domains in it, and relay_from_hosts is the list of IP addresses that are
allowed to relay mail through the server (internal addresses).

You're correct that doing the verify during HELO/EHLO time is not good
since many broken MTAs will continue to retry over and over; a reject
after RCPT TO tends to work better with those ill-behaved MTAs.

--
Steve Luzynski
Aquila, Inc.
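An added test harness (not from the post, and not Exim's own code) that models the two deny statements in Python so they can be exercised against sample HELO/peer-IP pairs before going into a live acl_check_rcpt. The local domains, relay networks and interface address are constructed samples; lowercasing the HELO argument and stripping address-literal brackets is an assumption added here, since the posted rules compare $sender_helo_name exactly as given (a dbm lookup is an exact-key match).

```python
import ipaddress

# Constructed sample data standing in for /etc/mail/localdomains.db and for
# the relay_from_hosts host list (internal addresses allowed to relay).
LOCAL_DOMAINS = {"example.com", "mail.example.com"}
RELAY_FROM_HOSTS = [ipaddress.ip_network("10.0.0.0/8"),
                    ipaddress.ip_network("192.168.1.0/24")]
INTERFACE_ADDRESS = "203.0.113.25"   # constructed: the MX's listening IP


def normalise_helo(helo):
    """Lowercase the HELO/EHLO argument and unwrap an address literal [a.b.c.d].

    Assumption added for this model: the posted Exim rules do not do this.
    """
    helo = helo.strip().lower()
    if helo.startswith("[") and helo.endswith("]"):
        helo = helo[1:-1]
    return helo


def check_helo(helo, peer_ip, local_domains=LOCAL_DOMAINS,
               relay_from_hosts=RELAY_FROM_HOSTS,
               interface_address=INTERFACE_ADDRESS):
    """Return ("deny", log_message) or ("accept", None) for one RCPT-time check.

    Order follows the post: hosts = !+relay_from_hosts is evaluated first,
    so internal senders are exempt from both forged-HELO checks.
    """
    addr = ipaddress.ip_address(peer_ip)
    if any(addr in net for net in relay_from_hosts):
        return ("accept", None)
    name = normalise_helo(helo)
    if name in local_domains:
        return ("deny", "Forged hostname detected in HELO - %s" % helo)
    if name == interface_address:
        return ("deny", "Forged IP detected in HELO: %s" % helo)
    return ("accept", None)


if __name__ == "__main__":
    # Constructed sessions: forged local domain (two spellings), forged
    # address literal, a legitimate remote MTA, and an internal host.
    for helo, ip in [("example.com", "198.51.100.7"),
                     ("EXAMPLE.COM", "198.51.100.7"),
                     ("[203.0.113.25]", "198.51.100.8"),
                     ("mx.partner.invalid", "198.51.100.9"),
                     ("example.com", "10.4.2.1")]:
        print(helo, ip, check_helo(helo, ip))
```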