RE: [Exim] forged HELO/EHLO addresses

Pàgina inicial
Delete this message
Reply to this message
Autor: exim
Data:  
A: exim-users
Assumpte: RE: [Exim] forged HELO/EHLO addresses
exim-users-admin@??? wrote:
> We have a director that uses "senders =" to restrict access to
> certain features based on them being in our local domain.


There's always going to be a better way around that .. somehow. Just a
matter of finding it. Anywho.

> I am running exim 4.20.
>
> Have other people encountered this sort of issue, and if so, how have
> you got around it.


I whack them on the head with an ACL check that happens at the very
start of acl_check_rcpt (this name comes from the default cfg file).
Goes something like this:

# Check the HELO/EHLO host here to see if they're full of it
# Doing it here means that we can see who they are trying to send
to/from
deny message = Bad HELO host. You are not me idiot!
     condition = ${lookup {$sender_helo_name}
lsearch{/etc/exim/bad_helo_hosts}{yes}{no}}


Then the bad_helo_hosts file contains all the hosts (1 per line) they
can put in that are pure lies that they are trying to use the circumvent
the system. You could change the lsearch to a lsearch* and do some
wildcard and the like, but I find that most of them are trying the FQDN
of my host (presented to them on the greeting line) or my own IP
address.

I put this right at the top of the ACL since there is no reason in hell
to accept mail from this type of MTA/virus/spammer. If someone is going
to lie about who they are, they don't even have the right to send
postmaster mail.

The decision to deny them instead of drop them was so they didn't have
to do the whole SYN/ACK thing again only to get knocked back again next
time. Denying means that it doesn't matter how many times they hit a
real address they are just banging their head against a wall and
hopefully they will discontinue use of the address.

Ted.