Re: [Exim] forged HELO/EHLO addresses

Top Page
This message is part of the following thread:
M----\the complete thread tree sorted by date
M+++\MAlan J. Flavell at <-
MMMMMMWalt Reed at ->
Delete this message
Reply to this message
Author: Mike Meredith
Date:  
To: exim-users
Subject: Re: [Exim] forged HELO/EHLO addresses
--
On Wed, 12 Nov 2003 14:23:52 +0000 (GMT), Alan J. Flavell wrote:
> On the other hand, something like "HELO 11.22.33.44" would slip past
> the above recipe unchallenged. But if they present our own IP address
> (a rather common spammer trick, though I'm not sure what they hope to
> gain by it), we reject it in a separate recipe. Hmmm: I suppose we
> could really reject anything that looks like nothing more than a
> dotted IP address, as not conforming to the requirements of the RFC -
> what does the team think?

I've been blocking on "HELO ip.address" (not "HELO [ip.address]") for
quite a while. It doesn't block too much (629 out of 37282 blocks so far
today), but it also doesn't seem to catch many innocent but ignorant
server administrators (the first one came in this morning).

I can't see a problem in rejecting traffic that looks like mail but
isn't.

--
Mike Meredith, Senior Informatics Officer
University of Portsmouth: Hostmaster, Postmaster and Security
'The only politician I respect is Caligula.'
--
[ Content of type application/pgp-signature deleted ]
--


This message was posted to the following mailing lists:
Exim-users
Mailing List Info | Nearby Messages		<-Re: [Exim] forged HELO/EHLO addressesRe: [Exim] forged HELO/EHLO addresses->
Tahini and Hummus and Cumin Development Archives administrated by cumin AdminsLurker (version 2.3)