Re: [Exim] forged HELO/EHLO addresses

Author: Mike Meredith
Date:  
To: exim-users
Subject: Re: [Exim] forged HELO/EHLO addresses
--
On Wed, 12 Nov 2003 14:23:52 +0000 (GMT), Alan J. Flavell wrote:
> On the other hand, something like "HELO 11.22.33.44" would slip past
> the above recipe unchallenged. But if they present our own IP address
> (a rather common spammer trick, though I'm not sure what they hope to
> gain by it), we reject it in a separate recipe. Hmmm: I suppose we
> could really reject anything that looks like nothing more than a
> dotted IP address, as not conforming to the requirements of the RFC -
> what does the team think?
I've been blocking on "HELO ip.address" (not "HELO [ip.address]") for
quite a while. It doesn't block too much (629 out of 37282 blocks so far
today), but it also doesn't seem to catch many innocent but ignorant
server administrators (the first one came in this morning).

I can't see a problem in rejecting traffic that looks like mail but
isn't.

--
Mike Meredith, Senior Informatics Officer
University of Portsmouth: Hostmaster, Postmaster and Security
'The only politician I respect is Caligula.'
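As an added example (not part of Mike's message and not Exim's own code), the HELO classification discussed above, written out in Python: a bare dotted-quad such as "HELO 11.22.33.44" is rejected, a bracketed address literal "[11.22.33.44]" is accepted as RFC 2821 allows, and a HELO presenting the receiving server's own address or name is rejected separately, as Alan's recipe does. The address 192.0.2.10, the name mail.example.com and the sample HELO list are constructed for the example.

```python
import ipaddress
import re
from collections import Counter

# Constructed for this example: the addresses and names this MTA answers to.
OUR_IPS = {"192.0.2.10"}
OUR_NAMES = {"mail.example.com"}

# A dotted quad with no surrounding brackets. RFC 2821 requires an address
# literal to be written as [a.b.c.d] (or [IPv6:...]); a bare one is not a
# valid HELO argument, which is the case Mike blocks on.
_BARE_IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
# A bracketed address literal, with an optional IPv6: tag.
_LITERAL = re.compile(r"^\[(?:IPv6:)?([0-9A-Fa-f.:]+)\]$")
# One DNS label: alphanumerics and hyphens, no leading or trailing hyphen.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def check_helo(helo, our_ips=OUR_IPS, our_names=OUR_NAMES):
    """Classify a HELO/EHLO argument. Returns (verdict, reason)."""
    helo = helo.strip()
    if not helo:
        return ("reject", "empty HELO argument")

    m = _LITERAL.match(helo)
    if m:
        # Bracketed literal: valid syntax, but it must parse as an address
        # and must not be one of our own.
        try:
            addr = ipaddress.ip_address(m.group(1))
        except ValueError:
            return ("reject", "malformed address literal")
        if str(addr) in our_ips:
            return ("reject", "address literal is our own address")
        return ("accept", "address literal")

    if _BARE_IPV4.match(helo):
        # Covers both a random bare IP and a bare copy of our own IP.
        return ("reject", "bare IP address without brackets")

    if helo.lower() in our_names:
        return ("reject", "claims our own host name")

    # Assumption for the example: require at least two syntactically valid
    # labels, i.e. something that looks like a fully qualified name.
    labels = helo.split(".")
    if len(labels) < 2 or not all(_LABEL.match(l) for l in labels):
        return ("reject", "not a syntactically valid domain name")
    return ("accept", "domain name")


def tally(helos):
    """Count verdicts and reasons over a list of HELO arguments,
    the way one would tally a day's worth of rejections."""
    counts = Counter()
    for h in helos:
        verdict, reason = check_helo(h)
        counts[(verdict, reason)] += 1
    return counts


# Constructed sample HELO arguments, not real traffic.
SAMPLE_HELOS = [
    "mx.example.net",
    "11.22.33.44",
    "[11.22.33.44]",
    "192.0.2.10",
    "[192.0.2.10]",
    "mail.example.com",
    "[IPv6:2001:db8::1]",
    "localhost",
    "",
]

if __name__ == "__main__":
    for (verdict, reason), n in sorted(tally(SAMPLE_HELOS).items()):
        print(f"{n:4d}  {verdict:6s}  {reason}")
```

In Exim the same test is normally placed in the `acl_smtp_helo` ACL as a `deny` with a `condition` on `$sender_helo_name`, for example matching it against the bare dotted-quad pattern above; the Python is only the logic spelled out so the accept and reject cases can be checked in isolation.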