Re: [Exim] forged HELO/EHLO addresses

Página Inicial
Delete this message
Reply to this message
Autor: David Saez
Data:  
Para: Suresh Ramasubramanian
CC: Alan J. Flavell, Exim Users Mailing List
Assunto: Re: [Exim] forged HELO/EHLO addresses
Hi !!

> > We have also being rejecting based on helo with almost no false
> > positives and now it produces about 50% of rejections, one simple
> > helo rule will catch lots of viruses that rewrite the infected
> > windows computer name and use it as the helo:
>
> That is, the netbios name of the infected computer?
>
> Yes, you could use non fqdn HELOs as something that gets a relatively
> high spamassasin score, but what you are going to get is a lot of
> collateral damage.


that rules matches valid fqdn HELOs (DOMAIN.com is a valid fqdn), but
only the ones that have only two parts, the first one only uppercase
and the last one only lowercase. This one gets no false positives as
this kind of HELO's are made by viruses trying to get a valid HELO
appending .com/.net/.ortg/... to the computer name, in the other hand
it's very uncommon that some human make such this HELO's

> A lot of the trojans helo as your own domain or IP though... those are
> easier to block.


we also do that, but it's more common to see DOMAIN.com that our own
ip/hostname. We also check that HELO's that are ip addresses match the
remote host ip address.

--
Best regards ...

Don't ask me, I'm making this up as I go!

----------------------------------------------------------------
   David Saez Padros                http://www.ols.es
   On-Line Services 2000 S.L.       e-mail  david@???
   Pintor Vayreda 1                 telf    +34 902 50 29 75
   08184 Palau-Solita i Plegamans   movil   +34 670 35 27 53
----------------------------------------------------------------