Re: [Exim] blocking fake yahoo and hotmail

Author: Kevin Reed
Date:  
To: exim-users
Subject: Re: [Exim] blocking fake yahoo and hotmail
Richard.Hall said:
> Hi,
>
> This is obviously my day for being confused :-(
>
> I'm now playing with ...
>
> On Sat, 29 Nov 2003, Kevin Reed wrote:
>> >> http://exim.got-there.com/forums/viewtopic.php?p=465#465
>
> and I'm confused about exactly what it is trying to achieve. I don't
> understand why it uses partial-lsearch, rather than lsearch, in:-
>
>         set acl_m9  = ${lookup{$sender_helo_name} \
>               partial-lsearch{/usr/local/exim/helo-check} \
>               {${if eq{$value}{}{$sender_helo_name}{$value}}}{}}
>
> when the "Contents of the helo-check flat file are:
>             mail.com
>             microsoft.com
>             hotmail.com
>             msn.com hotmail.com
>             compuserve.com
>             aol.com
>             outblaze.com
>             yahoo.com"
>
> i.e. there are no keys in the file prefixed with '*.'
>
>
> Moreover, if I add one, eg '*.hotmail.com', then both
> helo hotmail.com
> and
> helo mc6-s10.hotmail.com
> will now match - but is it safe (in practice) to assume that the rDNS for
> the latter will also be mc6-s10.hotmail.com? No, it isn't:-


This is designed to compare against single domain name HELOs that
spammers use. Typically they will use:

hotmail.com
compuserve.com
mail.com

etc...

You don't want to use *.hotmail.com; it needs to match ONLY
hotmail.com, and then it compares the rightmost portion of the hostname it
actually got for the IP to see if that is in it.

>     2003-12-31 03:38:43 1AbXBt-0002TH-00 <= <> H=(mc6-s10.hotmail.com)
>     [65.54.251.84]
>
>     # nslookup 65.54.251.84
>     Name:    mc6-s10.law1.hotmail.com
>     Address:  65.54.251.84
>
> and I end up dropping messages I shouldn't. (Or maybe I should? Hi, Greg!)
>
> So I _think_ what I need to do is
>
> a) retain partial-lsearch, despite my initial misgivings


I don't know why I used that originally. It appears to work fine with
just lsearch too.

> b) have entries in the check file of the form
>      *.domain.com: domain.com
>    for those domains for which (I believe) the rDNS will always map to
>    _something_.domain.com


No. This is to block users that say HELO hotmail.com when in fact they
are not a hotmail.com server. That match is to the right side of the
received dns from the IP so that mc6-s10.law1.hotmail.com would be valid
if the HELO were hotmail.com.

If the server like hotmail uses a HELO of mc6-s10.law1.hotmail.com this
would not come into play since the helo-check file doesn't have
mc6-s10.law1.hotmail.com in it.

> c) have entries in the check file of the original form
>      domain.com
>    for those domains for which the rDNS will be ok for
>      helo domain.com
>    but not necessarily ok for
>      helo xyz.domain.com
>
> Is that clear? Am I right?
>
> If so, the final question is - which of those in the above list can safely
> be put in category (b)?


My current list of helo-check servers is:

globetrotter.net
relativequantity.com
mosquitonet.com
atd-clan.de
9bit.qc.ca
weblnk.net
online-bill.com
notmydesk.com
cisco.com
mail.yahoo.co.jp
excite.com
lycos.com
mail.com
microsoft.com
hotmail.com
msn.com hotmail.com
compuserve.com
aol.com
outblaze.com
yahoo.com
tnet.com cox.net

Note that some of these are NEVER used by their owners (mail.com, for
example), but lots of people use HELO mail.com, so it blocks them.

Test:

exim -d+expand -bh 64.4.11.69

which is bay7-f69.bay7.hotmail.com

...
220 draco.tnet.com ESMTP Generic MTA Wed, 31 Dec 2003 11:50:36 -0700
smtp_setup_msg entered

helo hotmail.com

...

250 draco.tnet.com Hello bay7-f69.bay7.hotmail.com [64.4.11.69]
SMTP>> 250 draco.tnet.com Hello bay7-f69.bay7.hotmail.com [64.4.11.69]


Accepted.

> ... but if I'm right, helo of "n26.grp.scd.yahoo.com" will match
> *.yahoo.com: yahoo.com
> - not that many spammers are going to bother putting all those extra
> characters in the helo string?


It is not designed to catch HELOs like n26.grp.scd.yahoo.com, just a HELO
of yahoo.com. I've not seen any spammers attempting anything but the
simple domain name. Not that I've really checked, but this check does
catch a lot of mail.

--
Kevin W. Reed - TNET Services, Inc.
Unofficial Exim MTA Info Forums - http://exim.got-there.com/forums
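The check discussed in this thread, as an added Python model of the logic (not Kevin's ACL and not Exim code): the helo-check file is read with plain lsearch semantics (a key, optionally followed by a value separated by whitespace or a colon, as in "msn.com hotmail.com"), the expected domain is derived the way the acl_m9 expansion does it (the value if present, otherwise the key itself), and the reverse-DNS name of the connecting IP is accepted only if its rightmost labels equal that domain. A HELO that is not in the file is not checked at all, which is why a HELO of mc6-s10.law1.hotmail.com never enters into it. The file contents are a constructed copy of the list in the message; the behaviour when the IP has no reverse DNS (reject, since the HELO claim cannot be verified) is an assumption, not something the thread states.

```python
"""Model of the HELO-vs-reverse-DNS check from the exim-users thread.

Added example; it reproduces the logic of the helo-check lookup in plain
Python so the accept/reject decisions can be seen, it is not Exim code.
"""
from __future__ import annotations

# Constructed copy of the helo-check flat file quoted in the message.
# Exim lsearch style: key, then an optional value after whitespace or ':'.
HELO_CHECK_FILE = """\
mail.com
microsoft.com
hotmail.com
msn.com hotmail.com
compuserve.com
aol.com
outblaze.com
yahoo.com
tnet.com cox.net
"""


def parse_helo_check(text: str) -> dict[str, str]:
    """Parse the flat file into {helo_key: value}; value is '' when absent."""
    table: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if ":" in line:
            key, _, value = line.partition(":")
        else:
            key, _, value = line.partition(" ")
        table[key.strip().lower()] = value.strip().lower()
    return table


TABLE = parse_helo_check(HELO_CHECK_FILE)


def expected_domain(helo: str, table: dict[str, str]) -> str | None:
    """Mirror of the acl_m9 expansion: the file's value if one is given,
    otherwise the HELO itself; None when the HELO is not listed at all."""
    key = helo.lower().rstrip(".")
    if key not in table:
        return None
    return table[key] or key


def rdns_under_domain(expected: str, rdns: str) -> bool:
    """True when the rightmost labels of the rDNS name are exactly `expected`.
    Label-aware, so 'notmail.com' does not satisfy 'mail.com'."""
    name = rdns.lower().rstrip(".")
    return name == expected or name.endswith("." + expected)


def check_helo(helo: str, rdns: str, table: dict[str, str] = TABLE) -> str:
    """Return 'not-checked', 'accept' or 'reject' for one SMTP session."""
    expected = expected_domain(helo, table)
    if expected is None:
        return "not-checked"          # HELO not in the file: rule does not apply
    if not rdns:
        return "reject"               # assumption: no rDNS, claim cannot be verified
    return "accept" if rdns_under_domain(expected, rdns) else "reject"


if __name__ == "__main__":
    # Constructed sessions; the first two rDNS names are the ones from the thread.
    sessions = [
        ("hotmail.com", "mc6-s10.law1.hotmail.com"),
        ("hotmail.com", "bay7-f69.bay7.hotmail.com"),
        ("hotmail.com", "dsl-pool-1.example.net"),      # forged HELO
        ("msn.com", "bay7-f69.bay7.hotmail.com"),       # value-mapped entry
        ("mc6-s10.law1.hotmail.com", "mc6-s10.law1.hotmail.com"),
        ("mail.com", ""),                               # no reverse DNS
    ]
    for helo, rdns in sessions:
        print(f"HELO {helo!r:32} rDNS {rdns!r:32} -> {check_helo(helo, rdns)}")
```

Because the match is on whole labels at the right-hand end of the reverse-DNS name, adding "*.hotmail.com" keys is unnecessary for this check: only the bare-domain HELOs that appear in the file are ever examined.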