Re: [Exim] Reverse DNS -- grounds for rejection?

Author: Richard.Hall
Date:  
To: exim-users
Subject: Re: [Exim] Reverse DNS -- grounds for rejection?
Hi,

On Thu, 15 Jan 2004, jzaw wrote:
>
> On Thursday, Jan 15, 2004, at 11:42 Europe/London, Rory Campbell-Lange
> wrote:
>
> > Is a test like this grounds for rejecting mail?
> > I note that quite a few messagelabs servers don't reverse properly.
>
> as you note not everyone has DNS == ip == rDNS so at this stage it's not
> a good idea to reject all non matching rDNS
> only some (but which?) and defo others ... namely emails from sites
> claiming to be MSN or Hotmail for instance
>
> this was offered some time ago by some kind soul on the mail list
> it takes into account failed or lagged dns lookups
> I use it myself
> (if there are any errors or omissions I would welcome corrections -
> thanks)


Well, since you ask, there are a number of things, all pretty minor, but
...

(BTW it was several kind souls - I believe Wakko Warner posted the
original, but it has subsequently been improved by Victor Ustugov, David
Woodhouse and Kevin Reed, and maybe others I missed along the way)

> ###################
> # modified variant to take account of delayed or missing dns servers
> # Check ONLY Certain HELO's against what their hostname is supposed to be
> warn    set acl_m9  = ${lookup{$sender_helo_name} \
>                partial-lsearch{/etc/exim/helo_check} \
>                {${if eq{$value}{}{$sender_helo_name}{$value}}}{}}
> defer   condition = ${if eq{$acl_m9}{}{no}{yes}}
>          condition = ${if eq{$sender_host_name}{}{yes}{no}}
>          condition = ${if eq{$host_lookup_failed}{1}{no}{yes}}
>          message   = Access temporarily denied. Cannot resolve PTR record for $sender_host_address
> drop  log_message = HELO MISMATCH Forged HELO for ($sender_helo_name)
>          condition   = ${if and { \
>                {!eq{$acl_m9}{}} \
>                   {!match{$sender_host_name}{${rxquote:$acl_m9}\N$\N}} \
>                 } \
>                 {yes}{no}}
>          delay       = 30
> #
> ###################


a) the 'warn set ...' can be combined into the 'defer' (cosmetic, might be
marginally more efficient)

b) the partial-lsearch only needs to be lsearch (slightly more efficient)

c) the logic for dealing with valid HELO parameters which can correspond
to more than one (r.h. end of) sender host name was flawed (and fixing
it also requires a change to the format of the flat file, see below)

d) the logic for comparing the HELO parameter with the sender host name
can be tightened up (e.g. to prevent those nasty spammers at gaol.com
pretending to be from aol.com; and thank heavens we weren't interested
in those nice people at hitmail.com - hmmm, maybe not so nice -
interesting website ;-)

so I ended up with this

  defer set acl_m9 = ${lookup {$sender_helo_name} \
                              lsearch {SPAMDIR/HELO-check-domains} \
                              {${if eq {$value} {} \
                                    {${rxquote:$sender_helo_name}} \
                                    {$value} }} \
                              {} }
            # ... set to regex of allowed host names
        condition    = ${if eq {$acl_m9} {} {no} {yes} }
            # ... skip if we are not interested
        condition    = ${if eq {$sender_host_name} {} {yes} {no} }
            # ... no need to defer if we got a host name
        condition    = ${if eq {$host_lookup_failed} {1} {no} {yes} }
            # ... defer if lookup worked (sic!)
        log_message  = PTR resolution failed for $sender_host_address
        message      = Access temporarily denied. \
                       PTR resolution failed for $sender_host_address


  drop  condition   = ${if !eq {$acl_m9} {} {1}}
            # ... i.e. if we are interested from preceding rule
        condition   = ${if !match {$sender_host_name} \
                                  {\N^(.+\.)?\N$acl_m9\N$\N}  \
                           {1} }
            # ... and r.h. end does not match
        log_message = Forged HELO mismatch \
                      ($sender_host_name != $sender_helo_name)
        message     = You are not really $sender_helo_name. Go Away.
        delay       = 30s




> the flat file can be like this


... with one change ...


> ###################
> #
> $ cat /etc/exim/helo_check
>
> mail.com
> microsoft.com
> hotmail.com
> msn.com hotmail.com


... needs to be changed to

msn.com (msn|hotmail)\.com

i.e. the value needs to be a regex combining all the permitted sender host
names

> compuserve.com
> aol.com
> outblaze.com
> yahoo.com
> yahoo.fr
> yahoo.ca
> yahoo.co.uk
>
> #
> ###################
>
> thus only emails claiming to be from the above listed domains are
> checked for rDNS
>
> hope this helps
>
> Zaw


As has been noted previously, this is only designed to deal with

HELO aol.com

and not with

HELO something.aol.com

If anyone is really interested, I have a version which deals with the
extended form. But it catches very, very few, so I wouldn't (currently)
consider it worthwhile.

HTH,
Richard Hall
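The two ACL statements from the message above (the lsearch into the flat file, the defer on an incomplete PTR lookup, and the right-hand-end regex match) re-implemented in Python as an added example, not part of the original message or of Exim itself, so the accept/defer/drop outcomes can be exercised offline. The flat-file contents, host names, and case-folding of lookup keys are assumptions made for the example.

```python
import re

# Constructed flat file in the corrected format discussed in the message:
# key alone means "the HELO name itself"; an optional value is a regex of
# all permitted right-hand ends of the sender host name (e.g. msn.com).
HELO_CHECK_DOMAINS = """\
# comment lines and blanks are ignored, as in Exim lsearch files
aol.com
hotmail.com
msn.com (msn|hotmail)\\.com
yahoo.co.uk
"""


def parse_lsearch(text):
    """Emulate Exim lsearch: first field is the key, the rest is the value.
    Keys are folded to lower case here (assumption for this example)."""
    table = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        table[key.lower()] = value.strip()
    return table


def allowed_hosts_regex(helo_name, table):
    """Mirror the 'defer set acl_m9 = ${lookup ...}' expansion: empty string
    when the HELO is not listed, otherwise a regex of permitted host names
    (a bare key becomes the rxquote'd HELO name, i.e. re.escape)."""
    key = helo_name.lower()
    if key not in table:
        return ""
    return table[key] if table[key] else re.escape(key)


def helo_verdict(helo_name, sender_host_name, host_lookup_failed, table):
    """Return 'accept', 'defer' or 'drop' following the two ACL statements."""
    acl_m9 = allowed_hosts_regex(helo_name, table)
    if not acl_m9:
        return "accept"  # HELO not in the list: we are not interested
    if sender_host_name == "" and not host_lookup_failed:
        return "defer"  # PTR lookup did not complete: temporary failure
    # Anchor at a label boundary so that gaol.com does not pass as aol.com
    # and the bare domain (no leading label) is still accepted.
    if not re.match(r"^(.+\.)?" + acl_m9 + r"$", sender_host_name):
        return "drop"  # forged HELO mismatch
    return "accept"
```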