Hi,
On Thu, 15 Jan 2004, jzaw wrote:
>
> On Thursday, Jan 15, 2004, at 11:42 Europe/London, Rory Campbell-Lange
> wrote:
>
> > Is a test like this grounds for rejecting mail?
> > I note that quite a few messagelabs servers don't reverse properly.
>
> as you note not eveyone has DNS == ip == rDNS so at this stage its not
> a good idea to reject all non maching rDNS
> only some (but which?) and defo others ... namely emails from sites
> claiming to be MSN or Hotmail for instance
>
> this was offered some time ago by some kind soul on the mail list
> it takes into account failed or lagged dns lookups
> I use it myself
> (if there are any errors or omissions I would welcome corrections -
> thanks)
Well, since you ask, there are a number of things, all pretty minor, but
...
(BTW it was several kind souls - I believe Wakko Warner posted the
original, but it has subsequently been improved by Victor Ustugov, David
Woodhouse and Kevin Reed, and maybe others I missed along the way)
> ###################
> # modified variant to take account of delayed or missing dns servers
> # Check ONLY Certain HELO's against what their hostname is supposed to
> be
> warn set acl_m9 = ${lookup{$sender_helo_name} \
> partial-lsearch{/etc/exim/helo_check} \
> {${if eq{$value}{}{$sender_helo_name}{$value}}}{}}
> defer condition = ${if eq{$acl_m9}{}{no}{yes}}
> condition = ${if eq{$sender_host_name}{}{yes}{no}}
> condition = ${if eq{$host_lookup_failed}{1}{no}{yes}}
> message = Access temporarily denied. Cannot resolve PTR
> record for $sender_host_address
> drop log_message = HELO MISMATCH Forged HELO for ($sender_helo_name)
> condition = ${if and { \
> {!eq{$acl_m9}{}} \
> {!match{$sender_host_name}{${rxquote:$acl_m9}\N$\N}} \
> } \
> {yes}{no}}
> delay = 30
> #
> ###################
a) the 'warn set ...' can be combined into the 'defer' (cosmetic, might be
marginally more efficient)
b) the partial-lsearch only needs to be lsearch (slightly more efficient)
c) the logic for dealing with valid HELO parameters which can correspond
to more than one (r.h. end of) sender host name was flawed (and fixing
it also requires a change to the format of the flat file, see below)
d) the logic for comparing the HELO parameter with the sender host name
can be tightened up (eg to prevent those nasty spammers at gaol.com
pretending to be from aol.com; and thank heavens we weren't interested
in those nice people at hitmail.com - hmmm, maybe not so nice -
interesting website ;-)
so I ended up with this
defer set acl_m9 = ${lookup {$sender_helo_name} \
lsearch {SPAMDIR/HELO-check-domains} \
{${if eq {$value} {} \
{${rxquote:$sender_helo_name}} \
{$value} }} \
{} }
# ... set to regex of allowed host names
condition = ${if eq {$acl_m9} {} {no} {yes} }
# ... skip if we are not interested
condition = ${if eq {$sender_host_name} {} {yes} {no} }
# ... no need to defer if we got a host name
condition = ${if eq {$host_lookup_failed} {1} {no} {yes} }
# ... defer if lookup worked (sic!)
log_message = PTR resolution failed for $sender_host_address
message = Access temporarily denied. \
PTR resolution failed for $sender_host_address
drop condition = ${if !eq {$acl_m9} {} {1}}
# ... i.e. if we are interested from preceding rule
condition = ${if !match {$sender_host_name} \
{\N^(.+\.)?\N$acl_m9\N$\N} \
{1} }
# ... and r.h. end does not match
log_message = Forged HELO mismatch \
($sender_host_name != $sender_helo_name)
message = You are not really $sender_helo_name. Go Away.
delay = 30s
> the flat file can be like this
... with one change ...
> ###################
> #
> $ cat /etc/exim/helo_check
>
> mail.com
> microsoft.com
> hotmail.com
> msn.com hotmail.com
... needs to be changed to
msn.com (msn|hotmail)\.com
i.e. the value needs to be a regex combining all the permitted sender host
names
> compuserve.com
> aol.com
> outblaze.com
> yahoo.com
> yahoo.fr
> yahoo.ca
> yahoo.co.uk
>
> #
> ###################
>
> thus only emails claiming to be from the above listed domains are
> checked for rDNS
>
> hope this helps
>
> Zaw
As has been noted previously, this is only designed to deal with
HELO aol.com
and not with
HELO something.aol.com
If anyone is really interested, I have a version which deals with the
extended form. But it catches very, very few, so I wouldn't (currently)
consider it worthwhile.
HTH,
Richard Hall
