I am a long-time lurker here and used some existing work to write a new
ACL filter that helps to minimize spam and viruses actually getting through
the HELO stage.
Credits should go to all the kind folks contributing to this list.
Using the HELO recipes summarized here
http://exim.got-there.com/forums/viewtopic.php?t=346
the goal was to write a generic rule that would take any host
HELOing as DOMAIN.EXT or a string without a dot
and force an RDNS lookup test, thus eliminating the need to list
domains in a separate file (although it would be nice to have
the ability to also include the list, so we can include the RDNS
test for known forged domains that are in the form
SUB.DOMAIN.EXT as well).
Here is the code:
# check for a short HELO (bare label or DOMAIN.EXT, hyphens allowed) in
# preparation for the reverse lookup test; \N...\N passes the regex to
# PCRE untouched, so the backslashes and the $ survive string expansion
deny    condition = ${if match{$sender_helo_name} \
                      {\N^[\w-]+(\.[\w-]+)?$\N} \
                      {yes}{no}}
        # the reverse DNS name of the sender does not end in its HELO name;
        # rxquote escapes regex metacharacters in the HELO, and an empty
        # $sender_host_name (no RDNS at all) never matches, so it is denied too
        condition = ${if !match{$sender_host_name} \
                      {${rxquote:$sender_helo_name}\N$\N} \
                      {yes}{no}}
        # hosts listed in /etc/relayhosts (one IP address per line) are
        # exempt so they can HELO any which way they want
        condition = ${lookup {$sender_host_address} \
                      lsearch{/etc/relayhosts}{no}{yes}}
        # a multi-line message needs trailing backslashes in the Exim config
        message   = You are not $sender_helo_name, you are $sender_host_name at \
                    $sender_host_address, or you have not configured a reverse \
                    PTR on this IP. If you have a local account on this \
                    server, be sure to log in by checking for your new \
                    messages before sending mail.
# end of code
I am just starting to write these rules and would appreciate any
feedback or help so we can throw together a decent filter for everyone
to use.
- Is it too aggressive to expect all hosts to have RDNS in production?
I know there are mail servers that do not have it, but more and more
providers are now rejecting mail if RDNS is not present.
- The code above could use an additional condition to draw from a list,
which would address the hotmail.com / msn.com issue.
Would adding
        condition = ${lookup {$sender_host_address} \
                      lsearch{/etc/coded-list}{yes}{no}}
solve this issue?
- Is there a way to soften the aggressiveness of this rule by rewriting
it so it would reject only if there is a discrepancy between
sender_host_name and sender_helo_name, but would NOT reject if no RDNS
is provided?
There is probably a more elegant way to combine the conditions, but my
knowledge of the code is not sufficient.
We have a few domains that get spammed at a rate of 100,000 messages per
day; many messages originate from forged IP address HELO or forged
domain HELO hosts, but the hosts vary too much to write a hard-coded
list, so this or a similar filter seems to be the answer.
Thanks for listening,
Genie Livingstone
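The deny rule from the post, modelled in Python as an added example so its
decisions can be checked offline. This is not Exim configuration and not code
from the post: the regex mirrors the short-HELO test, `rdns_mismatch` mirrors
the `!match` with `rxquote`, and the `relayhosts` set stands in for
/etc/relayhosts. The `require_rdns` flag models the softened variant asked
about in the third question (only a present-but-different reverse name
triggers the rejection); in Exim that corresponds to adding a
`condition = ${if def:sender_host_name}` line. All sample sessions are
constructed.

```python
"""Model of the HELO-versus-reverse-DNS deny rule.

Added example, not Exim configuration: it reproduces the decision the ACL
makes so the behaviour can be checked against constructed samples offline.
"""
import re
from typing import Optional, Set

# First condition of the rule: HELO is a bare label or DOMAIN.EXT.
# Hyphens are allowed in labels; anything with more dots, or a bracketed
# address literal such as [192.0.2.5], is not "short" and skips the rule.
SHORT_HELO = re.compile(r"^[\w-]+(\.[\w-]+)?$")


def is_short_helo(helo: str) -> bool:
    r"""Model ${if match{$sender_helo_name}{\N^[\w-]+(\.[\w-]+)?$\N}}."""
    return SHORT_HELO.match(helo) is not None


def rdns_mismatch(helo: str, host_name: Optional[str]) -> bool:
    r"""Model ${if !match{$sender_host_name}{${rxquote:$sender_helo_name}\N$\N}}.

    rxquote escapes regex metacharacters in the HELO, so a HELO of "a.b"
    must match a literal dot in the reverse name. The match is
    case-sensitive, as a PCRE pattern is unless it says otherwise. An
    empty reverse name (no PTR record) never matches, which is why the
    strict rule rejects hosts without RDNS.
    """
    tail = re.compile(re.escape(helo) + "$")
    return tail.search(host_name or "") is None


def should_deny(helo: str, host_name: Optional[str], host_address: str,
                relayhosts: Set[str], require_rdns: bool = False) -> bool:
    """Return True when every condition of the deny statement is true.

    require_rdns=True is the softened variant: hosts with no reverse name
    at all are left to other checks, and only a present-but-different
    reverse name triggers the rejection.
    """
    if not is_short_helo(helo):
        return False
    if require_rdns and not host_name:
        return False
    if not rdns_mismatch(helo, host_name):
        return False
    # Third condition: addresses listed in the relayhosts file are exempt.
    if host_address in relayhosts:
        return False
    return True


# Constructed sample sessions (not real traffic): HELO, reverse name, IP.
SAMPLES = [
    ("example.com", "mail.example.com", "192.0.2.10"),
    ("example.com", "pool-17.dsl.example.net", "192.0.2.11"),
    ("example.com", None, "192.0.2.12"),
    ("mail.example.com", None, "192.0.2.13"),
    ("localhost", "pool-18.dsl.example.net", "192.0.2.20"),
]
RELAYHOSTS = {"192.0.2.20"}  # constructed stand-in for /etc/relayhosts


def evaluate(samples, relayhosts, require_rdns=False):
    """Return {"helo@ip": denied?} for each constructed sample."""
    return {
        f"{helo}@{ip}": should_deny(helo, rdns, ip, relayhosts, require_rdns)
        for helo, rdns, ip in samples
    }


if __name__ == "__main__":
    for mode in (False, True):
        print("softened" if mode else "strict")
        for key, denied in evaluate(SAMPLES, RELAYHOSTS, mode).items():
            print(f"  {key:32} {'DENY' if denied else 'pass'}")
```

Running it prints the decision table twice, strict and softened; the only row
that changes between the two is the sender with no reverse name at all, which
is exactly the case the third question is about.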