[Exim] caching HELO/EHLO data

Author: Ollie Cook
Date:
To: exim-users
Subject: [Exim] caching HELO/EHLO data
I have rolled a patch against Exim 4.30 to detect hosts who identify themselves
using different HELO/EHLO arguments over time, since this helps detect two
patterns of spam software that we see at our site:

- hosts that HELO as yahoo.com, then hotmail.com then yahoo.co.uk etc.
- hosts that HELO as hosteddomain1.com, then hosteddomain2.org etc. where
the HELO argument matches recipient domain

This is implemented in terms of another hints database in Exim with a short
(configurable) timeout. A new variable is available containing the most
recently cached value which can then be used in ACLs if needed to compare
against what the client actually said in HELO/EHLO.

e.g.

  # Deny from hosts with changing HELO/EHLO
  deny    message   = rejected HELO/EHLO argument \
                      [$previous_sender_helo_name (cached) != $sender_helo_name]
          condition = ${if and {\
                                {def:sender_helo_name}\
                                {def:previous_sender_helo_name}\
                               }\
                               {${if eq{$sender_helo_name}\
                                       {$previous_sender_helo_name}\
                                       {no}{yes}}}\
                               {no}}


However, it seems that some legitimate sites change their HELO/EHLO argument
quite frequently, despite the connecting IP address being constant.

e.g.

2004-03-03 10:46:01 detected change in EHLO argument from mxpool13.ebay.com [66.135.197.19] (mx27.sjc.ebay.com -> mx28.sjc.ebay.com)
2004-03-03 10:46:39 detected change in EHLO argument from mxpool13.ebay.com [66.135.197.19] (mx28.sjc.ebay.com -> mx27.sjc.ebay.com)
2004-03-03 10:51:45 detected change in HELO argument from mail-kr.bigfoot.com [211.115.216.222] (mail-kr.bigfoot.com -> bigfoot.com)
2004-03-03 10:54:50 detected change in HELO argument from mail-kr.bigfoot.com [211.115.216.222] (bigfoot.com -> mail-kr.bigfoot.com)

RFC 2821 section 4.1.1.1 says:

  |    server.  The argument field contains the fully-qualified domain name
  |    of the SMTP client if one is available.


I take this to imply that it's reasonable to expect that hosts should only
identify themselves with one constant string. Do others concur, or know of any
other place where the consistency of HELO/EHLO arguments is discussed?

If anyone would like to test this patch, please email me off list.

Cheers,

Ollie
--
Oliver Cook    Systems Administrator, Claranet UK
ollie@???               +44 20 7903 3065
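The cache and ACL test described in the post, modelled as an added example (this is not code from the post, from the patch, or from Exim): a per-IP store of the last HELO/EHLO name with a short expiry stands in for the hints database, and `strict_check` applies the same "previous value defined and different" rule as the posted ACL. Replaying constructed events through it reproduces the false positive the post's log excerpt shows (a mail pool alternating between two hostnames is denied just like a spammer rotating through yahoo.com, hotmail.com and yahoo.co.uk). The `HeloHistory` class at the end is one possible refinement, not something the post proposes: it remembers every name an IP used within the window and only denies once the number of distinct names exceeds a small allowance. The timeout, the allowance, the event format and the addresses are all assumptions made for illustration.

```python
from collections import defaultdict


class HeloCache:
    """Per-IP store of the most recent HELO/EHLO name with a short expiry,
    standing in for the hints database described in the post."""

    def __init__(self, timeout):
        self.timeout = timeout  # seconds an entry stays valid (assumed value)
        self._store = {}        # ip -> (helo_name, time_recorded)

    def previous(self, ip, now):
        """Cached name for ip, or None when absent or expired; None plays the
        role of $previous_sender_helo_name being undefined in the ACL."""
        entry = self._store.get(ip)
        if entry is None or now - entry[1] > self.timeout:
            return None
        return entry[0]

    def record(self, ip, helo, now):
        self._store[ip] = (helo, now)


def strict_check(cache, ip, helo, now):
    """The posted ACL condition: deny only when a cached value exists and
    differs from what the client said now. Returns (verdict, previous)."""
    prev = cache.previous(ip, now)
    cache.record(ip, helo, now)
    if prev is not None and prev != helo:
        return "deny", prev
    return "accept", prev


def run_strict(events, timeout=600):
    """Replay (time, ip, helo) events through the strict check and return
    the (time, ip, old, new) changes it would have reported."""
    cache = HeloCache(timeout)
    changes = []
    for t, ip, helo in events:
        verdict, prev = strict_check(cache, ip, helo, t)
        if verdict == "deny":
            changes.append((t, ip, prev, helo))
    return changes


class HeloHistory:
    """Tolerant variant (an assumption, not in the post): keep every name an
    IP used within the window and deny only when the count of distinct names
    exceeds max_names, so a pool alternating between two hostnames passes
    while a client cycling through many different names does not."""

    def __init__(self, timeout, max_names):
        self.timeout = timeout
        self.max_names = max_names
        self._seen = defaultdict(dict)  # ip -> {helo_name: last_seen}

    def observe(self, ip, helo, now):
        names = self._seen[ip]
        # Forget names not seen within the window before counting.
        for name in [n for n, t in names.items() if now - t > self.timeout]:
            del names[name]
        names[helo] = now
        return "deny" if len(names) > self.max_names else "accept"


def run_tolerant(events, timeout=600, max_names=2):
    history = HeloHistory(timeout, max_names)
    return [(t, ip, helo) for t, ip, helo in events
            if history.observe(ip, helo, t) == "deny"]


# Constructed events (seconds, client IP, HELO/EHLO argument). The first
# group mimics the legitimate alternating pool in the post's log excerpt,
# the second the rotating-HELO spam pattern it describes. Addresses come
# from documentation ranges and are not real hosts.
EVENTS = [
    (0,   "192.0.2.10", "mx27.example.net"),
    (38,  "192.0.2.10", "mx28.example.net"),
    (95,  "192.0.2.10", "mx27.example.net"),
    (120, "203.0.113.7", "yahoo.com"),
    (121, "203.0.113.7", "hotmail.com"),
    (122, "203.0.113.7", "yahoo.co.uk"),
    # Same pool host after the cache entry has expired: no previous value,
    # so nothing is reported even though the name differs from the last one.
    (800, "192.0.2.10", "mx28.example.net"),
]


if __name__ == "__main__":
    for t, ip, old, new in run_strict(EVENTS):
        print(f"t={t:>3} detected change in HELO argument from [{ip}] ({old} -> {new})")
    print("tolerant variant denies:", run_tolerant(EVENTS))
```

With the strict rule both pool changes (mx27 -> mx28 -> mx27) are denied alongside the spam rotation; the tolerant variant with an allowance of two names denies only the third distinct name from the rotating client and accepts the pool, which is the trade-off the post's false positives point at.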