Paul <paul@???> wrote:
> Hi all,
>
> We recently had a large flood of email bomb our server and it all
> appears to be big spam floods from random sources.
> The majority of if that I can see anyway seems to be faking its
> source as our server's IP address, See below
>
> 2004-08-18 14:24:48 1BxI0B-000748-00 <=
> JUBCBEXT@??? H=(our.ip.address.here)
> [random.spammer.IP.here] P=smtp S=1668 id=bonyalqj@???
>
> It looks like they fake the HELO as our own IP address and do a big
> bunch of RCPT to's for lots of our users.
> Can we block this type of email on a global scale in our exim
> configuration? Is this something considered safe and a good approach?
> I can't see our server legitimately emailing itself and using it's
> own IP as the HELO and not as the source IP in the email.
> In the above cases the HELO or H= IP is always our IP and the source
> is their random IP
HELOing as your IP is a very common spam sign, and you can be completely
confident in blocking it. In fact, HELO as *any* bare IP is invalid and can
be blocked - with a small risk of false positives with misconfigured mailers
(some here would say that's not a FP, that's another debate).
Here's my ACL extract for this:
deny message = Your server announces itself \
($sender_helo_name) with a bare \
IP address which is in breach of RFC2821.
log_message = HELO with bare IP : $sender_helo_name
condition = ${if match {$sender_helo_name}\
{^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+\$}\
{yes}{no}}
(which was borrowed from an earlier list posting - due credit to {insert
name here})
David Woodhouse posted a link yesterday to his HELO checking fragment
http://www.infradead.org/~dwmw2/eximconf/include/acl-helo
which does some more clever things. But the basic rule above will get rid of
the ones you're seeing in short order. The next most useful is a check
against HELOing with your domain name(s), which is only ever genuine when
you're acting as MSA for clients using odd mailers. You can use a generic
ACL for this and maintain a file of bad things - the first snippet in
David's example does this.
Do remember to put this in the RCPT acl, not the HELO acl as the spamware
concerned may not react as you hope if you reject at HELO time.
Peter