Re: [exim] Are we being harsh

Author: Matthew Newton
To: Ron McKeating
CC: Exim-Users (E-mail)
Subject: Re: [exim] Are we being harsh
Ron,

On Mon, Apr 04, 2005 at 12:01:31PM +0100, Ron McKeating wrote:
> We have a complaint because we rejected an email that looked like a
> forged hello, here is our log entry
>
> 2005-04-02 16:02:44 H=mail1.gov.im (KEWAIGUE.mailsec) [217.23.170.232]
> rejected EHLO or HELO kewaigue.mailsec: Forged HELO: constructed by
> viruses KEWAIGUE.mailsec
>
> the acl we use to check for this is
>
> # Hacked HELO (DOMAIN.com) (constructed by viruses)
>
>   drop    condition     = ${if match {$sender_helo_name}{\N^[A-Z0-9]+\.[a-z]+$\N}{yes}{no}}
>           condition     = ${if match {$sender_helo_name}{\N^[0-9]+\.[a-z]+$\N}{no}{yes}}
>           message       = Hacked HELO: you are not $sender_helo_name
>           log_message   = Forged HELO: constructed by viruses $sender_helo_name
>
> The user says they have no trouble sending to other sites, we say they
> should set their server up with a proper hello name.
>
> Are we being too harsh?


Hmmm, there are legitimate domains that only have two components. I
would be quite worried about blocking, say, a server that declares
itself as SLASHDOT.org, because that could be correct (the domain is not
case sensitive, only the local-part can be). Agreed, most servers would
just say slashdot.org or mailservername.slashdot.org instead.

I would be more inclined to block /^[^\.]+$/, and did try that when I
started sorting the spam stuff here, but there seem to be far too many
(wrongly configured) clients out there that seem legitimate. Sadly.

I did, however, block localhost.localdomain. That catches up to 100 bad
messages a day. Also block the FQDNs and IPs of my servers; that catches
on average 30,000 connections a day! Well worth doing. I didn't believe
the spammers would be so thick.

In your case I would just about agree with you, not because the HELO
name is CAPS.small, but because the name that they say isn't a correct
FQDN.

Matthew


--
Matthew Newton <mcn4@???>

UNIX and e-mail Systems Administrator, Network Support Section,
Computer Centre, University of Leicester,
Leicester LE1 7RH, United Kingdom
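As an added illustration, not code from either poster and not an Exim configuration, the following Python models the HELO checks discussed in this message: Ron's two-regex ACL (transcribed as quoted, case-sensitive as Exim's `match` is by default) and the alternatives Matthew describes (single-label names, `localhost.localdomain`, and a HELO that claims one of the receiving site's own names or addresses). It also parses the one rejection log line from the thread. `classify_helo`, `parse_helo_rejection`, and the `OWN_NAMES`/`OWN_IPS` sample values are assumptions constructed for the example.

```python
"""Model of the HELO checks discussed in the thread (added example, not Exim
code). Lets the ACL's regexes and Matthew's alternatives be tried on sample
names to see which legitimate-looking hosts each rule would refuse."""
import ipaddress
import re

# Exim's ${if match {...}{\N...\N}} is case-sensitive unless told otherwise,
# so the patterns are used here without re.IGNORECASE, exactly as quoted.
VIRUS_STYLE = re.compile(r"^[A-Z0-9]+\.[a-z]+$")      # first ACL condition
ALL_DIGITS_FIRST = re.compile(r"^[0-9]+\.[a-z]+$")    # second condition, negated in the ACL
SINGLE_LABEL = re.compile(r"^[^.]+$")                 # Matthew's /^[^\.]+$/

# Constructed sample values standing in for "the FQDNs and IPs of my servers";
# a real deployment would list its own MX names and addresses here.
OWN_NAMES = {"mx1.example.org", "mx2.example.org"}
OWN_IPS = {ipaddress.ip_address("192.0.2.10"), ipaddress.ip_address("192.0.2.11")}


def thread_acl_drops(helo: str) -> bool:
    """True when the ACL quoted in the thread would `drop` this HELO name:
    the CAPS.small shape must match AND the first label must not be all digits."""
    return bool(VIRUS_STYLE.match(helo)) and not ALL_DIGITS_FIRST.match(helo)


def _as_ip(helo: str):
    """Parse a HELO given as an address literal '[192.0.2.10]' or a bare IP."""
    try:
        return ipaddress.ip_address(helo.strip("[]"))
    except ValueError:
        return None


def classify_helo(helo: str, own_names=OWN_NAMES, own_ips=OWN_IPS):
    """Return the reason a HELO would be refused, or None if it passes.
    Checks run from the low-false-positive rules Matthew reports good results
    with (own names/IPs, localhost.localdomain) to the broader heuristics
    (single label, CAPS.small) that he argues hit legitimate hosts."""
    name = helo.lower()                      # domain names are case-insensitive
    if name == "localhost.localdomain":
        return "claims localhost.localdomain"
    if name in own_names:
        return "claims to be one of our own servers"
    ip = _as_ip(helo)
    if ip is not None and ip in own_ips:
        return "claims one of our own IP addresses"
    if ip is None and SINGLE_LABEL.match(helo):
        return "single-label name, not an FQDN"
    if thread_acl_drops(helo):
        return "CAPS.small shape (thread ACL)"
    return None


# The rejection line from Ron's log excerpt, used as sample input for the parser.
SAMPLE_LOG = ("2005-04-02 16:02:44 H=mail1.gov.im (KEWAIGUE.mailsec) [217.23.170.232] "
              "rejected EHLO or HELO kewaigue.mailsec: Forged HELO: constructed by "
              "viruses KEWAIGUE.mailsec")

LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) H=(?P<host>\S+) \((?P<helo>[^)]+)\) "
    r"\[(?P<ip>[^\]]+)\] rejected EHLO or HELO \S+: (?P<msg>.*)$"
)


def parse_helo_rejection(line: str):
    """Extract reverse-DNS host, announced HELO and peer IP from an Exim
    'rejected EHLO or HELO' log line, and re-classify the HELO with the
    rules above; returns None for lines of any other shape."""
    m = LOG_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    d["reason"] = classify_helo(d["helo"])
    return d


if __name__ == "__main__":
    for h in ["KEWAIGUE.mailsec", "SLASHDOT.org", "slashdot.org", "123.com",
              "localhost.localdomain", "MX1.example.org", "[192.0.2.10]", "pc"]:
        print(f"{h:25s} -> {classify_helo(h)}")
    print(parse_helo_rejection(SAMPLE_LOG))
```

Running it shows Matthew's point directly: `KEWAIGUE.mailsec` and `SLASHDOT.org` are both refused by the thread's ACL, while `slashdot.org` and `123.com` pass, so the rule keys on letter case rather than on whether the name is a real FQDN.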