Ron,
On Mon, Apr 04, 2005 at 12:01:31PM +0100, Ron McKeating wrote:
> We have a complaint because we rejected an email that looked like a
> forged hello, here is our log entry
>
> 2005-04-02 16:02:44 H=mail1.gov.im (KEWAIGUE.mailsec) [217.23.170.232]
> rejected EHLO or HELO kewaigue.mailsec: Forged HELO: constructed by
> viruses KEWAIGUE.mailsec
>
> the acl we use to check for this is
>
> # Hacked HELO (DOMAIN.com) (constructed by viruses)
>
> drop condition = ${if match \
>        {$sender_helo_name}{\N^[A-Z0-9]+\.[a-z]+$\N}{yes}{no}}
>      condition = ${if match \
>        {$sender_helo_name}{\N^[0-9]+\.[a-z]+$\N}{no}{yes}}
>      message = Hacked HELO: you are not $sender_helo_name
>      log_message = Forged HELO: constructed by viruses $sender_helo_name
>
>
> The user says they have no trouble sending to other sites, we say they
> should set their server up with a proper hello name.
>
> Are we being too harsh?
Hmmm, there are legitimate domains that only have two components. I
would be quite worried about blocking, say, a server that declares
itself as SLASHDOT.org, because that could be correct (the domain is not
case sensitive, only the local-part can be). Agreed, most servers would
just say slashdot.org or mailservername.slashdot.org instead.
I would be more inclined to block /^[^\.]+$/, and did try that when I
started sorting the spam stuff here, but there seem to be far too many
(wrongly configured) clients out there that seem legitimate. Sadly.
I did, however, block localhost.localdomain. That catches up to 100 bad
messages a day. Also block the FQDNs and IPs of my servers; that catches
on average 30,000 connections a day! Well worth doing. I didn't believe
the spammers would be so thick.
In your case I would just about agree with you, not because the HELO
name is CAPS.small, but because the name that they say isn't a correct
FQDN.
Matthew
--
Matthew Newton <mcn4@???>
UNIX and e-mail Systems Administrator, Network Support Section,
Computer Centre, University of Leicester,
Leicester LE1 7RH, United Kingdom
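As an added illustration (not code from either poster, and not an Exim ACL), the following Python script reproduces the quoted ACL's two regexes and puts them beside the checks Matthew describes: rejecting a client that claims the server's own host names or addresses, rejecting localhost.localdomain, flagging dotless names, and judging a name on whether it is a plausible FQDN rather than on its capitalisation. The host names, the IP address 192.0.2.25 and the small TLD set are constructed stand-ins for the example; a real deployment would use the server's actual identities and a proper suffix list or DNS lookup.

```python
import ipaddress
import re

# Constructed sample data (assumptions, not values from the thread): the
# names and addresses this MTA knows as its own. Matthew's point is that a
# client claiming to be *us* is a near-certain forgery.
OUR_HOSTNAMES = {"mail.example.org", "mx1.example.org"}
OUR_IPS = {"192.0.2.25"}

# Stand-in for a real top-level-domain list (public suffix list or a DNS
# lookup in a real deployment); constructed for the example.
KNOWN_TLDS = {"com", "org", "net", "uk", "im", "edu"}

# The two regexes from the ACL quoted in the thread.
CAPS_DOT_LOWER = re.compile(r"^[A-Z0-9]+\.[a-z]+$")
DIGITS_DOT_LOWER = re.compile(r"^[0-9]+\.[a-z]+$")

# Matthew's alternative: a HELO name with no dot at all.
SINGLE_LABEL = re.compile(r"^[^.]+$")


def original_acl_drops(helo: str) -> bool:
    """Reproduce the quoted ACL: drop when the CAPS.small regex matches
    and the digits.small regex does not (both conditions must hold)."""
    return bool(CAPS_DOT_LOWER.match(helo)) and not DIGITS_DOT_LOWER.match(helo)


def classify_helo(helo: str, our_names=OUR_HOSTNAMES, our_ips=OUR_IPS):
    """Return (action, reason) for a HELO/EHLO argument.

    action is 'drop', 'warn' or 'accept'. Certain forgeries are tested
    first, heuristics last.
    """
    name = helo.strip()

    # RFC 2821 allows an address literal such as [192.0.2.25]; only reject
    # it when the client claims one of our own addresses.
    if name.startswith("[") and name.endswith("]"):
        try:
            ip = str(ipaddress.ip_address(name[1:-1]))
        except ValueError:
            return ("drop", "malformed address literal")
        if ip in our_ips:
            return ("drop", "HELO claims one of our own IP addresses")
        return ("accept", "address literal")

    # Domain names are case-insensitive: compare in lower case, which is
    # also why SLASHDOT.org must not be rejected merely for being CAPS.small.
    lower = name.lower()
    if lower in {n.lower() for n in our_names}:
        return ("drop", "HELO claims one of our own host names")
    if lower == "localhost.localdomain":
        return ("drop", "default unconfigured Linux host name")

    # No dot at all: Matthew found too many legitimate but misconfigured
    # clients to drop these outright, so only flag them.
    if SINGLE_LABEL.match(name):
        return ("warn", "single-label HELO, not an FQDN")

    # The case actually at issue: a dotted name whose top-level label is
    # not a real TLD cannot be a correct FQDN, whatever its capitalisation.
    tld = lower.rsplit(".", 1)[-1]
    if tld not in KNOWN_TLDS:
        return ("drop", f"top-level label '{tld}' is not a known TLD")

    return ("accept", "plausible FQDN")


if __name__ == "__main__":
    for h in ["KEWAIGUE.mailsec", "SLASHDOT.org", "localhost.localdomain",
              "MAIL.EXAMPLE.ORG", "[192.0.2.25]", "[198.51.100.7]", "mypc",
              "mail1.gov.im"]:
        print(f"{h:24} original ACL drops={original_acl_drops(h)!s:5} "
              f"-> {classify_helo(h)}")
```

Running it shows the difference Matthew draws: the quoted ACL drops both KEWAIGUE.mailsec and SLASHDOT.org because both are CAPS.small, whereas the FQDN-based check keeps SLASHDOT.org and still rejects KEWAIGUE.mailsec, because "mailsec" is not a top-level domain.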