Re: [exim] Exim rejects: syntactically invalid argument

Author: Marc Sherman
Date:  
To: exim-users
Subject: Re: [exim] Exim rejects: syntactically invalid argument
On Wednesday 28 September 2005 11:14, Tony Finch wrote:
>
>
>>There are plenty of other things that turn up in HELO hostnames which
>>*are* an accurate indicator of evil behaviour.


Adam Funk wrote:
>
> I have to ask: what do the malefactors expect to accomplish by sending
> helo strings that violate such tests (which I think are well-known)?


Adding these HELO checks to my ACLs has been on my todo list for a
while. This thread got me interested in them again, so I did a quick
search of my mainlog to find how many messages I was getting from hosts
saying HELO as projectile.ca.

# exigrep "H=.*" mainlog* | grep -v "^$" | wc -l
9408
# exigrep "H=[^=]*\([^)]*projectile\.ca\)" mainlog* | grep -v "^$" | wc -l
29
# exigrep ".{6}-.{6}-.{2} H=[^=]*\([^)]*projectile\.ca\)" mainlog* | grep -v "^$" | wc -l
2

So out of 9408 HELO entries in my logs, 29 were bogus projectile.ca
hosts, and of those, only 2 made it as far as the DATA ACL to get a
message ID assigned. The other 27 were mostly rejected by recipient or
sender verification (without callouts) in the RCPT ACL. The 2 that made
it to the DATA ACL were both promptly rejected by clamav; none were
actually scanned by spamassassin, or delivered.

So I guess I don't need to rush to add HELO checks to my ACLs, after all.

- Marc
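A small log-analysis script, added here as an illustration and not part of Marc's post, that does over a constructed mainlog sample what the exigrep pipeline above does: it counts H= entries, those whose HELO name claims the local domain, and how many of those carry a message id (i.e. got as far as DATA). The sample log lines, IPs and message ids are constructed; the H= layout follows Exim's "H=name (helo) [ip]" convention.

```python
import re

# Constructed sample of Exim mainlog lines for this example (not taken from the post).
# IPs are from documentation ranges; message ids follow Exim's xxxxxx-yyyyyy-zz shape.
SAMPLE_MAINLOG = """\
2005-09-28 11:14:01 H=(projectile.ca) [192.0.2.10] F=<bob@example.net> rejected RCPT <nosuch@projectile.ca>: Unrouteable address
2005-09-28 11:14:05 H=mail.example.org (mail.example.org) [198.51.100.7] Warning: "SpamAssassin" score 1.2
2005-09-28 11:15:12 1EKaaa-000123-Ab <= alice@example.org H=mail.example.org (mail.example.org) [198.51.100.7] P=esmtp S=2048
2005-09-28 11:16:30 1EKbbb-000456-Cd H=(projectile.ca) [203.0.113.5] F=<x@example.com> rejected after DATA: This message contains a virus
2005-09-28 11:17:00 H=(mx.projectile.ca) [203.0.113.9] F=<spam@example.com> rejected RCPT <user@projectile.ca>: Sender verify failed
2005-09-28 11:18:00 1EKccc-000789-Ef <= carol@example.net H=smtp.example.net [192.0.2.44] P=esmtp S=512
"""

# Exim writes the connecting host as H=name (helo) [ip]; the name is absent when
# reverse DNS gave nothing, and the (helo) part is absent when it equals the name.
HOST_RE = re.compile(
    r"H=(?:(?P<host>[^\s(\[]+)\s*)?(?:\((?P<helo>[^)]*)\)\s*)?\[(?P<ip>[^\]]+)\]"
)
# A message id right after the timestamp means the message got past RCPT into DATA
# (the same xxxxxx-yyyyyy-zz shape the ".{6}-.{6}-.{2}" exigrep pattern looks for).
MSGID_RE = re.compile(r"^\S+ \S+ (?P<id>[0-9A-Za-z]{6}-[0-9A-Za-z]{6}-[0-9A-Za-z]{2}) ")


def helo_claims_domain(helo, domain):
    """True when the HELO name is the domain itself or a host under it."""
    helo = helo.lower().rstrip(".")
    return helo == domain or helo.endswith("." + domain)


def summarize(log_text, local_domain):
    """Count H= lines, those whose HELO claims local_domain, and how many of those
    reached DATA (carry a message id); also tally the claiming lines per source IP."""
    local_domain = local_domain.lower()
    counts = {"helo_lines": 0, "claiming_local": 0, "claiming_local_reached_data": 0}
    by_ip = {}
    for line in log_text.splitlines():
        m = HOST_RE.search(line)
        if not m:
            continue
        counts["helo_lines"] += 1
        helo = m.group("helo") or m.group("host") or ""
        if not helo_claims_domain(helo, local_domain):
            continue
        counts["claiming_local"] += 1
        by_ip[m.group("ip")] = by_ip.get(m.group("ip"), 0) + 1
        if MSGID_RE.match(line):
            counts["claiming_local_reached_data"] += 1
    counts["by_ip"] = by_ip
    return counts


if __name__ == "__main__":
    print(summarize(SAMPLE_MAINLOG, "projectile.ca"))
```

Lines that claim the local domain but never gain a message id were stopped in the RCPT ACL, which is the split the exigrep counts above draw.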