Jakob Hirsch wrote:
> Bill Hacker wrote:
*SNIP*
>
> Let me check if I understand right: You check if the sender domain matches
> the helo domain? So the following would be invalid in your eyes?
>
> EHLO example.net
> MAIL FROM:<someone@???>
>
> If this is what you mean, you are wrong.
That is what I mean, and it earns such a sender a 'demerit' of 1 point:
An outright deny/drop/discard on ONE such point would be 'wrong'.
See comments below:
# HELO_5: IF HELO verification fails THEN prep message.
# *CANNOT REJECT YET* Too many mis-matched IDs, some of our own included!
#
warn
  condition = ${if !def:acl_c1 {true}{false}}
  !verify = helo
  # The parenthesised name is the peer's reverse-DNS name (if it has one),
  # shown beside the HELO name it does not match.
  set acl_c1 = X-HELO-Warning: Remote host $sender_host_address \
    ${if def:sender_host_name {($sender_host_name) }}\
    is cross-dressed as $sender_helo_name !!!
  log_message = H5 $acl_c3 has mismatched ID's in HELO/EHLO greeting.
  set acl_c2 = $acl_c2 Mismatched HELO=1
  # acl_c5 is assumed to be initialised to 0 in the connect ACL; an empty
  # operand makes the eval expansion fail.
  set acl_c5 = ${eval:$acl_c5 + 1}
But this is only one of several tests for 'good practice'.
Here is another 'soft' fail that can add to the score and eventually
become a 'hard' fail:
# FROM_6: IF FAIL sender_verify THEN prep message AND add to header.
#
warn
  !verify = sender/defer_ok/callout=10s,defer_ok
  set acl_c2 = $acl_c2 Sender Verify = $sender_verify_failure $sender_address_data
  set acl_c5 = ${eval:$acl_c5 + 1}
  log_message = F6 $acl_c3 failed sender verify at $sender_verify_failure \
    for $sender_address $sender_address_data
And another (held-off until 'DATA' phase to avoid 'cost' of an external
lookup if already rejected...):
# DATA_6B: IF host rDNS lookup fails THEN warn AND flag for later, NOT delay.
#
warn
  log_message = C5 $sender_host_name $sender_host_address failed rDNS \
    lookup with score of $acl_c5 for $acl_c2
  !condition = ${if eq{$acl_m4}{0}}
  # A host list must be matched with "hosts", not "condition".
  !hosts = +relay_from_hosts
  !verify = reverse_host_lookup
  # Variable names are case-sensitive: $sender_host_address, not $Sender_...
  message = X-DNS-Broken-Warn: rDNS lookup failed for $sender_host_address
  set acl_c2 = $acl_c2 Missing rDNS PTR=1
  set acl_c5 = ${eval:$acl_c5 + 1}
Too many such 'points', regardless of the 'mix', on the same connection
can very accurately ID a zombie or spambot, can be tested against a
global, per-domain, or per-user threshold with near-zero false alarms,
and give a very much lightened load on resource-intensive SA.
We have been saving and checking the rejections since last October;
falsing is NOT a problem, and spam is minuscule.
SA catches the 'complex' ones, but such rules as above get the majority
before they ever reach it.
YMMV
>
>
>>>Well, I hope your mail system works better than your homepage...
>>
>>What homepage??
>
>
> http://www.conducive.org/
>
>
Ah! 'Cobbler's children going barefoot, as it were.... when I have time....
precisa.ch better represents our work...
Bill
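
[Editor's added example, not part of Bill's posted configuration or of Exim's own documentation: the same scoring pattern carried through every ACL phase, so the counter is initialised at connect time, one demerit is added per failed check, and the connection is rejected once the total reaches a threshold. It assumes Exim 4.64 or later (named acl_c_ variables, add_header, eval10); the names acl_c_score and acl_c_notes, the domainlist/hostlist contents and the /etc/exim/score_thresholds lookup file are assumptions for illustration.]

```exim
# Added example (not Bill's posted config): one demerit per failed check,
# accumulated across the connection, and a hard reject once the total
# crosses a threshold. Assumes Exim >= 4.64 (named acl_c_ variables,
# add_header, eval10); list contents and the lookup file are assumptions.

domainlist local_domains    = example.org : example.net
hostlist   relay_from_hosts = 127.0.0.1 : 192.168.0.0/16

acl_smtp_connect = acl_check_connect
acl_smtp_helo    = acl_check_helo
acl_smtp_mail    = acl_check_mail
acl_smtp_rcpt    = acl_check_rcpt
acl_smtp_data    = acl_check_data

begin acl

acl_check_connect:
  # Start every connection at zero so ${eval10:} below never sees an
  # empty operand (which would make the expansion fail). acl_c_notes is
  # left unset; an unset ACL variable expands to the empty string.
  accept set acl_c_score = 0

acl_check_helo:
  # Soft fail: a HELO name that does not verify against the peer address.
  warn   !hosts      = +relay_from_hosts
         !verify     = helo
         set acl_c_score = ${eval10:$acl_c_score + 1}
         set acl_c_notes = $acl_c_notes Mismatched-HELO=1
         log_message = H5 $sender_host_address greeted as $sender_helo_name
  accept

acl_check_mail:
  # Soft fail: a sender address that does not verify. Temporary callout
  # failures are not counted because of defer_ok.
  warn   !hosts      = +relay_from_hosts
         !verify     = sender/defer_ok/callout=10s,defer_ok
         set acl_c_score = ${eval10:$acl_c_score + 1}
         set acl_c_notes = $acl_c_notes SenderVerify=$sender_verify_failure
  accept

acl_check_rcpt:
  accept hosts       = +relay_from_hosts

  # Hard fail, per recipient domain: the lsearch file holds lines such as
  # "example.net: 2"; domains not listed fall back to the global value 3.
  deny   condition   = ${if >={$acl_c_score}\
                        {${lookup{$domain}lsearch{/etc/exim/score_thresholds}{$value}{3}}}}
         message     = Too many policy failures on this connection:$acl_c_notes
         log_message = R7 score $acl_c_score for $domain:$acl_c_notes

  accept domains     = +local_domains
         verify      = recipient
  deny   message     = relay not permitted

acl_check_data:
  # The rDNS test is left until DATA so its lookup is only paid for
  # messages that got this far.
  warn   !hosts      = +relay_from_hosts
         !verify     = reverse_host_lookup
         set acl_c_score = ${eval10:$acl_c_score + 1}
         set acl_c_notes = $acl_c_notes Missing-rDNS=1

  # Global threshold at DATA: there is no single $domain here because a
  # message may have several recipients.
  deny   condition   = ${if >={$acl_c_score}{3}}
         message     = Too many policy failures on this connection:$acl_c_notes
         log_message = D8 score $acl_c_score:$acl_c_notes

  # Anything below threshold is tagged so SpamAssassin or the user can
  # weigh the cheap checks that already failed.
  warn   condition   = ${if >{$acl_c_score}{0}}
         add_header  = X-Policy-Score: $acl_c_score$acl_c_notes
  accept
```

Two details carry the weight here: the counter is seeded in the connect ACL (an unset variable inside ${eval:} is an expansion failure, not a zero), and `eval10` is used so a stored value such as "010" is read as decimal rather than octal. Relay hosts are excluded from every soft check with `!hosts`, the same exclusion the rDNS block above needs.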