On 2006-03-09 at 09:30 +0500, Viktor Vislobokov wrote:
> Some spam hosts send MY IP address (xxx.xxx.xxx.xxx) in HELLO. See
> following line:
>
> 2006-03-07 16:00:57 H=(xxx.xxx.xxx.xxx) [61.109.9.90]
> F=<info@???> rejected RCPT <user@???>: Unknown user
>
> How can I check HELLO and reject these hosts?
Lots of ways. If you define an ACL for HELO though, you can tell Exim
to wait before replying, to slow down the remote side. This is not good
for really large sites, but for smaller sites it's reasonable and can
reduce the damage if the remote side is trying repeatedly, every time it
can connect, to abuse your system.
I'll provide a basic version, and then an alteration which is better if
your system is behind a NAT gateway.
The idea is to accept connections which really are from localhost, then
reject those we don't like, then accept by default. The first rejection
handles some names we don't want to see, the second handles your local
IP address.
You can set helo_not_remote here to anything you want. You can put in a
file lookup (see spec.txt and look for domainlist, to see how they're
defined). At a minimum, you want "localhost" in there, for all those
systems which insist on saying "HELO localhost".
----------------------------8< cut here >8------------------------------
# These may not be provided as a HELO parameter from a remote system:
domainlist helo_not_remote = example.org : example.net : localhost
acl_smtp_helo = acl_check_helo
# ...
begin acl
acl_check_helo:
accept hosts = @[] : @
endpass
deny condition = ${if match_domain{${lc:$smtp_command_argument}}\
{+helo_not_remote}{yes}{no}}
message = You are not me, please do not claim to be.
delay = 15s
deny condition = ${if eq{$smtp_command_argument}{$interface_address}\
{yes}{no}}
message = How can you possibly have my IP address?
delay = 30s
accept
----------------------------8< cut here >8------------------------------
This one only blocks the IP address which is the connected-to IP
address, which works well for most things but isn't great when there are
multiple IP addresses. It also falls down when you have a NAT gateway
which forwards incoming port-25 connections to your Exim server.
So here, I deal with the fact that my ISP provides normally static IP
addresses with a fixed hostname; but I'm on DSL so they may sometimes be
forced to renumber me and I don't want to change my mail config every
time they do. I have a local DNS cache, so it's cheap to lookup my
public IP address for every connection received.
In the main section, define a hostlist which has IP addresses; the @[]
is an Exim thing meaning "all the IP addresses which I'm listening on".
Exim by default accepts connections on any interface, so this is "all
the local interfaces" and includes 127.0.0.1:
----------------------------8< cut here >8------------------------------
# We're NAT'd, we may be presented with the IP address that's being
# NAT'd, so
# as well as blocking @[], we'll want to handle that one.
hostlist my_ip_addresses = @[] : ${lookup dnsdb{>: a=spodhuis.demon.nl}}
----------------------------8< cut here >8------------------------------
If my ISP provided IPv6 natively over DSL, I'd also put an AAAA lookup
in there; as it is, I use a tunnel for that, so the IP address is
available in @[] for me.
Then change the second deny in acl_check_helo from looking at
$interface_address to be this instead:
----------------------------8< cut here >8------------------------------
deny condition = ${if and{\
{isip{$smtp_command_argument}}\
{match_ip{$smtp_command_argument}{+my_ip_addresses}}\
} {yes}{no}}
message = How can you possibly have my IP address?
delay = 30s
----------------------------8< cut here >8------------------------------
This checks that the HELO parameter looks like an IP address and, if it
does, matches it against the IP hostlist my_ip_addresses.
Regards,
-Phil