Author: Jakob Hirsch
Date:
To: Jerry Stuckle
CC: exim-users
Subject: Re: [exim] HELO verification
Quoting Jerry Stuckle:
> However, more of the spam getting through has a HELO/EHLO name
> containing a random string of characters.
Most spam here has ehlo/helo
- numeric only (like 134965176 or -1270794688)
- unqualified (like "friend" or "localhost")
- IP address without []
condition = ${if isip {$sender_helo_name}}
and
condition = ${if match {$sender_helo_name} {\N^[^.:]+$\N}}
blocks these things here.
> So I'd like to check for basically anything which has one or more
> non-consecutive periods. Also, following the last period should
> be two to four (or is it 5? I don't remember offhand all the
> possibilities) characters.
But there are certainly more complete regexes on the web,
"bla-.example.com" is also not valid AFAIK.
I don't think it'll catch much spam, though.
> So the above two would work, but something like "asderg" or "14509284"
> would not. Neither would "sdfkeoi.llsowwg".
Do you have much of the "aaaa.bbbbbbbb"?
fo89vfu4.pco6jp4.adelphia.net (real example) is also gibberish, but it's
not obvious.
> On a similar topic - I'm considering rejecting mail from certain country
> TLD's which would never send mail. Not to mention any names, but I get
> a fair amount from .cn, .pl, .br and a few others. How could I reject
> mail based on a list of TLD's?
cn, pl and br never send mail? That's not true.
And are you absolutely really sure you and/or your clients will never
have business with them? Anyway, I think it's absolutely wrong to block
whole countries.
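
An added example, not part of the original message or of Exim's own code: a Python rendering of the two conditions above, run over the HELO strings quoted in this thread, to show which ones each check refuses and which gibberish names still pass. The function names and the letter-digit-hyphen label check are assumptions added here, and `is_bare_ip` only approximates Exim's `isip`.

```python
import ipaddress
import re

# Same pattern as the second Exim condition: no dot and no colon anywhere.
NO_DOT_OR_COLON = re.compile(r"^[^.:]+$")
# Assumption: letter-digit-hyphen label rule; not a check from the original mail.
LDH_LABEL = re.compile(r"[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?")


def is_bare_ip(name):
    """Approximate Exim's isip: the whole string is an IPv4 or IPv6 address."""
    try:
        ipaddress.ip_address(name)
        return True
    except ValueError:
        return False


def classify_helo(name):
    """Return the reason a HELO name would be refused, or 'accept'."""
    if is_bare_ip(name):
        return "bare-ip"            # IP address without []
    if NO_DOT_OR_COLON.match(name):
        return "unqualified"        # also covers numeric-only names
    if name.startswith("[") and name.endswith("]"):
        return "accept"             # address literal: neither condition fires
    labels = name.rstrip(".").split(".")
    if not all(LDH_LABEL.fullmatch(label) for label in labels):
        return "bad-label"          # e.g. a label ending in a hyphen
    return "accept"


# Constructed sample: HELO strings quoted in the thread, plus addresses from
# the documentation ranges (192.0.2.0/24, 2001:db8::/32).
SAMPLES = [
    "134965176", "-1270794688", "friend", "localhost",
    "192.0.2.10", "2001:db8::1", "[192.0.2.10]",
    "bla-.example.com", "sdfkeoi.llsowwg", "fo89vfu4.pco6jp4.adelphia.net",
]

if __name__ == "__main__":
    for helo in SAMPLES:
        print(f"{helo:32} {classify_helo(helo)}")
```

The last two samples come out as `accept`: a syntactic check cannot tell a random but well-formed name from a legitimate one.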