Re: [exim] Deny crappy HELO

Author: Dennis Davis
Date:  
To: exim-users
Subject: Re: [exim] Deny crappy HELO
On Fri, 9 Jun 2006, list1 wrote:

> From: list1 <list1@???>
> To: exim-users@???
> Date: Fri, 09 Jun 2006 15:50:06 +0000
> Subject: [exim] Deny crappy HELO
>
> I'd like to reject some spam based on HELO, but they are always
> changing and it's difficult to set up a regex match.
>
> Received: from [88.155.132.225] (helo=ELAD)
> Received: from [89.48.167.77] (helo=familie-f79sok3)
> Received: from [74.134.154.185] (helo=YOUR-XHTR8HVC4P)
> Received: from [88.233.131.233] (helo=MAHMUT-5PWGUGKA)
> Received: from [89.56.177.0] (helo=ina-vdadf88p3oh)
>
> In the above examples the only thing that is in common is that
> none of them have any "." in the HELO. Is there a way to find them
> with regex?


Something like:

  deny    message = Rejected because of unacceptable syntax in \
                    HELO/EHLO name:\n\
                    $sender_helo_name\n\
                    This is commonly associated with misconfigured \
                    mail software;\n\
                    see RFC2821 section 4.1.2 for legal domain syntax.
          log_message = invalid HELO syntax $sender_helo_name
          condition = ${if ! match {$sender_helo_name}{\N^[^.].*\.[^.]+$\N}}


should do it.

You might also like to reject a few others indicating a suspect host,
eg hosts thinking they're called "localhost.localdomain".
-- 
Dennis Davis, BUCS, University of Bath, Bath, BA2 7AY, UK
D.H.Davis@???               Phone: +44 1225 386101
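
The following is an added example, not part of the original message or of Exim: a Python harness that applies the regex from the ACL condition above to the HELO names quoted in the thread and to a few constructed edge cases. The function names, the SUSPECT_NAMES set and the edge-case inputs are assumptions made for illustration.

```python
import re

# Regex copied from the ACL condition in the reply; the ACL denies when it does NOT match.
HELO_SYNTAX = re.compile(r"^[^.].*\.[^.]+$")
# Extracts the helo= value from a Received: line in the format quoted in the thread.
RECEIVED_HELO = re.compile(r"\(helo=([^)]*)\)")
# Assumption: modelled as a second check; the reply names only this one example.
SUSPECT_NAMES = {"localhost.localdomain"}


def helo_from_received(line):
    """Return the HELO name recorded in a Received: line, or None."""
    m = RECEIVED_HELO.search(line)
    return m.group(1) if m else None


def verdict(helo):
    """Mirror the ACL logic: deny on failed syntax match, then on suspect names."""
    if not HELO_SYNTAX.search(helo):
        return "deny: invalid HELO syntax"
    if helo.lower() in SUSPECT_NAMES:
        return "deny: suspect name"
    return "accept"


# Received: lines quoted in the thread.
THREAD_LINES = [
    "Received: from [88.155.132.225] (helo=ELAD)",
    "Received: from [89.48.167.77] (helo=familie-f79sok3)",
    "Received: from [74.134.154.185] (helo=YOUR-XHTR8HVC4P)",
    "Received: from [88.233.131.233] (helo=MAHMUT-5PWGUGKA)",
    "Received: from [89.56.177.0] (helo=ina-vdadf88p3oh)",
]

# Constructed edge cases (not from the thread): a normal FQDN, a trailing dot,
# a leading dot, an address literal, the suspect name, and an empty HELO.
EDGE_CASES = ["mail.example.org", "mail.example.org.", ".example.org",
              "[192.0.2.25]", "localhost.localdomain", ""]

if __name__ == "__main__":
    names = [helo_from_received(line) for line in THREAD_LINES] + EDGE_CASES
    for name in names:
        print(f"{name!r:24} {verdict(name)}")
```

Note that an address literal such as [192.0.2.25] and the name localhost.localdomain both satisfy the syntax regex, so they pass the first rule and need their own checks if they are to be rejected.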