On Fri, 9 Jun 2006, list1 wrote:
> From: list1 <list1@???>
> To: exim-users@???
> Date: Fri, 09 Jun 2006 15:50:06 +0000
> Subject: [exim] Deny crappy HELO
>
> I'd like to reject some spam based on HELO, but they are always
> changing and it's difficult to set up a regex match.
>
> Received: from [88.155.132.225] (helo=ELAD)
> Received: from [89.48.167.77] (helo=familie-f79sok3)
> Received: from [74.134.154.185] (helo=YOUR-XHTR8HVC4P)
> Received: from [88.233.131.233] (helo=MAHMUT-5PWGUGKA)
> Received: from [89.56.177.0] (helo=ina-vdadf88p3oh)
>
> In the above examples the only thing that is in common is that
> none of them have any "." in the HELO. Is there a way to find them
> with regex?

Something like:

  deny message     = Rejected because of unacceptable syntax in \
                     HELO/EHLO name:\n\
                     $sender_helo_name\n\
                     This is commonly associated with misconfigured \
                     mail software;\n\
                     see RFC2821 section 4.1.2 for legal domain syntax.
       log_message = invalid HELO syntax $sender_helo_name
       condition   = ${if ! match {$sender_helo_name}{\N^[^.].*\.[^.]+$\N}}

should do it.

You might also like to reject a few others indicating a suspect host,
eg hosts thinking they're called "localhost.localdomain".

--
Dennis Davis, BUCS, University of Bath, Bath, BA2 7AY, UK
D.H.Davis@??? Phone: +44 1225 386101
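
The following is an added example, not part of the original thread: it runs the regex from the ACL condition above over the Received: lines quoted in the question, plus a few constructed edge cases, to show what the rule denies and what it lets through. The names helo_verdict, classify_received and SUSPECT_NAMES are hypothetical, and Python's re module is assumed to treat this pattern the same way Exim's PCRE does.

```python
import re

# Pattern copied from the ACL condition in the reply (the text between \N ... \N).
HELO_SYNTAX_OK = re.compile(r"^[^.].*\.[^.]+$")
# Parses the Received: line shape quoted in the question.
RECEIVED_HELO = re.compile(r"^Received: from \[([^\]]+)\] \(helo=([^)]+)\)")
# Names that pass the syntax check but indicate a suspect host.
# Only this one entry is named in the reply; extend it locally (assumption).
SUSPECT_NAMES = {"localhost.localdomain"}

def helo_verdict(helo):
    """Return 'deny-syntax', 'deny-suspect' or 'accept' for one HELO name."""
    if not HELO_SYNTAX_OK.search(helo):
        return "deny-syntax"      # no dot, leading dot, or trailing dot
    if helo.lower() in SUSPECT_NAMES:
        return "deny-suspect"     # well-formed, but a known bogus name
    return "accept"

def classify_received(lines):
    """Extract (ip, helo, verdict) from each Received: line that carries helo=."""
    rows = []
    for line in lines:
        m = RECEIVED_HELO.match(line.strip())
        if m:
            rows.append((m.group(1), m.group(2), helo_verdict(m.group(2))))
    return rows

SAMPLE = [
    # The five lines quoted in the question.
    "Received: from [88.155.132.225] (helo=ELAD)",
    "Received: from [89.48.167.77] (helo=familie-f79sok3)",
    "Received: from [74.134.154.185] (helo=YOUR-XHTR8HVC4P)",
    "Received: from [88.233.131.233] (helo=MAHMUT-5PWGUGKA)",
    "Received: from [89.56.177.0] (helo=ina-vdadf88p3oh)",
    # Constructed edge cases (documentation addresses and names).
    "Received: from [192.0.2.10] (helo=mail.example.org)",
    "Received: from [192.0.2.11] (helo=localhost.localdomain)",
    "Received: from [192.0.2.12] (helo=mail.example.org.)",
    "Received: from [192.0.2.13] (helo=[192.0.2.13])",
]

if __name__ == "__main__":
    for ip, helo, verdict in classify_received(SAMPLE):
        print(f"{verdict:13} {ip:16} {helo}")
```

Two results are worth checking against local policy before deploying the rule: a name with a trailing dot is denied, and an address literal such as [192.0.2.13] is accepted because it contains dots.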