[exim] Spam with IP like HELO

Author: Renaud Allard
Date:  
To: exim users
Subject: [exim] Spam with IP like HELO
Hi,

I am receiving a bunch of stock spams (mostly in German). Their common
property seems to be a HELO like [ip.add.re.ss].
I am thinking about an ACL like this one:
        warn
        condition       = ${if match{$sender_helo_name}{\N(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\N}{yes}{no}}
        set acl_c1      = IP in HELO
        set acl_c0      = Please set up a meaningful name in your HELO (i.e. not containing an IP).



(with acl_c1 and acl_c0 set, the mail is rejected after rcpt in my config)

What do you think? An IP between [] delimiters is "legal" in RFC 2821,
however I don't think many legit servers are using this kind of
configuration.


--
010100100110010101101110011000010111010101100100
010000010110110001101100011000010111001001100100
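
An added example, not part of the original post: a Python check that runs the posted pattern over HELO names to show which ones the unanchored `match` would flag, split into bracketed address literals, bare IPs and hostnames that merely contain a dotted quad. The function names, the two anchored patterns and the sample HELO values are constructed for this example.

```python
import re

# Octet pattern copied from the ACL in the post; the dotted quad is four of them.
OCTET = r"(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)"
POSTED = re.compile(r"\.".join([OCTET] * 4))

# Anchored variants (assumptions of this example, not from the post).
BRACKETED = re.compile(r"^\[" + POSTED.pattern + r"\]$")
BARE = re.compile(r"^" + POSTED.pattern + r"$")


def acl_would_match(helo):
    """Mirror the posted match{}: an unanchored search anywhere in the name."""
    return POSTED.search(helo) is not None


def classify(helo):
    """Say which kind of HELO argument triggered (or did not trigger) the match."""
    if BRACKETED.match(helo):
        return "address-literal"   # [192.0.2.25], the form seen in the spam
    if BARE.match(helo):
        return "bare-ip"           # 192.0.2.25 with no brackets
    if POSTED.search(helo):
        return "embedded-ip"       # a hostname that contains a dotted quad
    return "no-ip"


# Constructed sample HELO names (documentation address ranges only).
SAMPLES = [
    "[192.0.2.25]",
    "192.0.2.25",
    "192.0.2.25.dsl.example.net",
    "mx-192-0-2-25.example.net",
    "[IPv6:2001:db8::1]",
    "mail.example.org",
]


def report(samples=SAMPLES):
    """Return (helo, kind, flagged) for each sample."""
    return [(h, classify(h), acl_would_match(h)) for h in samples]


if __name__ == "__main__":
    for helo, kind, flagged in report():
        print(f"{helo:32} {kind:16} {'flagged' if flagged else 'passes'}")
```

Feeding it the HELO names from existing mail logs before enabling the ACL shows how many current senders fall into each class.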