Re: [exim] Spam with IP like HELO

Top Page
Delete this message
Reply to this message
Author: Kjetil Torgrim Homme
Date:  
To: Renaud Allard
CC: exim users
Subject: Re: [exim] Spam with IP like HELO
On Thu, 2007-05-03 at 00:46 +0200, Renaud Allard wrote:
> I am receiving a bunch of stock spams (mostly in german). Their common
> property seems to be a helo like [ip.add.re.ss].
> I am thinking about an ACL like this one:
>         warn
>         condition       = ${if
> match{$sender_helo_name}{\N(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[0
> 1]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\N}{yes}{no}}
>         set acl_c1      = IP in HELO
>         set acl_c0      = Please set up a meaningful name in your HELO
> (i.e. not containing an IP).

>
>
> (with acl_c1 and acl_c0 set, the mail is rejected after rcpt in my config)
>
> What do you think? An IP between [] delimiters is "legal" in rfc2821,
> however I don't think many legit servers are using this kind of
> configuration.


I think it's a bit funny to accept "HELO foo.com" but reject a valid IP
literal. however, if there is a mismatch between the HELO literal and
$sender_host_address, junking it is quite legitimate, IMO.

--
Kjetil T.