Re: [exim] Spam with IP like HELO

Author: Ted Cooper
Date:  
To: exim users
Subject: Re: [exim] Spam with IP like HELO
Renaud Allard wrote:
> Hi,
>
> I am receiving a bunch of stock spams (mostly in german). Their common
> property seems to be a helo like [ip.add.re.ss].
> I am thinking about an ACL like this one:
>         warn
>         condition       = ${if match{$sender_helo_name}{\N(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\N}{yes}{no}}
>         set acl_c1      = IP in HELO
>         set acl_c0      = Please set up a meaningful name in your HELO (i.e. not containing an IP).
>
> (with acl_c1 and acl_c0 set, the mail is rejected after rcpt in my config)
>
> What do you think? An IP between [] delimiters is "legal" in rfc2821,
> however I don't think many legit servers are using this kind of
> configuration.


Exim has a function to figure out if something is an IP address without
all the regex.

  # Deny RAW IP addresses - they MUST be quoted to comply with standards
  deny    message       = ERRMSG_RAWIP1
          condition     = ${lookup{$sender_host_address}iplsearch{/etc/exim/bwlists/helo_rawip_ok}{no}{yes}}
          condition     = ${if isip{$sender_helo_name}{true}{false}}


I don't junk [qu.o.t.ed] IP addresses though as there is the possibility
they are legit :/ Looking at the logs though 100% are spams, and so far
they've all been rejected for other reasons.

I'm also dropping HELOs that aren't authenticated/local that give me a
single word as helo, i.e. no dot. And a few other million things.
condition     = ${if match{$sender_helo_name}{\\.}{no}{yes}}


Ted.


--
What's the point of having a manual if no one reads it?
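An added example, not code from either poster, that implements the three checks discussed in this thread (raw IP in HELO, bracketed RFC 2821 address literal, single-label HELO with no dot) as plain Python and runs them over Exim-style log lines; unlike the IPv4-only regex above it also recognises IPv6 literals. The allow-list contents, the log lines and the verdict names are all constructed for the example.

```python
import ipaddress
import re

# Constructed allow-list of hosts permitted to HELO with a raw IP; it stands in
# for the iplsearch file /etc/exim/bwlists/helo_rawip_ok used in the post.
HELO_RAWIP_OK = ["192.0.2.0/24", "198.51.100.7"]
# RFC 2821 address literal: [1.2.3.4] or [IPv6:2001:db8::1].
ADDRESS_LITERAL = re.compile(r"\[(?:IPv6:)?([^\]]+)\]", re.IGNORECASE)
# Exim log field "H=(helo) [ip]", or "H=name (helo) [ip]" when rDNS exists.
LOG_HOST = re.compile(r"H=(?:\S+ )?\(([^)]*)\) \[([^\]]+)\]")

def is_ip(text):
    """True if text is a bare IPv4 or IPv6 address (what Exim's isip{} tests)."""
    try:
        ipaddress.ip_address(text)
        return True
    except ValueError:
        return False

def sender_allowlisted(sender_host):
    host = ipaddress.ip_address(sender_host)
    return any(host in ipaddress.ip_network(n, strict=False) for n in HELO_RAWIP_OK)

def classify_helo(helo, sender_host, authenticated=False):
    """Verdict for one HELO argument, applying the thread's checks in order."""
    if is_ip(helo):  # bare IP: RFC 2821 requires brackets, so deny unless allowed
        return "allow" if sender_allowlisted(sender_host) else "deny-raw-ip"
    m = ADDRESS_LITERAL.fullmatch(helo)
    if m and is_ip(m.group(1)):  # legal literal, rarely legitimate: warn only
        return "warn-ip-literal"
    if not authenticated and "." not in helo:  # single label such as "localhost"
        return "deny-no-dot"
    return "accept"

def classify_log_lines(lines):
    """Return [(helo, ip, verdict)] for every log line carrying an H= field."""
    results = []
    for line in lines:
        m = LOG_HOST.search(line)
        if m:
            helo, ip = m.groups()
            results.append((helo, ip, classify_helo(helo, ip)))
    return results

# Constructed sample log lines, not taken from anyone's server.
SAMPLE_LOG = [
    "H=(203.0.113.5) [203.0.113.5] F=<a@example.net> rejected RCPT",
    "H=([203.0.113.5]) [203.0.113.5] F=<b@example.net> rejected RCPT",
    "H=(192.0.2.10) [192.0.2.10] F=<c@example.net> accepted",
    "H=(localhost) [198.51.100.200] F=<d@example.net> rejected RCPT",
]
```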