Renaud Allard wrote:
> I am receiving a bunch of stock spams (mostly in german). Their common
> property seems to be a helo like [ip.add.re.ss].
> I am thinking about an ACL like this one:
> warn
> condition = ${if
> match{$sender_helo_name}{\N(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[0
> 1]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\N}{yes}{no}}
> set acl_c1 = IP in HELO
> set acl_c0 = Please set up a meaningful name in your HELO
> (i.e. not containing an IP).
>
>
> (with acl_c1 and acl_c0 set, the mail is rejected after rcpt in my config)
>
> What do you think? An IP between [] delimiters is "legal" in rfc2821,
> however I don't think many legit servers are using this kind of
> configuration.
We tried this at the begging of April (because we noticed a lot of
zombies using this practice) and quickly found out that there a quite a
few hosts that HELO/EHLO like this:
"mail.example.com [169.2.0.1]"
So at a minimum you'll want to put your regex between an ^ and a $
Here's what we used, but we found that it caused way to many false
positives for us to keep it as an absolute drop/reject. Though that
could very well just be bad luck from who our customers communicate with.
# Deny HELO/EHLO in Ip literal format eg '[10.1.1.1]'
drop log_message = Rejected, HELO/EHLO is IP literal
message = Connection denied please HELO/EHLO with a FQDN
condition = ${if match{$sender_helo_name}\
{\N^\[[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\]$\N}\
{true}{false}}
