Re: [exim] Spam with IP like HELO

Author: Bryan Rawlins
Date:  
To: exim-users
Subject: Re: [exim] Spam with IP like HELO
Kjetil Torgrim Homme wrote:
> On Thu, 2007-05-03 at 00:46 +0200, Renaud Allard wrote:
>> I am receiving a bunch of stock spams (mostly in german). Their common
>> property seems to be a helo like [ip.add.re.ss].
>> I am thinking about an ACL like this one:
>>         warn
>>         condition       = ${if match{$sender_helo_name}{\N(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\N}{yes}{no}}
>>         set acl_c1      = IP in HELO
>>         set acl_c0      = Please set up a meaningful name in your HELO (i.e. not containing an IP).
>>
>> (with acl_c1 and acl_c0 set, the mail is rejected after rcpt in my config)
>>
>> What do you think? An IP between [] delimiters is "legal" in rfc2821,
>> however I don't think many legit servers are using this kind of
>> configuration.
>
> I think it's a bit funny to accept "HELO foo.com" but reject a valid IP
> literal. however, if there is a mismatch between the HELO literal and
> $sender_host_address, junking it is quite legitimate, IMO.

The irony there is, at least in our specific cases, the spammers mostly
got the IP/HELO right, while the legitimate mail would have the
mismatching information!

Unfortunately there are still a staggering number of poorly configured
mail servers out there.
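As an added example (not from this thread, and not Exim's own documentation), here is how the two cases discussed above could be separated in an Exim HELO ACL: a bare dotted quad, which is not a valid HELO argument at all, versus a bracketed address literal, which is only flagged when it does not match the connecting address. The ACL name, the `acl_c0`/`acl_c1` convention and the RCPT-time rejection on a non-empty `acl_c0` are assumptions carried over from Renaud's description.

```exim
# Added example, not from the original post or from Exim's documentation.
# Assumes "acl_smtp_helo = acl_check_helo" in the main section, and that the
# RCPT ACL denies when acl_c0 is non-empty, as Renaud describes.
acl_check_helo:

  # Case 1: a bare dotted quad with no brackets, e.g. "HELO 192.0.2.10".
  # Not a valid HELO argument; record a reason for the RCPT-time reject.
  # Anchored regex, so "1.2.3.4.dsl.example.net" style host names pass here.
  warn    condition = ${if match{$sender_helo_name}{\N^\d{1,3}(\.\d{1,3}){3}$\N}}
          set acl_c1 = bare IP in HELO
          set acl_c0 = Please use a host name or a bracketed address literal in HELO

  # Case 2: a bracketed address literal, e.g. "HELO [192.0.2.10]".  It is
  # legitimate when it names the connecting address, so only a mismatch is
  # recorded.  Both conditions must hold for the set modifiers to run.
  warn    condition = ${if match{$sender_helo_name}{\N^\[\d{1,3}(\.\d{1,3}){3}\]$\N}}
          condition = ${if !eq{$sender_helo_name}{[$sender_host_address]}}
          set acl_c1 = IP literal in HELO mismatches connecting address
          set acl_c0 = HELO literal $sender_helo_name does not match $sender_host_address

  # Everything else (a host name, or a literal that matches) continues.
  accept
```

Because both statements use `warn`, nothing is rejected at HELO time; the decision is deferred to RCPT, where Bryan's point about legitimate but misconfigured senders can be handled by exempting known hosts before the `acl_c0` check. Exim's built-in `verify = helo` condition covers a similar comparison for address literals and additionally requires a host name to resolve to the connecting address, so it is a heavier check than the second statement here.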