Re: [exim] Spam with IP like HELO

Pàgina inicial
Delete this message
Reply to this message
Autor: Kjetil Torgrim Homme
Data:  
A: Ted Cooper
CC: exim users
Assumpte: Re: [exim] Spam with IP like HELO
On Thu, 2007-05-03 at 10:29 +1000, Ted Cooper wrote:
> Exim has a function to figure out if something is an IP address without
> all the regex
>
>   # Deny RAW IP addresses - they MUST be quoted to comply with standards
>   deny    message       = ERRMSG_RAWIP1
>           condition     =
> ${lookup{$sender_host_address}iplsearch{/etc/exim/bwlists/helo_rawip_ok}{no}{yes}}
>           condition     = ${if isip{$sender_helo_name}{true}{false}}


that won't work:

$ exim -be '${if isip{10.0.0.1}}'
true
$ exim -be '${if isip{[10.0.0.1]}}'
<nothing>

so you need to get rid of the brackets, first. here's a snippet from my
config (written before the {true}{false} bit of ${if became optional):

  accept  condition  = ${if and {{match {$sender_helo_name}\
                                        {\N^\[(.+)\]$\N}}\
                                 {isip4 {$1}}}\
                            {true}{false}}


  accept  condition  = ${if and {{match {$sender_helo_name}\
                                        {\N^(?i)\[IPv6:(.+)\]$\N}}\
                                 {isip6 {$1}}}\
                            {true}{false}}


(note the need to use isip4 and isip6 separately to do this accurately)

too achieve the effect I suggested, duplicate the stanzas like so:

  accept  condition  = ${if and {{match {$sender_helo_name}\
                                        {\N^\[(.+)\]$\N}}\
                                 {isip4 {$1}}}\
                                 {eq {$1}{$sender_host_address}}}


  deny    condition  = ${if and {{match {$sender_helo_name}\
                                        {\N^\[(.+)\]$\N}}\
                                 {isip4 {$1}}}}


for the pedantic: this may fail for IPv6 since the HELO address
provided by the client may not be canonicalised, and as far as I can
tell, Exim doesn't have a function to test two IP addresses for
equality. actually, the same is true for IPv4, but it is less common to
use something like 127.000.000.001. note also that a leading zero
traditionally signifies octal, but that is specifically not the case
here!

> I don't junk [qu.o.t.ed] IP addresses though as there is the possibility
> they are legit :/ Looking at the logs though 100% are spams, and so far
> they've all been rejected for other reasons.


I had a look at our logs, there were a few unauthenticated occurences of
this. some looked like misconfigured MUA (Thunderbird?) which uses our
server as a smarthost -- those users will only be able to send e-mail to
our users (their colleagues), but some people never notice that. I
don't think rejecting with a weird HELO error would help them to realise
what the problem is :-)

I also found one server which used HELO for its NATed address
(produktregisteret.no if anyone wonders).

overall the number of messages triggering rules related to this is
miniscule. I counted 89 messages out of 526886 reaching DATA, and only
one of them was a spam with SpamAssassin score < 4.

> I'm also dropping HELO's that arn't authenticated/local that give me a
> single word as helo, ie no dot. And a few other million things.
> condition     = ${if match{$sender_helo_name}{\\.}{no}{yes}}


yes, this is very effective.
--
Kjetil T.