Re: [exim] Spam with IP like HELO

Author: Ted Cooper
Date:  
To: exim-users
Subject: Re: [exim] Spam with IP like HELO
Kjetil Torgrim Homme wrote:
> On Thu, 2007-05-03 at 10:29 +1000, Ted Cooper wrote:
>> Exim has a function to figure out if something is an IP address without
>> all the regex
>>
>>   # Deny RAW IP addresses - they MUST be quoted to comply with standards
>>   deny    message       = ERRMSG_RAWIP1
>>           condition     =
>> ${lookup{$sender_host_address}iplsearch{/etc/exim/bwlists/helo_rawip_ok}{no}{yes}}
>>           condition     = ${if isip{$sender_helo_name}{true}{false}}
>
> that won't work:
>
> $ exim -be '${if isip{10.0.0.1}}'
> true
> $ exim -be '${if isip{[10.0.0.1]}}'
> <nothing>


Wasn't quite the point of the ACL. As I pointed out later on, I allow
[10.0.0.1] as a HELO. It's in the RFC as being perfectly valid :)

The ACLs you provided below look pretty good if ever I decide that even
a quoted IP address should be played with.

> so you need to get rid of the brackets, first. here's a snippet from my
> config (written before the {true}{false} bit of ${if became optional):
>
>   accept  condition  = ${if and {{match {$sender_helo_name}\
>                                         {\N^\[(.+)\]$\N}}\
>                                  {isip4 {$1}}}\
>                             {true}{false}}
>
>   accept  condition  = ${if and {{match {$sender_helo_name}\
>                                         {\N^(?i)\[IPv6:(.+)\]$\N}}\
>                                  {isip6 {$1}}}\
>                             {true}{false}}
>
> (note the need to use isip4 and isip6 separately to do this accurately)
>
> to achieve the effect I suggested, duplicate the stanzas like so:
>
>   accept  condition  = ${if and {{match {$sender_helo_name}\
>                                         {\N^\[(.+)\]$\N}}\
>                                  {isip4 {$1}}}\
>                                  {eq {$1}{$sender_host_address}}}
>
>   deny    condition  = ${if and {{match {$sender_helo_name}\
>                                         {\N^\[(.+)\]$\N}}\
>                                  {isip4 {$1}}}}
>
> for the pedantic: this may fail for IPv6 since the HELO address
> provided by the client may not be canonicalised, and as far as I can
> tell, Exim doesn't have a function to test two IP addresses for
> equality. actually, the same is true for IPv4, but it is less common to
> use something like 127.000.000.001. note also that a leading zero
> traditionally signifies octal, but that is specifically not the case
> here!
>
>> I don't junk [qu.o.t.ed] IP addresses though as there is the possibility
>> they are legit :/ Looking at the logs though 100% are spams, and so far
>> they've all been rejected for other reasons.
>
> I had a look at our logs, there were a few unauthenticated occurrences of
> this. some looked like misconfigured MUA (Thunderbird?) which uses our
> server as a smarthost -- those users will only be able to send e-mail to
> our users (their colleagues), but some people never notice that. I
> don't think rejecting with a weird HELO error would help them to realise
> what the problem is :-)
>
> I also found one server which used HELO for its NATed address
> (produktregisteret.no if anyone wonders).
>
> overall the number of messages triggering rules related to this is
> minuscule. I counted 89 messages out of 526886 reaching DATA, and only
> one of them was a spam with SpamAssassin score < 4.
>
>> I'm also dropping HELOs that aren't authenticated/local that give me a
>> single word as helo, ie no dot. And a few other million things.
>> condition     = ${if match{$sender_helo_name}{\\.}{no}{yes}}
>
> yes, this is very effective.


With 526886 messages reaching SA, I'd say your setup is just a little
bigger than my little collection of servers ;) I think I see about 1000
messages a day over 8 servers :P It means I can be quite evil about
what I accept and reject.

--
What's the point of having a manual if no one reads it?
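An added illustration, not code from either poster: the accept/deny logic of the quoted bracketed-literal stanzas written out in Python, with the canonicalisation step the thread notes Exim lacks (so `[127.000.000.001]` and an uncompressed IPv6 literal compare equal to the connecting address). The regexes mirror the ones in the quoted config; the three verdict strings and the helper names are my own.

```python
import ipaddress
import re

# Same patterns as the quoted Exim stanzas: a plain bracketed literal and an
# RFC-style "[IPv6:...]" literal (tag matched case-insensitively).
IPV4_LITERAL = re.compile(r"^\[(.+)\]$")
IPV6_LITERAL = re.compile(r"^\[IPv6:(.+)\]$", re.IGNORECASE)


def parse_ipv4(text):
    """Canonical dotted-quad for text, or None if it is not an IPv4 address.
    Leading zeros are treated as decimal (not octal), as the thread points out,
    so 127.000.000.001 canonicalises to 127.0.0.1."""
    parts = text.split(".")
    if len(parts) != 4 or not all(p.isdigit() and 1 <= len(p) <= 3 for p in parts):
        return None
    octets = [int(p) for p in parts]
    if any(o > 255 for o in octets):
        return None
    return ".".join(str(o) for o in octets)


def parse_ipv6(text):
    """Compressed canonical form of an IPv6 address, or None if invalid."""
    try:
        return str(ipaddress.IPv6Address(text))
    except ValueError:
        return None


def helo_literal_verdict(helo_name, sender_host_address):
    """Classify a HELO name the way the quoted accept/deny pair does:
    'accept' when the bracketed literal equals the connecting address,
    'deny' when it is a literal that does not match, and 'ignore' when the
    HELO is not an address literal at all (other ACL rules decide then)."""
    m = IPV6_LITERAL.match(helo_name)
    if m:
        claimed = parse_ipv6(m.group(1))
        actual = parse_ipv6(sender_host_address)
    else:
        m = IPV4_LITERAL.match(helo_name)
        if not m:
            return "ignore"  # e.g. a hostname, or an unbracketed raw IP
        claimed = parse_ipv4(m.group(1))
        actual = parse_ipv4(sender_host_address)
    if claimed is None:
        return "ignore"  # bracketed, but not an address: "[foo]" stays with other rules
    return "accept" if claimed == actual else "deny"
```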