> From: Sebastian Arcus
> drop message = Invalid HELO/EHLO
> condition = ${if eq{$received_port}{25}}
> condition = ${if match{$sender_helo_name}{.+\\\..+\\\..+} \
> {no}{yes}}
Some legitimate senders have a hostname and HELO with only one dot,
like example.com
I block EHLO ylmf-pc (a signature of the Cutwail/Pushdo bot) on first sight:
# Macros used by the ACLs below.
WARNTO = abuse@???
# change this to your email address
SHELL = /bin/sh
# Body of the notification mail. The PTR name is filtered down to [\w.,-]
# by the sg{} before it is used, but $sender_host_address and $dnslist_text
# are inserted as-is; all of this ends up inside the shell command built
# in acl_check_helo below. NOTE(review): $dnslist_text carries whatever the
# DNS list's TXT record says - consider giving it the same sg{} filtering
# as the PTR name before it reaches the shell.
IPNOTIF = echo Subject: blocked $sender_host_address $dnslist_text \
${sg{${lookup dnsdb{>, defer_never,ptr=$sender_host_address}}}{\N[^\w.,-]\N}{}}; \
echo; echo for bruteforce auth cracking attempt.;
begin acl
# HELO/EHLO-time ACL: drops the ylmf-pc HELO, records the client IP in
# $spool_directory/blocked_IPs and mails WARNTO; everything else is accepted.
acl_check_helo:
drop message = Cutwail/PushDo bot blacklisted
# eq is a case-sensitive comparison (eqi would be the case-insensitive form).
condition = ${if eq{$sender_helo_name}{ylmf-pc}}
# Calls the setdnslisttext ACL so that $dnslist_text is populated for IPNOTIF.
acl = setdnslisttext
# continue = is used only for its side effect: the ${run} appends the
# client IP to blocked_IPs and pipes IPNOTIF into exim to send the
# notification; the expansion result itself is discarded.
# Nothing in this snippet ever removes an address from blocked_IPs again,
# so the file only grows.
continue = ${run{SHELL -c "echo $sender_host_address \
>>$spool_directory/blocked_IPs; \
\N{\N IPNOTIF \N}\N | $exim_path -f root WARNTO"}}
# if this bot is dropped at helo, it repeats multiple times,
# but if dropped at connect, it tries only twice
accept
# Helper ACL: the dnslists condition sets $dnslist_text when the client
# is listed; with the unconditional accept after it, this ACL always
# accepts (unless the DNS lookup defers), so it never blocks by itself.
setdnslisttext:
accept dnslists = zz.countries.nerd.dk
accept
# Connect-time ACL: drops any client whose IP is already in blocked_IPs.
acl_check_connect:
drop message = $sender_host_address locally blacklisted for a bruteforce \
auth (username+password) cracking attempt
# Skip the lookup while no addresses have been recorded yet.
condition = ${if exists{$spool_directory/blocked_IPs}}
# The /var/.. prefix relies on $spool_directory being an absolute path.
condition = ${lookup{$sender_host_address}iplsearch\
{/var/..$spool_directory/blocked_IPs}{1}{0}}
# Another path to the same file in order to circumvent lookup caching.
accept