Re: [exim] Spam with IP like HELO

[Renaud Allard]

Kjetil Torgrim Homme wrote:
> On Thu, 2007-05-03 at 00:46 +0200, Renaud Allard wrote:
>> I am receiving a bunch of stock spams (mostly in german). Their common
>> property seems to be a helo like [ip.add.re.ss].
>> I am thinking about an ACL like this one:
>>         warn
>>         condition       = ${if
>> match{$sender_helo_name}{\N(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[0
>> 1]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\N}{yes}{no}}
>>         set acl_c1      = IP in HELO
>>         set acl_c0      = Please set up a meaningful name in your HELO
>> (i.e. not containing an IP).
>>
>>
>> (with acl_c1 and acl_c0 set, the mail is rejected after rcpt in my config)
>>
>> What do you think? An IP between [] delimiters is "legal" in rfc2821,
>> however I don't think many legit servers are using this kind of
>> configuration.
> 
> I think it's a bit funny to accept "HELO foo.com" but reject a valid IP
> literal.  however, if there is a mismatch between the HELO literal and
> $sender_host_address, junking it is quite legitimate, IMO.
> 

As mentioned the spammers will have the right literal HELO because its
their interest. I think this is just like IP literals for receiving
mails, it is mainly used for abuse.
How many people still support [EMAIL PROTECTED] nowadays?
One has to wonder.

smime.p7s
Description: S/MIME Cryptographic Signature

-- 
## List details at http://www.exim.org/mailman/listinfo/exim-users 
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://www.exim.org/eximwiki/