On Wednesday 28 September 2005 11:14, Tony Finch wrote:


There are plenty of other things that turn up in HELO hostnames which
*are* an accurate indicator of evil behaviour.

Adam Funk wrote:

I have to ask: what do the malefactors expect to accomplish by sending helo strings that violate such tests (which I think are well-known)?

Adding these HELO checks to my ACLs has been on my to-do list for a while. This thread got me interested in them again, so I did a quick search of my mainlog to find how many messages I was getting from hosts saying HELO as projectile.ca.

# exigrep "H=.*" mainlog* | grep -v "^$" | wc -l
9408
# exigrep "H=[^=]*\([^)]*projectile\.ca\)" mainlog* | grep -v "^$" | wc -l
29
# exigrep ".{6}-.{6}-.{2} H=[^=]*\([^)]*projectile\.ca\)" mainlog* | grep -v "^$" | wc -l
2

So out of 9408 HELO entries in my logs, 29 were bogus projectile.ca hosts, and of those, only 2 made it as far as the DATA ACL to get a message ID assigned. The other 27 were mostly rejected by recipient or sender verification (without callouts) in the RCPT ACL. The 2 that made it to the DATA ACL were both promptly rejected by ClamAV; none were actually scanned by SpamAssassin, or delivered.

So I guess I don't need to rush to add HELO checks to my ACLs, after all.

- Marc

--
## List details at http://www.exim.org/mailman/listinfo/exim-users ## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://www.exim.org/eximwiki/
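The same tally as Marc's exigrep pipeline, as an added example in Python (not code from the post or from Exim) run over constructed mainlog lines: it counts lines carrying an H= field, those whose HELO name claims the local domain, and how many distinct message IDs such connections reached. It assumes Exim's default log line layout and makes the HELO match stricter than the post's regex (the domain itself or a name under it).

```python
import re

# Constructed sample Exim mainlog lines for this example (not taken from the post).
# Exim logs the peer as "H=host (helo) [ip]", or "H=(helo) [ip]" when reverse DNS
# gives no name. A line that starts with a message ID (six-six-two base-62 groups)
# belongs to a message Exim had accepted at least as far as the DATA ACL.
SAMPLE_MAINLOG = """\
2005-09-28 11:14:02 H=(projectile.ca) [192.0.2.10] F=<bob@example.net> rejected RCPT <nobody@projectile.ca>: Unknown user
2005-09-28 11:14:05 H=mx.example.org (mx.example.org) [192.0.2.20] F=<alice@example.org> rejected RCPT <ghost@projectile.ca>: Unknown user
2005-09-28 11:14:09 1EKnfU-0001Wv-3Q H=(projectile.ca) [192.0.2.11] F=<eve@example.com> rejected after DATA: malware found
2005-09-28 11:14:12 1EKnfX-0001Wz-Aa <= alice@example.org H=mx.example.org (mx.example.org) [192.0.2.20] P=esmtp S=2048
2005-09-28 11:14:15 H=(mail.projectile.ca) [192.0.2.12] F=<spam@example.net> rejected RCPT <me@projectile.ca>: Sender verify failed
2005-09-28 11:14:20 1EKnfY-0001X0-Bb => marc <me@projectile.ca> R=localuser T=local_delivery
"""

# Default Exim log line: "YYYY-MM-DD HH:MM:SS [message-id] ..." (no log_timezone/pid).
MSGID_RE = re.compile(r"^\d{4}-\d\d-\d\d \d\d:\d\d:\d\d ([0-9A-Za-z]{6}-[0-9A-Za-z]{6}-[0-9A-Za-z]{2}) ")
# Optional verified hostname, then the HELO name Exim records in parentheses.
HELO_RE = re.compile(r"\bH=(?:(?P<host>[^\s(]+) )?\((?P<helo>[^)]*)\)")

def claims_our_domain(helo, our_domain):
    """True if the HELO name is our_domain itself or a name under it
    (stricter than the post's regex, which also matches e.g. notprojectile.ca)."""
    helo = helo.lower().rstrip(".")
    our_domain = our_domain.lower()
    return helo == our_domain or helo.endswith("." + our_domain)

def bogus_helo_stats(log_text, our_domain):
    """Count log lines carrying an H= field, those whose HELO claims our_domain,
    and how many distinct message IDs those bogus HELOs reached."""
    stats = {"helo_lines": 0, "bogus_lines": 0, "bogus_helos": {}}
    reached_data = set()
    for line in log_text.splitlines():
        m = HELO_RE.search(line)
        if not m:
            continue                      # no remote host on this line
        stats["helo_lines"] += 1
        helo = m.group("helo")
        if not claims_our_domain(helo, our_domain):
            continue
        stats["bogus_lines"] += 1
        stats["bogus_helos"][helo] = stats["bogus_helos"].get(helo, 0) + 1
        mid = MSGID_RE.match(line)
        if mid:                           # has an ID, so it reached the DATA ACL
            reached_data.add(mid.group(1))
    stats["reached_data"] = len(reached_data)
    return stats
```

Run it with `bogus_helo_stats(open("mainlog").read(), "your.domain")`; on the sample it reports 5 H= lines, 3 bogus HELO lines and 1 message ID reached.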