Hi !!

I'm looking for another way of knocking down spam. I've got the usual HELO/EHLO verification tests - rejecting a bare IP or someone claiming to be my domain.

However, more of the spam getting through has a HELO/EHLO name containing a random string of characters.

We use these rules with success:

  # Typical nonexistent domains

  deny    condition     = ${if match {$sender_helo_name}\
                          {(backup\.lst|localhost|system\.mail)}}
          message       = Bad HELO: $sender_helo_name does not exist\n\
                          Please see RFC 2821 section 4.1.1.1

  # Usual forged HELO's

  deny    condition     = ${if match {$sender_helo_name}\
        {^(gmail\.com|msn\.com|yahoogroups\.com|aol\.com)\$}}
          message       = Forged HELO: you are not $sender_helo_name

  # Hacked HELO (DOMAIN.com) (constructed by viruses)

  deny    condition     = ${if match \
        {$sender_helo_name}{\N^[A-Z]+[A-Z0-9\-]+\.[a-z0-9]+$\N}}
          message       = Hacked HELO: you are not $sender_helo_name

  # Hacked HELO (random domain names) (constructed by viruses)

  deny    condition     = ${if match {$sender_helo_name}{smtp}{no}{yes}}
          condition     = ${if match {$sender_helo_name}\
                          {\N^[a-z0-9]+\.[a-z]+$\N}}
          condition     = ${if match {$sender_helo_name}\
                          {\N.*[bcdfghjklmnpqrstvwxz]{7,}.*\.[a-z]+$\N}}

Also if $sender_helo_name does not resolve the following rules catch
a lot of spam:

  deny    condition      = ${if match \
                {$sender_helo_name}{\N^[A-Z0-9\-]+\.[a-z0-9]+\N}}
          message        = $sender_helo_name does not exist

  deny    condition      = ${if match \
                {$sender_helo_name}{\N^[a-z0-9\-]+\.[a-z0-9]+\.\
                (comcast\.net|ameritech\.net|optonline\.net|\
                verizon\.net|cox\.net|rr\.com|adelphia\.net)$\N}}
          message        = $sender_helo_name does not exist

  deny    condition     = ${if match {$sender_helo_name}{^yahoo\.}}
          message       = Forged HELO: you are not $sender_helo_name

With more DNS queries:

  deny    condition      = ${if match{$sender_helo_name}\
                           {^[a-z0-9\\-]+\\.(com|net|org)\$}}
          condition      = ${lookup \
                            dnsdb{defer_never,ns=$sender_helo_name}\
                           {no}{yes}}
          message        = $sender_helo_name does not exist

--
Best regards ...

----------------------------------------------------------------
   David Saez Padros                http://www.ols.es
   On-Line Services 2000 S.L.       e-mail  [EMAIL PROTECTED]
   Pintor Vayreda 1                 telf    +34 902 50 29 75
   08184 Palau-Solita i Plegamans   movil   +34 670 35 27 53
----------------------------------------------------------------
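An added example, not part of David's post or of Exim itself: the unconditional rules from the first ACL block above, transcribed into Python regexes and run over a handful of constructed HELO names so a reader can see what each rule accepts and rejects before putting it in front of real mail. Exim's `match` condition is case-sensitive and unanchored unless the pattern anchors itself, which `re.search` mirrors; the `{no}{yes}` inversion on the `smtp` check is modelled as a condition that must *not* match. The DNS-gated rules later in the post are left out because they depend on a resolver. One of the constructed names (`angstschreck.example`, an ordinary German compound word) shows that the seven-consonant rule can reject a legitimate-looking host, so it is worth checking such a rule against your own HELO logs first.

```python
import re

# Rules transcribed from the first ACL block of the post (assumption: the
# rule names below are descriptive labels chosen here, not Exim identifiers).
# Each rule is a list of (pattern, must_match) conditions; a rule fires only
# when every condition holds, just as several "condition =" lines in one
# Exim "deny" verb must all be true.
HELO_RULES = [
    ("Bad HELO: domain does not exist",
     [(r"(backup\.lst|localhost|system\.mail)", True)]),
    ("Forged HELO: big freemail domain",
     [(r"^(gmail\.com|msn\.com|yahoogroups\.com|aol\.com)$", True)]),
    ("Hacked HELO: UPPERCASE.com",
     [(r"^[A-Z]+[A-Z0-9\-]+\.[a-z0-9]+$", True)]),
    ("Hacked HELO: random domain name",
     [(r"smtp", False),                      # ${if match ...{smtp}{no}{yes}}
      (r"^[a-z0-9]+\.[a-z]+$", True),
      (r".*[bcdfghjklmnpqrstvwxz]{7,}.*\.[a-z]+$", True)]),
]


def matching_rule(helo):
    """Return the label of the first rule that would deny this HELO, else None.

    re.search is used (not re.match) because Exim's match condition is
    unanchored; the patterns that need anchoring carry ^ and $ themselves.
    """
    for label, conditions in HELO_RULES:
        fired = True
        for pattern, must_match in conditions:
            matched = re.search(pattern, helo) is not None
            if matched != must_match:
                fired = False
                break
        if fired:
            return label
    return None


# Constructed sample HELO names (not taken from any real log).
SAMPLE_HELOS = [
    "mail.example.net",        # ordinary multi-label hostname
    "backup.lst",              # known-bogus name from the first rule
    "gmail.com",               # bare freemail domain, exact match
    "mail.gmail.com",          # not an exact match, so the forged rule does not fire
    "DOMAIN.com",              # uppercase first label, lowercase TLD
    "xkjqwrtz.com",            # single label made of eight consonants
    "angstschreck.example",    # legitimate-looking word, but 8 consonants in a row
]


def evaluate_samples():
    """Map each sample HELO to the rule that would deny it (None = accepted)."""
    return {helo: matching_rule(helo) for helo in SAMPLE_HELOS}


if __name__ == "__main__":
    for helo, verdict in evaluate_samples().items():
        print(f"{helo:24} -> {verdict or 'accepted'}")
```

Running the block prints one line per sample; the last line is the false positive worth noticing, since the consonant-run rule cannot tell a random string from a real word that happens to have no vowels in a long stretch.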
--
## List details at http://www.exim.org/mailman/listinfo/exim-users ## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://www.exim.org/eximwiki/