A lot of spammers, and some misconfigured but legitimate servers, send your
MX's IP as their HELO hostname, or send their own or some other IP as the
HELO hostname.
I suggest you look at the situation on your box with this as your last
restriction (always do this to see what gets past all your other filters):
smtpd_recipient_restrictions =
.
.
.
warn_if_reject pcre:/etc/postfix/helo_hostnames_bw.regexp,
permit
and helo_hostnames_bw.regexp contains just one line:
/[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}/ 554 ACL helo_hostnames_regexp
The regex describes a dotted quad: four groups of 1 to 3 digits (0-9),
separated by ".".
That will catch any dotted quad IP in helo hostname, either naked or
embedded in other text, such as when spammers send a subscriber-network PTR
hostname as helo hostname.
If you want to block only naked IPs, use the BOL and/or EOL anchors:
/^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}$/ 554 ACL helo_hostnames_regexp
This is an extension of Bill Landry's and my suggestion last week, which
was for blocking a HELO containing your MX's own IP. The above blocks for
ANY IP, since an IP as the HELO name is invalid.
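To see exactly what the two tables match before you drop warn_if_reject, here is a small added example (mine, not from the post or from Postfix) that parses one-line pcre tables of the shape shown above and runs them over constructed HELO names; the sample names and the table text are assumptions, not log data from the post.

```python
import re
from typing import Optional

# Constructed copies of the two one-line pcre tables discussed above.
HELO_ANY_IP_TABLE = r"/[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}/ 554 ACL helo_hostnames_regexp"
HELO_NAKED_IP_TABLE = r"/^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}$/ 554 ACL helo_hostnames_regexp"

def parse_pcre_table(text: str) -> list[tuple[re.Pattern, str]]:
    """Minimal reader for Postfix-style pcre: tables: '/pattern/flags action'
    per line. Blank lines and '#' comments are skipped; only the 'i' flag is
    honoured (negation, other delimiters and IF/ENDIF are not handled)."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"^/(.*?)/(i?)\s+(.*)$", line)
        if not m:
            raise ValueError(f"unparseable pcre table line: {line!r}")
        pattern, flags, action = m.groups()
        rules.append((re.compile(pattern, re.I if flags else 0), action))
    return rules

def lookup(rules: list[tuple[re.Pattern, str]], helo: str) -> Optional[str]:
    """First matching rule wins, as in a Postfix lookup; None means no match."""
    for pat, action in rules:
        if pat.search(helo):  # pcre: tables match anywhere unless anchored
            return action
    return None

# Constructed sample HELO names covering the cases the text describes.
SAMPLES = [
    "203.0.113.7",                  # naked IP
    "203-0-113-7.dyn.isp.example",  # dashed, so no dotted quad
    "host203.0.113.7.isp.example",  # dotted quad embedded in a PTR-style name
    "[203.0.113.7]",                # bracketed address literal
    "mail.example.com",             # ordinary hostname
    "9999.1.2.3",                   # not an IP, but '999.1.2.3' is inside it
]

def classify(table: str) -> dict[str, Optional[str]]:
    """Map each sample HELO name to the action the given table returns."""
    rules = parse_pcre_table(table)
    return {helo: lookup(rules, helo) for helo in SAMPLES}
```

Note that the unanchored table also hits a bracketed address literal, which RFC 5321 permits in HELO/EHLO, and any run of digits that merely contains a dotted quad; the anchored table rejects only the naked form.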
In just the first hour of Wednesday:
%less /var/tmp/spam-stats.rpt
1 ACL RAV: unverifiable recipient address
1 ACL [EMAIL PROTECTED]
4 ACL from_senders_black
4 ACL mta_clients_sav
4 ACL from_senders_secsag
6 SMTP Exceeded Hard Error Limit after MAIL
6 ACL mta_clients_regex
7 ACL mta_clients_black
7 ACL from_senders_slet
9 SMTP Exceeded Hard Error Limit after END-OF-MESSAGE
9 ACL RAV: new verification
16 ACL body checks
19 ACL mta_clients_spamdomins
20 ACL bogon network header
21 DNS no A/MX for @recipient.domain
23 ACL mta_clients_subscriber network
26 ACL from_senders_regexp
26 ACL from_senders_bw
38 DNS timeout for MTA PTR hostname (forged @sender.domain)
45 ACL mta_clients_conn
46 ACL mta_clients_helo
58 ACL header checks
60 ACL helo hostname contains an IP <<<<<<<<<<<<<
67 DNS no A/MX for @sender.domain
101 DNS nxdomain for MTA PTR hostname (forged @sender.domain)
109 ACL from_senders_imgfx
126 ACL SAV: undeliverable sender address
126 ACL unqualified helo hostname
153 ACL SAV: new verification in progress
189 ACL helo hostname = my IP <<<<<<<<<<<<<<
261 RBL spamdomains.blackholes.easynet.nl
453 ACL SAV: unverifiable sender address
657 ACL RAV: undeliverable recipient address
685 ACL subscriber network
690 SMTP Exceeded Hard Error Limit after DATA
714 ACL mta_clients_dict
965 SMTP Exceeded Hard Error Limit after RCPT
1507 ACL mta_clients_bw
7259 TOTAL
amazing, huh?
Len