On Monday 05 November 2007, Mike Kershaw wrote:
> On Mon, Nov 05, 2007 at 01:48:24PM -0500, Chris Knadle wrote:
> > On Monday 05 November 2007, Paul Chauvet wrote:
> > > In Postfix at least, you can do this with reject_non_fqdn_hostname in
> > > the smtpd_helo_restrictions.  In addition we reject a ton of spam from
> > > people who try to HELO/EHLO as our hostname or IP address.
> >
> >    Yes that also helps quite a bit.  It's also not RFC 2821 compliant to
> > send a raw IP address for a HELO/EHLO greeting, so I reject those as
> > well.  [An IP address encapsulated in brackets is okay.]  Also good to
> > reject a HELO/EHLO claiming to be from your own IP block, or which are in
> > RFC 1918 private IP address ranges.
>
> Do you do this with pcre filters?

No, yes, yes.  The latter two may be of use to you with Postfix.

Exim4 has the built-in 'isip' test for the raw IP case.

The other cases use a pcre.  Postfix seems to break these off into separate 
running processes; Exim4 handles these internally.

Below are the associated rules I have in the "acl_check_helo:" configuration 
section for Exim4.  If these rules match there's a 15 second delay (trying to 
do cheap and simple tarpitting), after which the connection is dropped.

=-=-=-=-=-=-=-=
     # Don't accept an IP address for a HELO greeting
     # 
     drop
       hosts       = !+relay_from_hosts
       condition   = ${if isip{$sender_helo_name}{true}{false}}
       message     = An IP address is unacceptable for a HELO greeting.\n\
                     HELO greeting must conform to RFC 2821
       log_message = $sender_host_name used raw IP address in HELO/EHLO \
                     greeting
       delay       = 15s

     # Helo should not be RFC 1918 address
     #
     drop
       hosts       = !+relay_from_hosts
       condition   = ${if match{$sender_helo_name}\
          {\N^(\[)?(10\.[0-9]{1,3}|172\.(1[6-9]|2[0-9]|31)|\
           192\.168)\.[0-9]{1,3}\.[0-9]{1,3}(\])?$\N}\
           {yes}{no}}
       message     = RFC 1918 IP address in HELO
       log_message = $sender_host_name used RFC 1918 reserved IP in HELO
       delay       = 15s

     # A remote host using my own HELO is wrong
     # MODIFY 111.222.33.44 IP and change domain.tld to proper
     #    domain name
     #
     drop
       hosts       = !+relay_from_hosts
       condition   = ${if match{$sender_helo_name}\
                       {\N^((\[)?111\.222\.33\.44(\])?|\
                       (.*\.)?domain\.tld)$\N}\
                       {yes}{no}}
       message     = Forged HELO detected and logged.  Connection terminated.
       log_message = $sender_host_name forged our info
       delay       = 15s
=-=-=-=-=-=-=-=

   -- Chris

-- 

Chris Knadle
[EMAIL PROTECTED]

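The three ACL rules above, re-implemented as an added Python checker so the patterns can be exercised against constructed HELO strings before they go into a live acl_check_helo section. This is example code, not Chris's configuration, and it does not drive Exim; 111.222.33.44 and domain.tld are the post's placeholder values, and the forged-HELO pattern is matched case-insensitively here, which goes a little beyond the post's regex.

```python
"""Offline checker mirroring the three Exim acl_check_helo rules in the post:
a raw IP as HELO, an RFC 1918 address as HELO, and a HELO that claims our own
IP or domain.  This is an added example, not the poster's configuration.
OUR_IP / OUR_DOMAIN are the post's placeholder values, not real hosts."""
import ipaddress
import re

OUR_IP = "111.222.33.44"   # placeholder from the post; set to your MX address
OUR_DOMAIN = "domain.tld"  # placeholder from the post; set to your domain

# Same expression as the post's second rule: a 10/8, 172.16/12 or 192.168/16
# address, with the optional square brackets of an SMTP address literal.
RFC1918_RE = re.compile(
    r"^(\[)?(10\.[0-9]{1,3}|172\.(1[6-9]|2[0-9]|31)|192\.168)"
    r"\.[0-9]{1,3}\.[0-9]{1,3}(\])?$"
)

# Same shape as the post's third rule: our IP, optionally bracketed, or our
# domain and any host under it.  HELO names are case-insensitive, so this
# version ignores case (the post's regex as written does not).
FORGED_RE = re.compile(
    r"^((\[)?" + re.escape(OUR_IP) + r"(\])?|(.*\.)?" + re.escape(OUR_DOMAIN) + r")$",
    re.IGNORECASE,
)


def is_raw_ip(helo):
    """Equivalent of Exim's isip condition: true for a bare IPv4/IPv6 literal.
    A bracketed address literal such as '[1.2.3.4]' is not a bare IP."""
    try:
        ipaddress.ip_address(helo)
        return True
    except ValueError:
        return False


def check_helo(helo, relay_from_host=False):
    """Return the name of the rule that would drop this HELO, or None.

    Rules are evaluated in the post's order.  relay_from_host=True models a
    sender listed in +relay_from_hosts, which every rule exempts."""
    if relay_from_host:
        return None
    if is_raw_ip(helo):
        return "raw_ip"
    if RFC1918_RE.match(helo):
        return "rfc1918"
    if FORGED_RE.match(helo):
        return "forged"
    return None


# Constructed sample HELO strings (not captured traffic).
SAMPLES = [
    "mail.example.org",   # ordinary FQDN: accepted
    "1.2.3.4",            # bare IP: dropped by the isip rule
    "[1.2.3.4]",          # bracketed public literal: accepted
    "192.168.1.10",       # bare private IP: the isip rule fires first
    "[10.0.0.5]",         # bracketed private literal: RFC 1918 rule
    "[172.32.0.1]",       # just outside 172.16/12: accepted
    "[111.222.33.44]",    # our own address in brackets: forged
    "MX.Domain.TLD",      # host under our domain, odd case: forged
    "notdomain.tld",      # different domain with our name as suffix: accepted
]


def classify_samples():
    """Run every sample through check_helo and return {helo: verdict}."""
    return {helo: check_helo(helo) for helo in SAMPLES}


if __name__ == "__main__":
    for helo, verdict in classify_samples().items():
        print(f"{helo:20s} -> {verdict or 'accept'}")
```

One thing the samples make visible is rule order: a bare RFC 1918 address such as 192.168.1.10 is already dropped by the isip rule, so the RFC 1918 rule only ever sees the bracketed form, which is exactly why its regex allows the brackets. Likewise a bare 111.222.33.44 never reaches the forged-HELO rule; only the bracketed literal and the domain names do.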

_______________________________________________
Mid-Hudson Valley Linux Users Group                  http://mhvlug.org
http://mhvlug.org/cgi-bin/mailman/listinfo/mhvlug
Upcoming Meetings (6pm - 8pm)                         MHVLS Auditorium
  Oct 3 - Security and Privacy
  Nov 7 - Django Python Application Framework
