On Tue, 3 Feb 2004, Jack Olszewski wrote:

> In the archives of this list I can't find anything on possible checks
> of $helo versus $ip in filter_relay. What about finding the address of
> the host given as $helo, and matching it against $ip? Would it be safe
> to reject the message if they do not match? For instance (not tested
> in mimedefang-filter yet):
[...]

This will yield many false positives. Here is what I do:

* Reject mail from outside relays who HELO as one of my domains.
* Reject mail from outside relays who HELO as one of my networks, with
  or without brackets (e.g. "204.74.20.1" and "[204.74.20.1]")
* Reject mail from outside relays who HELO as a string that isn't a
  domain or an address. I just check for a "." in the string. An
  amazing amount of ratware issues "HELO hjdjhdf" etc.

I've had a few false positives where the server was just doing "HELO
servername" and in all cases the admin of the sending server has
corrected it.

Matt

--
Matthew S. Cramer <[EMAIL PROTECTED]>          Office: 717-396-5032
Infrastructure Security Analyst                Fax:    717-396-5590
Armstrong World Industries, Inc.               Cell:   717-917-7099
_______________________________________________
Visit http://www.mimedefang.org and http://www.canit.ca
MIMEDefang mailing list
[EMAIL PROTECTED]
http://lists.roaringpenguin.com/mailman/listinfo/mimedefang
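The three HELO rules listed in the reply above, as an added Perl example (not code from the original message or from MIMEDefang itself). The helper name `helo_verdict`, the domains and the networks are assumptions; it handles IPv4 only, treats hosts under a listed domain as that domain, and returns an (action, message) pair in the REJECT/CONTINUE form a MIMEDefang relay filter returns.

```perl
use strict;
use warnings;

# Constructed sample values (assumptions): substitute your own.
my @MY_DOMAINS  = qw(example.com example.org);
my @MY_NETWORKS = qw(192.0.2.0/24 198.51.100.0/24);

# IPv4 dotted quad -> integer; returns undef for anything else.
sub ip_to_int {
    my ($ip) = @_;
    my @o = ($ip // '') =~ /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})\z/ or return;
    return if grep { $_ > 255 } @o;
    return ($o[0] << 24) | ($o[1] << 16) | ($o[2] << 8) | $o[3];
}

# True when the string is an IPv4 address inside one of @MY_NETWORKS.
sub in_my_networks {
    my $n = ip_to_int(shift);
    return 0 unless defined $n;
    for my $cidr (@MY_NETWORKS) {
        my ($net, $bits) = split m{/}, $cidr;
        my $mask = $bits ? (0xFFFFFFFF << (32 - $bits)) & 0xFFFFFFFF : 0;
        return 1 if ($n & $mask) == (ip_to_int($net) & $mask);
    }
    return 0;
}

# Hypothetical helper: apply the three rules to one relay IP and HELO string.
sub helo_verdict {
    my ($ip, $helo) = @_;
    # Only outside relays are checked; our own hosts may use our names.
    return ('CONTINUE', 'ok') if in_my_networks($ip);
    # Compare case-insensitively, with any surrounding brackets removed.
    (my $bare = lc($helo // '')) =~ s/^\[(.*)\]\z/$1/;
    # Fixed reply texts: the HELO string is untrusted and is not echoed back.
    return ('REJECT', 'HELO is not a domain or an address') unless $bare =~ /\./;
    return ('REJECT', 'HELO claims one of our addresses') if in_my_networks($bare);
    for my $d (@MY_DOMAINS) {
        return ('REJECT', 'HELO claims one of our domains')
            if $bare eq $d || $bare =~ /\.\Q$d\E\z/;
    }
    return ('CONTINUE', 'ok');
}

# Constructed test cases: [relay IP, HELO string].
for my $t (['203.0.113.9', 'example.com'], ['203.0.113.9', '[192.0.2.25]'],
           ['203.0.113.9', 'hjdjhdf'],     ['203.0.113.9', 'mail.example.net'],
           ['192.0.2.25',  'example.com']) {
    my ($action, $msg) = helo_verdict(@$t);
    printf "%-12s %-18s %-8s %s\n", @$t, $action, $msg;
}
```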

