I think I found that doing too much blocking on the helo line caused too many
dropped emails, so I dropped only on those systems pretending to be our
IP address. While reading all the email here, I looked over my filter, and
found I'd left logging turned on for a helo with no period in it. I must have
been looking into the helo blocking with the mindset of "only domains
and IPs allowed, therefore everything without a . in it must be bad" (not
sure if the logic is correct, which is probably why I left it alone ;-)
I also looked at checking the hostip in filter_sender with the IP passed
in the helo.
(I think I got this from somewhere else, sorry for the reproduction):
    # $hostip is the connecting peer's address; $1 is the address literal in the helo
    if ($helo =~ /^\[?(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})\]?$/
        and $1 ne $hostip) {
        # log the mismatch here (logging only, no reject)
    }
Since I keep 30 days of logs, I thought I'd see what it turns up;
out of 78963 emails,
6246 tripped the no-dots.
2923 tripped the hostip != helo
1752 tripped the local-helo (our domain from external)
6 tripped the "forged AOL"
That last one seems to be a waste of programming, this was something I
wanted to test after reading:
http://postmaster.aol.com/faq/mailerfaq.html#syntax
which came out as:
    if ($sender =~ /[EMAIL PROTECTED]/ && $sender ne '[EMAIL PROTECTED]'
        && $sender !~ /^[a-z][a-z0-9]{2,[EMAIL PROTECTED]/) {
        # log the "forged AOL" sender here
    }
But the effort of checking just to catch 6 of 78000 emails, doesn't seem
worth it.
I started to look at the no-dots logs, and there are some that look like:
IP, helo
218.238.171.96,q8yCOr
218.238.171.96,FMlje4vD
218.238.171.96,WHb7br2w
and within the same minute.
Is it likely the same IP would email multiple times, using random HELOs?
I suppose it could be a NAT'd connection, and some firewall altering
the helo headers on the fly.
Also I've seen:
221.208.147.6,-1208586384
And at least half of the entries are the numerical field (both negative
and positive, but the numbers don't repeat). Perhaps a spam program's htons
has broken, or something. I think I might look into blocking localhost
for all external IPs, but it only accounts for 540 emails.
-Paul
--
Paul Whittney                            ArriveTech, Inc.
Network Specialist / Systems Engineer    670 West 36th Street,
                                         Erie, PA, 16508, USA
PWhittney [at] arrivetech.com (Main)     www.arrivetech.com
PWhittney [at] net.arrivetech.com (Aux)  Tel: 814 868 3306
_______________________________________________
NOTE: If there is a disclaimer or other legal boilerplate in the above
message, it is NULL AND VOID. You may ignore it.
Visit http://www.mimedefang.org and http://www.roaringpenguin.com
MIMEDefang mailing list [email protected]
http://lists.roaringpenguin.com/mailman/listinfo/mimedefang
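The checks Paul describes (dot-less HELO, address literal that is not the connecting IP, our own domain claimed from outside, bare integer HELOs, and "localhost" from external hosts) can be measured before any of them is turned into a reject. The script below is an added example, written in plain Perl since that is what MIMEDefang filters are written in; it is not code from the post or from MIMEDefang. It tags each "IP,helo" log entry and counts hits per tag, plus how many distinct dot-less HELOs each IP used (the random-HELO-per-connection pattern). `$OUR_IP`, `$OUR_DOMAIN` and the extra log lines are assumptions; the first four log lines reuse the values quoted in the post. In a real filter_sender hook, `classify_helo` would be called with the peer IP and HELO that MIMEDefang passes in, and the tags logged rather than acted on.

```perl
#!/usr/bin/perl
# Added example, not code from the original post or from MIMEDefang.
# Tags HELO strings with the checks discussed on the list and tallies them
# over a constructed "IP,helo" log, so each check's hit rate is visible
# before anything becomes a reject.
use strict;
use warnings;
use Socket qw(inet_aton);

# Assumed site values (placeholders, not from the post).
my $OUR_IP     = '192.0.2.25';
my $OUR_DOMAIN = 'example.com';

# Strict dotted-quad parse: four octets, each 0-255. Returns the string or undef.
sub parse_ipv4 {
    my ($s) = @_;
    return undef unless $s =~ /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/;
    for my $o ($1, $2, $3, $4) { return undef if $o > 255 }
    return $s;
}

# RFC 1918 and loopback: a HELO of our own domain from these is normal (LAN, NAT).
sub is_internal {
    my ($ip) = @_;
    my $packed = inet_aton($ip) or return 0;
    my $n = unpack('N', $packed);
    return 1 if ($n >> 24) == 10 || ($n >> 24) == 127;
    return 1 if ($n >> 20) == ((172 << 4) | 1);     # 172.16.0.0/12
    return 1 if ($n >> 16) == ((192 << 8) | 168);   # 192.168.0.0/16
    return 0;
}

# Returns the list of tags this HELO trips for a connection from $hostip.
sub classify_helo {
    my ($hostip, $helo) = @_;
    my @tags;

    push @tags, 'no-dots'   if $helo !~ /\./;
    push @tags, 'numeric'   if $helo =~ /^-?\d+$/;           # e.g. -1208586384
    push @tags, 'localhost' if lc($helo) eq 'localhost' && !is_internal($hostip);

    # Address literal: brackets must be balanced and the octets valid.
    if ($helo =~ /^\[([\d.]+)\]$/ || $helo =~ /^([\d.]+)$/) {
        my $lit = parse_ipv4($1);
        if    (!defined $lit)     { push @tags, 'bad-literal' }
        elsif ($lit ne $hostip)   { push @tags, 'hostip!=helo' }
    }

    # Our own name or address claimed by a host that is neither us nor on the LAN.
    my $claims_us = lc($helo) eq lc($OUR_DOMAIN)
                 || $helo =~ /\.\Q$OUR_DOMAIN\E$/i
                 || $helo eq $OUR_IP
                 || $helo eq "[$OUR_IP]";
    push @tags, 'local-helo'
        if $claims_us && $hostip ne $OUR_IP && !is_internal($hostip);

    return @tags;
}

# Count entries per tag, and distinct dot-less HELOs per IP (HELO churn).
sub tally {
    my @entries = @_;                       # list of [ip, helo]
    my (%hits, %churn);
    for my $e (@entries) {
        my ($ip, $helo) = @$e;
        my @tags = classify_helo($ip, $helo);
        $hits{$_}++ for @tags;
        $churn{$ip}{$helo} = 1 if grep { $_ eq 'no-dots' } @tags;
    }
    my %distinct = map { $_ => scalar keys %{ $churn{$_} } } keys %churn;
    return (\%hits, \%distinct);
}

# Constructed log in the post's "IP,helo" format. The first four lines reuse
# values quoted in the post; the rest are made up to exercise each check.
my @LOG = map { [ split /,/, $_, 2 ] } (
    '218.238.171.96,q8yCOr',
    '218.238.171.96,FMlje4vD',
    '218.238.171.96,WHb7br2w',
    '221.208.147.6,-1208586384',
    '203.0.113.9,[203.0.113.9]',         # literal matches the peer: clean
    '203.0.113.9,[198.51.100.7]',        # literal is someone else's address
    '203.0.113.9,[300.1.1.1]',           # not a valid address at all
    '198.51.100.7,example.com',          # our domain claimed from outside
    '10.0.0.5,example.com',              # our domain from the LAN: normal
    '198.51.100.8,localhost',
    '203.0.113.42,mail.partner.example', # ordinary HELO, trips nothing
);

my ($hits, $distinct) = tally(@LOG);
printf "%-14s %d\n", $_, $hits->{$_} for sort keys %$hits;
for my $ip (sort keys %$distinct) {
    printf "%s used %d distinct dot-less HELOs\n", $ip, $distinct->{$ip}
        if $distinct->{$ip} >= 3;
}
```

Run as `perl helo_tally.pl` (any file name). On the constructed log it reports five no-dots hits, one each of numeric, localhost, bad-literal, hostip!=helo and local-helo, and flags 218.238.171.96 for using three distinct dot-less HELOs. The bracket handling is the one deliberate difference from the regex in the post: `\[?...\]?` accepts a lone opening or closing bracket, whereas the two alternatives here only accept a balanced pair or none.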