Hi Bob...

Nice Postfix tip.  I think that this approach is a bit much for me
maintenance-wise.

What I'm looking for is a way to stop spam and viruses at the MTA level
(Postfix) so that it rejects email that is appearing to come from invalid
users on my domain.  I'm assuming the first two lines of your regexp would
accomplish that?

If so, I can change those to match my needs but I think I might leave out
the last two lines since I don't have that kind of time to
whitelist/blacklist those... am I right in assuming this would accomplish
my desires?

--JM

Original message: ---

Hi,

On Tue, 30 Mar 2004 vermyndax <at> red-abstract.com wrote:

> > Note the 'HELO' name the virus used ("from pacbell.net"). The 'HELO'
> > name == recipient's domain name which is common virus behavior.
> >
> > A large amount of viruses and moderate amount of spam can be stopped cold
> > if you configure your MTA to reject messages that use your own
> > DNS-name/IP-address in their 'HELO'. (IE anybody else who claims to be
> > "me" is an imposter who's up to no good ;).
>
> I would *love* to implement that.  Can you suggest how to accomplish
> this with Postfix?

Here are four that I use in /etc/postfix/helo_access.pcre:

# Generic bad: nobody else may HELO as one of my domains
/^(austinimprov|cynistar)\.(com|net|org)$/      550 5.7.1 Do not masquerade as local server. Begone.
# Bare or bracketed IP address out of my own netblock (anchored so that
# 66.143.181.100 or mail.66.143.181.8.example.com do not match)
/^\[?66\.143\.181\.([8-9]|1[0-5])\]?$/          550 5.7.1 Do not masquerade as local server. Begone.
# localhost, localhost.localdomain and friends
/^localhost\.?/         450 Fix your HELO to show a real hostname and try again
# Any other bare IP address
/^\d+\.\d+\.\d+\.\d+$/  450 Fix your HELO to show a real hostname and try again

All of my hosts HELO as an actual resolvable host name, not as a bare
domain name, so anything matching /^mydomains\.(com|net|org)$/ is crap.

This goes doubly for anything that HELOs with a bare IP address in my
netblock. Anything that HELOs with a bare IP address gets a temporary
error until I notice, run some checks, and manually white- or blacklist
it. Anyone with a mailserver so broken as to HELO as localhost is
tempfailed as well.

In main.cf I use:

smtpd_helo_restrictions = permit_mynetworks,
  check_helo_access pcre:/etc/postfix/helo_access.pcre,
  reject_invalid_hostname,
  reject_non_fqdn_hostname,
  reject_unknown_hostname

All manual whitelist and blacklist entries go into
/etc/postfix/helo_access.pcre

The last three restrictions (reject_invalid_hostname,
reject_non_fqdn_hostname, reject_unknown_hostname) cause me a small amount
of grief from false positives due to careless mailserver configuration;
conversely, they stop a lot of spam. I get very little traffic and I watch
my logs so I can afford to be this brutal[1]. Unless you're an 800-lb
gorilla with the patience of a Buddhist monk, you'll end up whitelisting a
number of domains whose admins are too lazy/stupid/hamstrung/arrogant to
fix their DNS and HELO announcements.

Aside: I'd love QoS for email. Either fix your DNS & HELO or you get to
talk to me at 300 baud +++

-- Bob

[1] Which IMHO is not very brutal at all. "Brutal" is dropping all traffic
from Asia, Russia, and LACNIC netspace or refusing connections based on
the SCBL.
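To try Bob's rules against sample HELO names without a running Postfix, here is an added Python model of the restriction chain from his main.cf. This is my example, not Bob's code and not Postfix's own implementation: it embeds the four pcre entries (with the netblock rule anchored), walks permit_mynetworks, check_helo_access, reject_invalid_hostname, reject_non_fqdn_hostname and reject_unknown_hostname in that order, and approximates the last three with syntax checks and a constructed host list standing in for DNS. The $mynetworks value (127.0.0.0/8 and 66.143.181.8/29), the remote client address 203.0.113.5, the names in KNOWN_HOSTS and the sample HELO strings are all assumed.

```python
import ipaddress
import re

# Added example: a small model of the smtpd_helo_restrictions chain from
# the post, so the pcre rules can be tried against sample HELO names
# offline. Not Postfix's code; it approximates the restriction semantics.

# The four entries from /etc/postfix/helo_access.pcre as (regex, action).
# Postfix pcre tables match case-insensitively, unanchored unless the
# pattern says otherwise, and return the first hit.
HELO_ACCESS_PCRE = [
    (r"^(austinimprov|cynistar)\.(com|net|org)$",
     "550 5.7.1 Do not masquerade as local server. Begone."),
    (r"^\[?66\.143\.181\.([8-9]|1[0-5])\]?$",
     "550 5.7.1 Do not masquerade as local server. Begone."),
    (r"^localhost\.?",
     "450 Fix your HELO to show a real hostname and try again"),
    (r"^\d+\.\d+\.\d+\.\d+$",
     "450 Fix your HELO to show a real hostname and try again"),
]

# Assumed value of $mynetworks; the post does not show it.
MYNETWORKS = [ipaddress.ip_network("127.0.0.0/8"),
              ipaddress.ip_network("66.143.181.8/29")]

# Constructed stand-in for DNS: names that "have" an A or MX record.
KNOWN_HOSTS = {"mail.example.net", "mx1.example.org"}

# Postfix default reply codes for the three built-in HELO rejections.
INVALID_HOSTNAME_REJECT_CODE = 501
NON_FQDN_REJECT_CODE = 504
UNKNOWN_HOSTNAME_REJECT_CODE = 450

_LABEL = r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)"
_HOSTNAME_RE = re.compile(rf"^{_LABEL}(\.{_LABEL})*\.?$")
_ADDRESS_LITERAL_RE = re.compile(r"^\[\d{1,3}(\.\d{1,3}){3}\]$")


def check_helo_access(helo):
    """check_helo_access pcre:...: first matching entry's action, else None."""
    for pattern, action in HELO_ACCESS_PCRE:
        if re.search(pattern, helo, re.IGNORECASE):
            return action
    return None


def is_valid_hostname(helo):
    """reject_invalid_hostname: syntactically valid name or address literal."""
    return bool(_HOSTNAME_RE.match(helo) or _ADDRESS_LITERAL_RE.match(helo))


def is_fqdn(helo):
    """reject_non_fqdn_hostname (approximation): address literal, or a valid
    name with at least two labels whose top-level label is not all digits."""
    if _ADDRESS_LITERAL_RE.match(helo):
        return True
    labels = helo.rstrip(".").split(".")
    return (is_valid_hostname(helo) and len(labels) >= 2
            and not labels[-1].isdigit())


def is_known_hostname(helo, resolver=KNOWN_HOSTS):
    """reject_unknown_hostname: the name resolves (constructed lookup)."""
    return helo.rstrip(".").lower() in resolver


def evaluate_helo(helo, client_ip, resolver=KNOWN_HOSTS):
    """Walk the restriction list from the post's main.cf in order and
    return the reply Postfix would give: 'OK' or 'NNN text'."""
    # permit_mynetworks: our own hosts skip every later check
    if any(ipaddress.ip_address(client_ip) in net for net in MYNETWORKS):
        return "OK"
    # check_helo_access pcre:/etc/postfix/helo_access.pcre
    action = check_helo_access(helo)
    if action is not None:
        return action
    # reject_invalid_hostname
    if not is_valid_hostname(helo):
        return f"{INVALID_HOSTNAME_REJECT_CODE} Helo command rejected: Invalid name"
    # reject_non_fqdn_hostname
    if not is_fqdn(helo):
        return f"{NON_FQDN_REJECT_CODE} Helo command rejected: need fully-qualified hostname"
    # reject_unknown_hostname
    if not is_known_hostname(helo, resolver):
        return f"{UNKNOWN_HOSTNAME_REJECT_CODE} Helo command rejected: Host not found"
    return "OK"


if __name__ == "__main__":
    # Constructed sample HELO names from a remote client (not in $mynetworks).
    for helo in ["cynistar.com", "66.143.181.10", "66.143.181.100",
                 "localhost", "localhost.localdomain", "192.0.2.7",
                 "mail.example.net", "mail", "bogus.invalid", "bad_name!"]:
        print(f"{helo:24} -> {evaluate_helo(helo, '203.0.113.5')}")
```

The difference between 66.143.181.10 (550 from the netblock rule) and 66.143.181.100 (450 from the generic bare-IP rule) is why the netblock pattern is anchored. On a live system the equivalent check of the table alone is `postmap -q 'localhost' pcre:/etc/postfix/helo_access.pcre`, which prints the action the table returns for that HELO string. One thing the model does not capture: smtpd_helo_restrictions are only applied to clients that send HELO or EHLO at all, so a client that skips the greeting bypasses them unless main.cf also sets smtpd_helo_required = yes.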