John D. Hardin wrote:
> On Wed, 6 Dec 2006, Kelly Jones wrote:
>
>> Recently, someone connected to our server, call it mx.xyz.com, and said
>> "HELO mx.xyz.com". Spamassassin didn't ding it for doing this.
>
> IMHO this is worthy of a 500 reject at the MTA level. There is NO
> legitimate reason for J. Random User out on the internet to claim his
> MTA is yours.
>
> I've posted milter-regex examples that do this here before.
I have the following in my EXIM Rcpt ACL:

---
  # kill off the folks that use OUR ip's in HELO Nice and Early.
  drop message = Forged IP detected in HELO: $sender_helo_name
       hosts = !+relay_from_hosts
       !authenticated = *
       condition = ${if \
                      eq{$sender_helo_name}{$interface_address}{yes}{no}}

  # Forged hostname - HELOs as my own hostname or domain (early as well)
  drop message = Forged hostname detected in HELO: $sender_helo_name
       hosts = !+relay_from_hosts
       !authenticated = *
       condition = ${lookup {$sender_helo_name} \
                      lsearch{/usr/local/etc/exim/checkfiles/our_host_names} {yes}{no}}
----

If they try and HELO/EHLO as my IP or host name, we unceremoniously drop the connection.

Just one other solution to this issue.

--
Larry Rosenman                     http://www.lerctr.org/~ler
Phone: +1 512-248-2683                 E-Mail: ler@lerctr.org
US Mail: 430 Valona Loop, Round Rock, TX 78681-3893
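As an added illustration (not Larry's code and not Exim itself), here is a small Python model of the two ACL rules above, so the exemptions and the two drop conditions can be tested against constructed sessions. The relay network, the hostnames standing in for the our_host_names checkfile, and all addresses are assumptions; the model also goes slightly beyond the ACL's plain string compare by treating the bracketed address-literal form "[a.b.c.d]" as the same IP and matching hostnames case-insensitively.

```python
"""Model of the forged-HELO checks in the Exim Rcpt ACL above (added
example, not Exim code; every name, network and address is constructed)."""
import ipaddress
from dataclasses import dataclass


@dataclass
class Session:
    """The Exim variables the ACL consults, captured for one SMTP session."""
    sender_helo_name: str        # $sender_helo_name
    interface_address: str       # $interface_address (the IP we listen on)
    sender_host_address: str     # remote client IP, used for the hosts= test
    authenticated: bool          # whether 'authenticated = *' would match


# Constructed stand-ins for +relay_from_hosts and the our_host_names checkfile.
RELAY_FROM_HOSTS = [ipaddress.ip_network("192.0.2.0/24")]
OUR_HOST_NAMES = {"mx.example.com", "example.com", "mail.example.com"}


def is_exempt(s: Session) -> bool:
    """hosts = !+relay_from_hosts and !authenticated = * : our own relays and
    authenticated clients may legitimately present our names, so skip them."""
    if s.authenticated:
        return True
    client = ipaddress.ip_address(s.sender_host_address)
    return any(client in net for net in RELAY_FROM_HOSTS)


def helo_verdict(s: Session) -> tuple[str, str]:
    """Return ('drop', message) or ('accept', '') for the two forged-HELO rules."""
    if is_exempt(s):
        return ("accept", "")
    helo = s.sender_helo_name.strip()
    # Rule 1: HELO equal to the IP the client connected to. The ACL's eq{}
    # compares the bare string; stripping [ ] is an assumption that also
    # treats the RFC 5321 address-literal form "[a.b.c.d]" as that IP.
    if helo.strip("[]") == s.interface_address:
        return ("drop", f"Forged IP detected in HELO: {s.sender_helo_name}")
    # Rule 2: HELO equal to one of our own hostnames/domains (the lsearch on
    # the checkfile). Hostnames are case-insensitive; a trailing dot is ignored.
    if helo.lower().rstrip(".") in OUR_HOST_NAMES:
        return ("drop", f"Forged hostname detected in HELO: {s.sender_helo_name}")
    return ("accept", "")


if __name__ == "__main__":
    forged = Session("mx.example.com", "203.0.113.5", "198.51.100.7", False)
    print(helo_verdict(forged))  # ('drop', 'Forged hostname detected in HELO: mx.example.com')
```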