[Mimedefang] Caught my first HELO impersonator

David F. Skoll dfs at roaringpenguin.com
Sat Aug 17 23:26:01 EDT 2002


Thanks to Jim McCullars, who in
http://lists.roaringpenguin.com/pipermail/mimedefang/2002-August/001949.html
suggested adding access to the HELO string, I've caught my first
"I'm you" spam impersonator. :-)

I added this to filter_relay:

sub filter_relay {
    my($hostip, $hostname, $helo) = @_;

    # Can't be "roaringpenguin.com" unless it's one of our IPs.
    if ($helo =~ /roaringpenguin\.com/i) {
        if ($hostip ne "127.0.0.1" and $hostip ne "216.191.236.23" and
            $hostip ne "216.191.236.30" and $hostip ne "209.217.122.117") {
            syslog('info', "Host $hostip said HELO $helo");
            return(0, "Go away. $hostip is not a roaringpenguin.com machine");
        }
    }
    return (1, "OK");
}

And I found this in maillog:

Aug 16 17:39:02 www Host 61.230.103.17 said HELO roaringpenguin.com
Aug 16 17:39:04 www Host 61.230.103.17 said HELO roaringpenguin.com

:-) Great suggestion.

--
David.
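
A table-driven generalization of the check in the message above, added here as an example; it is not code from the original post or from MIMEDefang. The names `@OUR_DOMAINS`, `@OUR_NETS`, `ip_to_int`, `ip_in_net`, `helo_claims_us` and `check_helo` are hypothetical, and unlike the unanchored regex in the post it matches only the domain itself and hosts beneath it, so a lookalike such as "notroaringpenguin.com" is not treated as a claim to be us.

```perl
use strict;
use warnings;

# Assumed policy table: the domain and addresses are the ones in the post;
# a whole subnet can be listed the same way with a shorter prefix length.
my @OUR_DOMAINS = ('roaringpenguin.com');
my @OUR_NETS    = ('127.0.0.1/32', '216.191.236.23/32',
                   '216.191.236.30/32', '209.217.122.117/32');

# Dotted quad -> 32-bit integer; returns nothing if the string is malformed.
sub ip_to_int {
    my @o = (($_[0] // '') =~ /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/);
    return if @o != 4 || grep { $_ > 255 } @o;
    return ($o[0] << 24) | ($o[1] << 16) | ($o[2] << 8) | $o[3];
}

sub ip_in_net {
    my ($ip, $cidr) = @_;
    my ($net, $bits) = split m{/}, $cidr;
    $bits = 32 unless defined $bits;            # bare address means a single host
    my ($i, $n) = (scalar ip_to_int($ip), scalar ip_to_int($net));
    return 0 unless defined $i && defined $n;
    my $mask = $bits == 0 ? 0 : (0xFFFFFFFF << (32 - $bits)) & 0xFFFFFFFF;
    return (($i & $mask) == ($n & $mask)) ? 1 : 0;
}

# True when the HELO name is one of our domains or a host beneath one.
sub helo_claims_us {
    my ($helo) = @_;
    (my $h = lc($helo // '')) =~ s/\.$//;       # tolerate a trailing dot
    return scalar grep { $h eq $_ || $h =~ /\.\Q$_\E$/ } @OUR_DOMAINS;
}

# Same return convention as filter_relay in the post: (1, msg) accepts, (0, msg) rejects.
sub check_helo {
    my ($hostip, $helo) = @_;
    return (1, "OK") unless helo_claims_us($helo);
    return (1, "OK") if grep { ip_in_net($hostip, $_) } @OUR_NETS;
    return (0, "Go away. $hostip is not one of our machines");
}

# Constructed cases; 61.230.103.17 is the impersonating host from the log above.
for my $c (['216.191.236.23', 'roaringpenguin.com'],
           ['61.230.103.17',  'roaringpenguin.com'],
           ['61.230.103.17',  'MAIL.RoaringPenguin.com.'],
           ['61.230.103.17',  'notroaringpenguin.com']) {
    my ($ok, $msg) = check_helo(@$c);
    printf "%-15s HELO %-25s %s: %s\n", @$c, ($ok ? 'accept' : 'reject'), $msg;
}
```

Inside a filter, `check_helo($hostip, $helo)` would be called from `filter_relay` with the arguments shown in the post, logging the rejection with `syslog` as the original does.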



