[Mimedefang] What to do w/ SPAM?

Jim McCullars jim at info.uah.edu
Mon Sep 23 11:19:00 EDT 2002


On Sun, 22 Sep 2002, David F. Skoll wrote:

> I also use the HELO trick raised by Jim McCullars in posting
> http://lists.roaringpenguin.com/pipermail/mimedefang/2002-August/001949.html
> I find it catches 4-5 spammers per week.

   There's another good use for looking at the HELO string - a forged IP
address.  I've found that spammers will occasionally put in a phony IP
address (rather than just a phony name).  One could be ultra-restrictive
(as I plan to be) and reject outright any mail with a HELO string that
looks like an IP address, or cut them a little slack and reject it only if
it doesn't match the real relay address.

   I haven't tested this yet, but it should work:

sub filter_relay {
  my($ip, $name, $helo) = @_;
#
#  This would be a most restrictive check...
#  (the dots are escaped so that only a literal "." separates the numbers)
  if ($helo =~ /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/) {
    return (0, "Please use your host name when saying HELO");
  }
#
# or maybe reject only when it's an obvious forgery...
# (keep one check or the other; with both in place the first always fires)
  if (($helo =~ /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/) &&
      ($ip ne $helo)) {
    return (0, "Header forgery attempt, $ip claims to be $helo");
  }
  return (1);
}

   Change the bounce message to your liking.  Some may choose to let the
spammer guess why his mail was rejected.  Also, thanks to the person that
posted the regular expression to check for an IP address.

Jim
*-------------------------------------------------------------------------*
* James H. McCullars                 I Phone: (256) 824-2610              *
* Director of Systems & Operations   I Fax:   (256) 824-6643              *
* Computer & Network Services        I Internet: mccullj at email.uah.edu    *
* The University of Alabama          I -----------------------------------*
*    in Huntsville                   I                                    *
* Huntsville, AL 35899               I This space for rent - CHEAP!       *
*-------------------------------------------------------------------------*
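
The two policies from the message above, as an added example that is not part of the original post and is not MIMEDefang code. The helper name check_helo, the $strict switch and the sample addresses are assumptions; it goes beyond the post by also handling the bracketed address-literal form of HELO defined in RFC 5321.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Hypothetical helper (not a MIMEDefang API). Returns (1, 'ok') to accept
# or (0, reason) to reject, mirroring the return style used in the post.
sub check_helo {
    my ($ip, $helo, $strict) = @_;
    my $quad = qr/\d{1,3}(?:\.\d{1,3}){3}/;   # escaped dots: literal "." only

    # Bracketed address literal, e.g. [192.0.2.10]: valid HELO syntax,
    # so it is rejected only when it disagrees with the real relay.
    if ($helo =~ /^\[($quad)\]$/) {
        return (1, 'ok') if $1 eq $ip;
        return (0, "address literal $1 does not match relay $ip");
    }

    # Bare dotted quad: the case discussed in the post.
    if ($helo =~ /^($quad)$/) {
        return (0, 'bare IP address used as HELO') if $strict;
        return (0, "$ip claims to be $1") if $1 ne $ip;
    }
    return (1, 'ok');
}

# Constructed sample data: [relay IP, HELO string]
my @samples = (
    ['192.0.2.10', 'mail.example.org'],
    ['192.0.2.10', '192.0.2.10'],      # bare IP, matches the relay
    ['192.0.2.10', '198.51.100.7'],    # bare IP, does not match
    ['192.0.2.10', '[192.0.2.10]'],    # address literal, matches
    ['192.0.2.10', '[198.51.100.7]'],  # address literal, does not match
    ['192.0.2.10', '1a2b3c4'],         # an unescaped "." pattern would match this
);

for my $strict (0, 1) {
    for my $s (@samples) {
        my ($ok, $why) = check_helo($s->[0], $s->[1], $strict);
        printf "strict=%d  HELO %-16s => %s (%s)\n",
            $strict, $s->[1], ($ok ? 'accept' : 'reject'), $why;
    }
}
```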



