[Mimedefang] RE: What to do w/ SPAM? (ip address regex)

perlrtst at ml1.net perlrtst at ml1.net
Mon Sep 23 14:47:01 EDT 2002


> Date: Mon, 23 Sep 2002 10:18:03 -0500 (CDT)
> From: Jim McCullars <jim at info.uah.edu>
> To: mimedefang at lists.roaringpenguin.com
> Subject: RE: [Mimedefang] What to do w/ SPAM?
> Reply-To: mimedefang at lists.roaringpenguin.com
> 
> 
> 
> On Sun, 22 Sep 2002, David F. Skoll wrote:
> 
> > I also use the HELO trick raised by Jim McCullars in posting
> > http://lists.roaringpenguin.com/pipermail/mimedefang/2002-August/001949.html
> > I find it catches 4-5 spammers per week.
> 
>    There's another good use for looking at the HELO string - a forged IP
> address.  I've found that spammers will occasionally put in a phony IP
> address (rather than just a phony name).  One could be ultra-restrictive
> (as I plan to be) and reject outright any mail with a HELO string that
> looks like an IP address, or cut them a little slack and reject it only if
> it doesn't match the real relay address.
> 
>    I haven't tested this yet, but it should work:
> 
> sub filter_relay {
>   my($ip, $name, $helo) = @_;
> #
> #  This would be a most restrictive check...
> #  (the dots are escaped as \. so they match only a literal dot)
>   if ($helo =~ /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/) {
>     return (0, "Please use your host name when saying HELO");
>   }
> #
> # or maybe reject only when it's an obvious forgery...
>   if (($helo =~ /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/) &&
>       ($ip ne $helo)) {
>       return (0, "Header forgery attempt, $ip claims to be $helo");
>   }
>   return (1);
> }
> 
>    Change the bounce message to your liking.  Some may choose to let the
> spammer guess why his mail was rejected.  Also, thanks to the person that
> posted the regular expression to check for an IP address.
> 
> Jim
> *-------------------------------------------------------------------------*
> * James H. McCullars                 I Phone: (256) 824-2610              *
> * Director of Systems & Operations   I Fax:   (256) 824-6643              *
> * Computer & Network Services        I Internet: mccullj at email.uah.edu    *
> * The University of Alabama          I -----------------------------------*
> *    in Huntsville                   I                                    *
> * Huntsville, AL 35899               I This space for rent - CHEAP!       *
> *-------------------------------------------------------------------------*
> 

I've often used the regex above for matching IPs, but it's actually
incorrect. It will also match 999.999.999.999, which is NOT a valid IP, and
many others.

The following regexp is slower and will make your code a bit harder to
read, but it will only match valid IPv4 addresses:
/^(0?0?\d|[01]?\d\d|2[0-4]\d|25[0-5])\.(0?0?\d|[01]?\d\d|2[0-4]\d|25[0-5])\.(0?0?\d|[01]?\d\d|2[0-4]\d|25[0-5])\.(0?0?\d|[01]?\d\d|2[0-4]\d|25[0-5])$/

Maybe it'll be of use to someone here. It can also be modified so you can
include ranges of IPs more easily (like a CIDR /26 allocation) to verify stuff
in your own block.
Another way to do that which is more readable is to do a split(/\./) on
the IP and check each octet to make sure it's in the range you want it in
(0-255 for standard IPv4).

--
Josh I.
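The "split on dots and range-check each octet" approach, combined with Jim's relay-address comparison, written out as a complete filter_relay hook. This is an added example, not code from either post or from MIMEDefang itself: the hook's argument list and its (0, message) / (1) return convention are taken from Jim's snippet above, while parse_ipv4, the handling of bracketed address literals and the sample HELO strings are my own.

```perl
#!/usr/bin/perl
# Added example (not from either post): validate an IPv4-looking HELO by
# splitting on dots and range-checking each octet, then compare it with the
# real relay address.  filter_relay's signature and return values follow
# Jim's snippet; parse_ipv4 and the test inputs below are assumptions.
use strict;
use warnings;

# Return the canonical dotted quad (leading zeros stripped) if $s is a
# syntactically valid IPv4 address, otherwise undef.
sub parse_ipv4 {
    my ($s) = @_;
    return undef unless defined $s;
    my @octets = split /\./, $s, -1;        # -1 keeps trailing empty fields
    return undef unless @octets == 4;
    for my $o (@octets) {
        return undef unless $o =~ /^\d{1,3}$/;  # one to three digits only
        return undef if $o > 255;               # 256..999 are not octets
    }
    return join '.', map { $_ + 0 } @octets;    # "192.000.002.010" -> "192.0.2.10"
}

# $ip is the real relay address, $helo the string it sent in HELO/EHLO.
sub filter_relay {
    my ($ip, $name, $helo) = @_;

    # RFC 2821 permits an address literal in brackets, e.g. "[192.0.2.10]";
    # strip the brackets before comparing.
    (my $claimed = $helo) =~ s/^\[(.*)\]$/$1/;

    my $claimed_ip = parse_ipv4($claimed);
    if (!defined $claimed_ip) {
        # Digits and dots that do not form an address (999.999.999.999,
        # 1.2.3) are an obvious forgery; anything else is a host name and
        # is left to other checks.
        return (1) unless $claimed =~ /^[\d.]+$/;
        return (0, "Malformed IP address in HELO: $helo");
    }

    my $real_ip = parse_ipv4($ip);
    $real_ip = $ip unless defined $real_ip;     # e.g. an IPv6 relay
    if ($claimed_ip ne $real_ip) {
        return (0, "Header forgery attempt, $ip claims to be $helo");
    }
    return (1);
}

# Constructed sample HELO strings (not real log data) and the expected verdict.
my @cases = (
    ['192.0.2.10', 'mail.example.com', 1],
    ['192.0.2.10', '192.0.2.10',       1],
    ['192.0.2.10', '[192.0.2.10]',     1],
    ['192.0.2.10', '192.000.002.010',  1],  # zero-padded but same address
    ['192.0.2.10', '10.0.0.1',         0],  # does not match the relay
    ['192.0.2.10', '999.999.999.999',  0],  # matches \d{1,3} but is not an IP
    ['192.0.2.10', '1.2.3',            0],  # too few octets
);
for my $c (@cases) {
    my ($ip, $helo, $want) = @$c;
    my ($ok, $msg) = filter_relay($ip, 'relay.example', $helo);
    printf "%-17s -> %d (expected %d)%s\n", $helo, $ok, $want,
        defined $msg ? "  $msg" : '';
}
```

Two points the octet check makes easier than the regex alone: canonicalising each octet with `$_ + 0` means a zero-padded HELO such as 192.000.002.010 still compares equal to the relay's 192.0.2.10 instead of being flagged as a forgery, and an address literal in brackets is the form RFC 2821 actually allows, so a rule that rejects every IP-shaped HELO outright also rejects some conforming clients; the comparison against the real relay address does not have that problem.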