[Mimedefang] RE: What to do w/ SPAM? (ip address regex)
perlrtst at ml1.net
Mon Sep 23 14:47:01 EDT 2002
> Date: Mon, 23 Sep 2002 10:18:03 -0500 (CDT)
> From: Jim McCullars <jim at info.uah.edu>
> To: mimedefang at lists.roaringpenguin.com
> Subject: RE: [Mimedefang] What to do w/ SPAM?
> Reply-To: mimedefang at lists.roaringpenguin.com
>
>
>
> On Sun, 22 Sep 2002, David F. Skoll wrote:
>
> > I also use the HELO trick raised by Jim McCullars in posting
> > http://lists.roaringpenguin.com/pipermail/mimedefang/2002-August/001949.html
> > I find it catches 4-5 spammers per week.
>
> There's another good use for looking at the HELO string - a forged IP
> address. I've found that spammers will occasionally put in a phony IP
> address (rather than just a phony name). One could be ultra-restrictive
> (as I plan to be) and reject outright any mail with a HELO string that
> looks like an IP address, or cut them a little slack and reject it only if
> it doesn't match the real relay address.
>
> I haven't tested this yet, but it should work:
>
> sub filter_relay {
>     my($ip, $name, $helo) = @_;
>     #
>     # This would be a most restrictive check...
>     if ($helo =~ /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/) {
>         return (0, "Please use your host name when saying HELO");
>     }
>     #
>     # or maybe reject only when it's an obvious forgery...
>     if (($helo =~ /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/) &&
>         ($ip ne $helo)) {
>         return (0, "Header forgery attempt, $ip claims to be $helo");
>     }
>     return (1);
> }
>
> Change the bounce message to your liking. Some may choose to let the
> spammer guess why his mail was rejected. Also, thanks to the person that
> posted the regular expression to check for an IP address.
>
> Jim
> *-------------------------------------------------------------------------*
> * James H. McCullars I Phone: (256) 824-2610 *
> * Director of Systems & Operations I Fax: (256) 824-6643 *
> * Computer & Network Services I Internet: mccullj at email.uah.edu *
> * The University of Alabama I -----------------------------------*
> * in Huntsville I *
> * Huntsville, AL 35899 I This space for rent - CHEAP! *
> *-------------------------------------------------------------------------*
>
I've often used the regex above for matching IPs, but it's actually
incorrect. It will also match 999.999.999.999, which is NOT a valid IP, and
many others.
The following regexp is slower and will make your code a bit harder to
read, but it will only match valid IPv4 addresses:
/^(0?0?\d|[01]?\d\d|2[0-4]\d|25[0-5])\.(0?0?\d|[01]?\d\d|2[0-4]\d|25[0-5])\.(0?0?\d|[01]?\d\d|2[0-4]\d|25[0-5])\.(0?0?\d|[01]?\d\d|2[0-4]\d|25[0-5])$/
Maybe it'll be of use to someone here. It can also be modified so you can
include ranges of IPs more easily (like a CIDR /26 allocation) to verify stuff
in your own block.
Another way to do that which is more readable is to do a split(/\./) on
the IP and check each octet to make sure it's in the range you want it in
(0-255 for standard IPv4).
--
Josh I.
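As an added example (not Jim's or Josh's code, and not part of MIMEDefang itself), here is Josh's split-and-range-check approach wired into Jim's "obvious forgery" variant of filter_relay. The helper name is_ipv4 is mine; the sample connections are constructed; $ip is assumed to be a plain dotted-quad string as MIMEDefang passes it; and brackets around an RFC 2821 address literal ("[192.0.2.10]") are stripped before comparing, since a client that says HELO with its own address in that form is behaving correctly.

```perl
#!/usr/bin/perl
# Added example, not code from the original posts: validate a HELO
# argument as IPv4 by splitting on dots and range-checking each octet,
# then reject only when that address is not the real relay address.
use strict;
use warnings;

# Return 1 if $str is a dotted quad with every octet in 0..255, else 0.
# Split-and-check instead of a long regex, as suggested in the reply.
sub is_ipv4 {
    my ($str) = @_;
    return 0 unless defined $str;
    my @octets = split /\./, $str, -1;   # -1 keeps trailing empty fields
    return 0 unless @octets == 4;
    for my $o (@octets) {
        return 0 unless $o =~ /^\d{1,3}$/;   # digits only, so "999" is seen
        return 0 if $o > 255;               # ... and then rejected here
    }
    return 1;
}

# MIMEDefang calls filter_relay($ip, $name, $helo).  Assumption: $ip is a
# plain IPv4 string.  A HELO that is an IP address is normally written as
# the RFC 2821 address literal "[a.b.c.d]"; the bare form is accepted too,
# but either way it must match the connecting host's own address.
sub filter_relay {
    my ($ip, $name, $helo) = @_;
    my $claimed = $helo;
    $claimed =~ s/^\[(.*)\]$/$1/;          # strip address-literal brackets
    if (is_ipv4($claimed) && $claimed ne $ip) {
        return (0, "Header forgery attempt, $ip claims to be $helo");
    }
    return (1);
}

# Constructed sample connections (relay IP, reverse name, HELO string).
# The last one is not a valid IPv4 address at all, so it is not treated
# as a forged address by this check.
for my $case (['192.0.2.10', 'mail.example.test', 'mail.example.test'],
              ['192.0.2.10', 'mail.example.test', '[192.0.2.10]'],
              ['192.0.2.10', 'mail.example.test', '10.0.0.1'],
              ['192.0.2.10', 'mail.example.test', '999.999.999.999']) {
    my ($ok, $msg) = filter_relay(@$case);
    printf "%-12s HELO %-20s -> %s\n", $case->[0], $case->[2],
        $ok ? "accept" : "reject ($msg)";
}
```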