[Mimedefang] Re: filter_relay not working

Jeremy Mates jmates at sial.org
Fri May 9 11:30:01 EDT 2003


* Joseph Brennan <brennan at columbia.edu>
> Not safe at all.  You'll drop a lot of "legit" mail including mail
> submitted to your server from certain PC mail clients.

The only client I've seen use an IP address is Eudora; it uses the
"strongly discouraged" (RFC 822, section 6.2.3) domain literal format
for the helo argument.  We have hostnames for all client systems at
work, which may be a factor.  I have seen spammers in small numbers
(4-10/day) forge the helo argument to either be an IP address unrelated
to their actual one, or that of one of the MX they are sending to, or to
use the domain name of the MX server being sent to: I block these.

I've seen unqualified domains from both spammers and from certain
legitimate sources (email receipts from an online store system), so
blocking unqualified helo arguments will result in false positives,
though the exact number will depend on how many legitimate misconfigured
systems you do mail with.  Either take the RFC-ignorant approach and
block the mail, or factor the unqualified domain into other checks.

As always, logging without blocking works well to build up statistics.
The following is for a filter_* routine that has the helo argument in
$helo, and where the %SendmailMacros are being passed in early via a
custom patch.  Some of the checks are very loose, like the IP address
one, and some rare spammers use ".." or similar utterly bogus data as
the helo argument.

  # helo is IP address.  possible false positives, though they
  # should be using [192.0.2.1] literal domain format
  if ( $helo =~ /^[\d.]+$/ ) {
    if ( $helo ne $ip ) {
      if (defined $SendmailMacros{if_addr} and $helo eq $SendmailMacros{if_addr}) {
        md_syslog('info', "MDLOG,$MsgID,heloipforge,$helo,$ip");
        return 'REJECT', 'reject: invalid HELO argument ' . $helo;
      } else {
        md_syslog('info', "MDLOG,$MsgID,heloipwrong,$helo,$ip");
        return 'REJECT', 'reject: invalid HELO argument ' . $helo;
      }
    } else {
      md_syslog('info', "MDLOG,$MsgID,heloip,$helo,$ip");
    }
  } elsif ( $helo !~ /(?i)[a-z0-9]\.[a-z0-9]/ ) {
    # helo unqualified domain
    md_syslog('info', "MDLOG,$MsgID,unqualhelo,$helo,$ip");
  } elsif ( defined $SendmailMacros{if_name} and $helo eq $SendmailMacros{if_name}) {
    # helo was this system, but not this system
    md_syslog('info', "MDLOG,$MsgID,ourhelo,$helo,$ip");
    return 'REJECT', 'reject: invalid HELO argument ' . $helo;
  }
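
Added example, not part of the original post: a Python tally of the MDLOG lines the snippet above writes, for the log-before-blocking approach it describes. The sample log lines, message IDs and addresses are constructed and the syslog prefix is an assumption; the HELO field is isolated by splitting from both ends because it is sender-controlled and can contain commas.

```python
import re
from collections import Counter, defaultdict

# Constructed sample syslog lines (not real traffic); message IDs, host name
# and addresses are made up, using documentation IP ranges.
SAMPLE_LOG = """\
May  9 11:02:11 mx1 mimedefang.pl[411]: MDLOG,h49F2BaA001,heloip,192.0.2.10,192.0.2.10
May  9 11:02:40 mx1 mimedefang.pl[411]: MDLOG,h49F2eaA002,heloipwrong,198.51.100.7,203.0.113.5
May  9 11:03:02 mx1 mimedefang.pl[412]: MDLOG,h49F32aA003,heloipforge,192.0.2.1,203.0.113.9
May  9 11:03:15 mx1 mimedefang.pl[412]: MDLOG,h49F3FaA004,unqualhelo,shop01,198.51.100.20
May  9 11:03:30 mx1 mimedefang.pl[413]: MDLOG,h49F3UaA005,unqualhelo,a,,b,203.0.113.5
May  9 11:04:01 mx1 mimedefang.pl[413]: MDLOG,h49F41aA006,ourhelo,mx1.example.org,203.0.113.9
May  9 11:04:05 mx1 sendmail[500]: h49F45aA007: from=<x@example.net>, relay=[203.0.113.9]
"""

def parse_mdlog(line):
    """Return (msgid, tag, helo, ip), or None if the line is not an MDLOG record."""
    m = re.search(r"MDLOG,(.*)$", line)
    if not m:
        return None
    # Take msgid and tag from the left and the relay IP from the right;
    # whatever remains in the middle is the HELO argument, commas included.
    try:
        msgid, tag, rest = m.group(1).split(",", 2)
        helo, ip = rest.rsplit(",", 1)
    except ValueError:
        return None  # too few fields to be a complete record
    return msgid, tag, helo, ip

def summarize(log_text):
    """Tally records per tag and, per relay IP, the tags seen from that IP."""
    per_tag = Counter()
    per_ip = defaultdict(Counter)
    for line in log_text.splitlines():
        rec = parse_mdlog(line)
        if rec is None:
            continue
        _, tag, _, ip = rec
        per_tag[tag] += 1
        per_ip[ip][tag] += 1
    return per_tag, per_ip

if __name__ == "__main__":
    tags, ips = summarize(SAMPLE_LOG)
    for tag, n in tags.most_common():
        print(f"{tag:12} {n}")
    for ip, seen in sorted(ips.items()):
        print(ip, dict(seen))
```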


