[Mimedefang] New spammer trick?

David F. Skoll dfs at roaringpenguin.com
Tue Nov 25 15:44:49 EST 2003


On Tue, 25 Nov 2003, Jon R. Kibler wrote:

> Can you share your code for filter relay based on HELO?

Sure; piece of cake:

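sub filter_relay {
    my($hostip, $hostname, $helo) = @_;
    # Reject any client whose HELO is roaringpenguin.com or a host beneath it
    # (the (?:^|\.) anchor keeps names like "notroaringpenguin.com" from matching).
    if ($helo =~ /(?:^|\.)roaringpenguin\.com$/i) {
        return('REJECT', "Go away... $hostip is not a roaringpenguin.com machine");
    }
    # Everyone else is processed normally.
    return('CONTINUE', 'ok');
}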

NOTE:  This machine is only used for INBOUND mail coming from EXTERNAL
sources.  There is *never* a valid reason for a roaringpenguin.com machine
to try to relay through it.

> How much legit mail will that end up rejecting?

None, I would imagine.  I can't imagine any possible reason for someone
else's machine to identify itself as "roaringpenguin.com".

> I see a lot of systems where they may say HELO xyz.com and it really
> be from xyz.com, but the hostname would be some ISP reverse DNS
> hostname, such as z.y.x.w.qrst.com and the IP be w.x.y.z -- how would
> your filter handle this?

I only check for the specific case of a machine I know I don't own claiming
to be a roaringpenguin.com machine.

Regards,

David.
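
An added example, not part of the original post or of MIMEDefang itself: the same HELO check generalized to several domains, with connections from the site's own networks exempted for hosts that also see internal mail. The domain list, the network list and the helper names (ip2int, is_own_ip, helo_claims_own_domain) are assumptions; the sample connections at the end are constructed.

```perl
use strict;
use warnings;

# Assumptions (not from the original post): placeholder domains and
# documentation-range networks standing in for "machines we own".
my @OWN_DOMAINS = ('example.com', 'example.net');
my @OWN_NETS    = ('192.0.2.0/24', '127.0.0.0/8');

# Convert a dotted-quad IPv4 address to an integer.
sub ip2int { return unpack('N', pack('C4', split(/\./, $_[0]))); }

# True if $ip is inside one of @OWN_NETS (IPv4 only; anything else is external).
sub is_own_ip {
    my ($ip) = @_;
    return 0 unless $ip =~ /^\d{1,3}(?:\.\d{1,3}){3}$/;
    for my $cidr (@OWN_NETS) {
        my ($net, $bits) = split m{/}, $cidr;
        my $mask = $bits ? (0xFFFFFFFF << (32 - $bits)) & 0xFFFFFFFF : 0;
        return 1 if (ip2int($ip) & $mask) == (ip2int($net) & $mask);
    }
    return 0;
}

# True if the HELO argument is one of our domains or a host beneath one.
sub helo_claims_own_domain {
    my ($helo) = @_;
    $helo =~ s/\.$//;    # ignore a trailing root dot
    for my $d (@OWN_DOMAINS) {
        return 1 if $helo =~ /(?:^|\.)\Q$d\E$/i;   # match on a label boundary
    }
    return 0;
}

sub filter_relay {
    my ($hostip, $hostname, $helo) = @_;
    if (!is_own_ip($hostip) && helo_claims_own_domain($helo // '')) {
        return ('REJECT', "Go away... $hostip is not one of our machines");
    }
    return ('CONTINUE', 'ok');
}

# Constructed sample connections: [connecting IP, reverse DNS name, HELO]
for my $c (['203.0.113.7', 'z.y.x.w.isp.example', 'example.com'],
           ['203.0.113.7', 'z.y.x.w.isp.example', 'mail.EXAMPLE.net.'],
           ['203.0.113.8', 'mx.notexample.com',   'notexample.com'],
           ['192.0.2.25',  'smtp.example.com',    'smtp.example.com']) {
    my ($verdict) = filter_relay(@$c);
    printf "%-12s HELO %-20s -> %s\n", $c->[0], $c->[2], $verdict;
}
```

The first two sample connections are rejected; the look-alike domain and the internal host continue. The reverse DNS name is never consulted, so a client that announces its own domain from an ISP-named address is unaffected.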
