[Mimedefang] $helo filter checks
Richard Earley
richard.earley at cihub.com
Thu Oct 2 08:18:07 EDT 2003
Some systems use 123.45.6.7 where others would use 123.045.006.007. Yuck!
We use these routines to convert IP to integer to eliminate leading 0's.

    # convert INT to IP quad
    sub int2quad
    {
        return join('.', unpack('C4', pack("N", $_[0])));
    }

    # convert IP quad to INT
    sub quad2int
    {
        return unpack("N", pack("C4", split(/\./, $_[0])));
    }

Multiple code snippets like this are then called from the "helo" checking
filter (where $int is already converted from the IP to check).

    # X.X.X.X <---> Y.Y.Y.Y
    $start = quad2int("X.X.X.X");
    $end = quad2int("Y.Y.Y.Y");
    if ( $start <= $int and $int <= $end ) {
        return (1);
    }

-----Original Message-----
From: mimedefang-admin at lists.roaringpenguin.com
[mailto:mimedefang-admin at lists.roaringpenguin.com]On Behalf Of Philip
Clever
Sent: Wednesday, October 01, 2003 10:50 PM
To: mimedefang at lists.roaringpenguin.com
Subject: [Mimedefang] $helo filter checks
Hello,
I have installed the following code to combat HELO spoofing under sub
filter_relay:

    elsif ($helo =~ /mydomain\.net$/i) {
        if ($hostip ne '127.0.0.1' or
            $hostip !~ /^xx\.xx\.xxx\.\d{1,3}$/ or
            $hostip !~ /^xx\.xx\.xxx\.\d{1,3}$/ or
            $hostip !~ /^xx\.xx\.xxx\.\d{1,3}$/ or
            $hostip !~ /^xx\.xx\.xxx\.\d{1,3}$/ or
            $hostip !~ /^xx\.xx\.xxx\.\d{1,3}$/ or
            $hostip !~ /^xx\.xx\.xxx\.\d{1,3}$/ or
            $hostip !~ /^xx\.xxx\.xxx\.\d{1,3}$/ or
            $hostip !~ /^xx\.xxx\.xxx\.\d{1,3}$/) {
            return (0, "Connect rejected! - $hostip is not mydomain.net");
        }
    }

This works great! I was getting at least 10 spams a day because of HELO
spoofing and now I get none. But here is some weird behavior I have seen in
the logs:
First, when I receive an email from the MIME Defang list it gets rejected
saying 127.0.0.1 is not mydomain.net. Secondly, some of our users with
Netscape and some versions of Eudora get rejected even though their ip is
ours, and should match up. We figure that must be some mail client
weirdness. I know others have implemented this filter strategy and was
wondering if they had run into this or know of any workarounds.
Thanks,
Philip
_______________________________________________
MIMEDefang mailing list
MIMEDefang at lists.roaringpenguin.com
http://lists.roaringpenguin.com/mailman/listinfo/mimedefang
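
Added example, not code from either message: the integer range check from the reply applied to the HELO test in the original post, next to a two-term version of the `or` chain to show how each treats the same addresses. The ranges are constructed documentation networks standing in for the redacted ones, and `ip_is_ours`, `helo_spoofed` and `or_chain_rejects` are hypothetical helper names.

```perl
use strict;
use warnings;

# Dotted quad -> integer. pack('C4') reads "045" as 45, so zero-padded
# and plain forms give the same value. Returns undef for malformed input.
sub quad2int {
    my ($ip) = @_;
    my @o = split /\./, (defined $ip ? $ip : ''), -1;
    return undef if @o != 4;
    return undef if grep { !/^[0-9]{1,3}\z/ || $_ > 255 } @o;
    return unpack('N', pack('C4', @o));
}

# Constructed allow-list (assumption): [start, end] pairs, inclusive.
my @OWN_RANGES = (
    [ '127.0.0.1',    '127.0.0.1'      ],
    [ '192.0.2.0',    '192.0.2.255'    ],
    [ '198.51.100.0', '198.51.100.255' ],
);

# True if the address falls inside any allowed range.
sub ip_is_ours {
    my $int = quad2int($_[0]);
    return 0 unless defined $int;
    for my $r (@OWN_RANGES) {
        my $start = quad2int($r->[0]);
        my $end   = quad2int($r->[1]);
        return 1 if $start <= $int && $int <= $end;
    }
    return 0;
}

# Reject only when the HELO claims our domain and the IP is not ours.
sub helo_spoofed {
    my ($hostip, $helo) = @_;
    return 0 unless $helo =~ /mydomain\.net$/i;
    return ip_is_ours($hostip) ? 0 : 1;
}

# Two terms of the "or" chain: no address can equal 127.0.0.1 and also
# match the network pattern, so at least one term is always true.
sub or_chain_rejects {
    my ($hostip) = @_;
    my $reject = ($hostip ne '127.0.0.1' or $hostip !~ /^192\.0\.2\.\d{1,3}$/);
    return $reject ? 1 : 0;
}

for my $ip (qw(127.0.0.1 192.0.2.25 192.000.002.025 203.0.113.9)) {
    printf "%-16s or-chain=%d range-check=%d\n", $ip,
        or_chain_rejects($ip), helo_spoofed($ip, 'mail.mydomain.net');
}
```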