[Mimedefang] $helo filter checks

Richard Earley richard.earley at cihub.com
Thu Oct 2 08:18:07 EDT 2003


Some systems use 123.45.6.7 where others would use 123.045.006.007. Yuck!

We use these routines to convert ip to integer to eliminate leading 0's.

	# convert INT to IP quad
	sub int2quad
	{
	        return join('.',unpack('C4', pack("N", $_[0])));
	}

	# convert IP quad to INT
	sub quad2int
	{
	        return unpack("N", pack("C4", split(/\./, $_[0])));
	}

Multiple code snippets like this are then called from the "helo" checking
filter (where $int is already converted from the IP to check).

    # X.X.X.X <---> Y.Y.Y.Y
    $start = quad2int("X.X.X.X");
    $end = quad2int("Y.Y.Y.Y");
    if ( $start <= $int and $int <= $end ) {
        return (1);
    }



-----Original Message-----
From: mimedefang-admin at lists.roaringpenguin.com
[mailto:mimedefang-admin at lists.roaringpenguin.com]On Behalf Of Philip
Clever
Sent: Wednesday, October 01, 2003 10:50 PM
To: mimedefang at lists.roaringpenguin.com
Subject: [Mimedefang] $helo filter checks


Hello,

I have installed the following code to combat HELO spoofing under sub
filter_relay:

 elsif ($helo =~ /mydomain\.net$/i) {
        if ($hostip ne '127.0.0.1' or
        $hostip !~ /^xx\.xx\.xxx\.\d{1,3}$/ or
        $hostip !~ /^xx\.xx\.xxx\.\d{1,3}$/ or
        $hostip !~ /^xx\.xx\.xxx\.\d{1,3}$/ or
        $hostip !~ /^xx\.xx\.xxx\.\d{1,3}$/ or
        $hostip !~ /^xx\.xx\.xxx\.\d{1,3}$/ or
        $hostip !~ /^xx\.xx\.xxx\.\d{1,3}$/ or
        $hostip !~ /^xx\.xxx\.xxx\.\d{1,3}$/ or
        $hostip !~ /^xx\.xxx\.xxx\.\d{1,3}$/) {
                return (0, "Connect rejected! - $hostip is not mydomain.net");
        }
    }

This works great!  I was getting at least 10 spams a day because of HELO
spoofing and now I get none.  But here is some weird behavior I have seen in
the logs:

First, when I receive an email from the MIME Defang list it gets rejected
saying 127.0.0.1 is not mydomain.net.  Secondly, some of our users with
Netscape and some versions of Eudora get rejected even though their ip is
ours, and should match up.  We figure that must be some mail client
weirdness.  I know others have implemented this filter strategy and was
wondering if they had run into this or know of any workarounds.

Thanks,

Philip
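
The range check from the reply applied to the HELO test from the original message, as an added example (not code from either poster or from MIMEDefang). The helper name helo_ip_allowed, the stricter quad2int and the address ranges are assumptions made for illustration; the ranges are constructed from documentation address space.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed sample ranges (documentation address space), not from the post.
my @ALLOWED = (
    [ '127.0.0.1',     '127.0.0.1'     ],
    [ '192.0.2.0',     '192.0.2.255'   ],
    [ '198.51.100.16', '198.51.100.31' ],
);

# Convert a dotted quad to an integer; returns undef unless it is four
# decimal octets in 0..255. Leading zeros ("192.000.002.007") are read as
# decimal, so both spellings of an address compare equal.
sub quad2int {
    my ($quad) = @_;
    return undef unless defined $quad
        && $quad =~ /\A([0-9]{1,3})\.([0-9]{1,3})\.([0-9]{1,3})\.([0-9]{1,3})\z/;
    my @octets = ($1, $2, $3, $4);
    return undef if grep { $_ > 255 } @octets;
    return unpack('N', pack('C4', @octets));
}

# Hypothetical helper: true if $hostip may announce a HELO in our domain.
sub helo_ip_allowed {
    my ($helo, $hostip) = @_;
    # Anchor on a label boundary so "notmydomain.net" is not treated as ours.
    return 1 unless $helo =~ /(?:\A|\.)mydomain\.net\z/i;
    my $int = quad2int($hostip);
    return 0 unless defined $int;                    # unparseable address: reject
    for my $range (@ALLOWED) {
        my ($start, $end) = map { quad2int($_) } @$range;
        return 1 if $start <= $int && $int <= $end;  # inside any one range: accept
    }
    return 0;                                        # inside none of them: reject
}

# Constructed test connections: HELO name and connecting address.
for my $case (
    [ 'mail.mydomain.net', '192.000.002.007' ],
    [ 'mail.mydomain.net', '127.0.0.1'       ],
    [ 'mail.mydomain.net', '203.0.113.9'     ],
    [ 'mydomain.net',      '198.51.100.32'   ],
    [ 'notmydomain.net',   '203.0.113.9'     ],
) {
    my ($helo, $ip) = @$case;
    printf "%-18s %-16s %s\n", $helo, $ip,
        helo_ip_allowed($helo, $ip) ? 'accept' : 'reject';
}
```

The loop accepts as soon as one range matches and rejects only after every range has been tried, so adding a range never causes addresses in the existing ranges to be refused.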
