[Mimedefang] Testing HELO
Lucas Albers
admin at cs.montana.edu
Tue Oct 14 14:10:25 EDT 2003
If you do a hostname match on the first 3 octets you get pretty good results.
A few machines will say they are a different IP address on the same
subnet; I assume they are just firewalled and should accept their traffic.
But I reject it anyway.
In /usr/bin/mimedefang.pl we have this beautiful function:
sub filter_relay {
    my($ip, $name, $helo) = @_;
    return(1, "OK") if ($ip eq "127.0.0.1"); # no further checking if localhost
    # or maybe reject only when it's an obvious forgery...
    # note: (.) matches any single character here, not only a literal dot
    if (($helo =~ /^(\d{1,3})(.)(\d{1,3})(.)(\d{1,3})(.)(\d{1,3})$/) &&
        ($ip ne $helo)) {
        return (0, "Header forgery attempt, $ip claims to be $helo")
    }
    return(1, "OK");
}
If I wanted to just match on the first three octets, would I use this line?
if (($helo =~ /^(\d{1,3})(.)(\d{1,3})(.)(\d{1,3})(.)/) &&
>>Most of what this gets is spam, as I expected. But amazingly,
>>some legit hosts HELO with an IP that is not their own. Or
>>not so amazingly maybe.
>
> I would assume that what you see is a result of internally homed mail
> exchangers being translated to a public address space by a firewall or NAT
> device. They announce themselves by their internal address, but they
> would access the Internet using their translated address.
>
> BTW--I also filter for bogus HELO's, but I only reject when someone claims
> to be my IP address or FQDN. Since I'm homed using a public address, I
> know they can't be using that address or name themselves :-)
>
>
> --Geoff Thornton
> NetWorks Group
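The first-three-octets check asked about above, written out as an added Perl example (not code from mimedefang.pl or from anyone on the list): it escapes the dots, rejects octets over 255, accepts the bracketed [a.b.c.d] address-literal form, and only has an opinion when the HELO is numeric. Everything beyond filter_relay's ($ip, $name, $helo) signature is my own naming.

```perl
# Added example, not the mimedefang.pl code quoted above: a filter_relay
# that rejects a numeric HELO only when it lies outside the /24 of the
# connecting address (the "first three octets" match from the post).
use strict;
use warnings;

# Parse a dotted quad (optionally in [a.b.c.d] address-literal form)
# into four octets; returns an empty list for anything that is not one.
# Dots are escaped: the quoted regex's (.) matches any character.
sub parse_ipv4 {
    my ($s) = @_;
    return () unless defined $s;
    $s =~ s/^\[(.*)\]$/$1/;             # strip address-literal brackets
    return () unless $s =~ /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/;
    my @o = ($1, $2, $3, $4);
    return () if grep { $_ > 255 } @o;  # 300.1.1.1 is not an address
    return @o;
}

sub filter_relay {
    my ($ip, $name, $helo) = @_;
    return (1, "OK") if $ip eq "127.0.0.1";   # skip checks for localhost

    my @h = parse_ipv4($helo);
    return (1, "OK") unless @h;               # not a numeric HELO: no opinion
    my @c = parse_ipv4($ip);
    return (1, "OK") unless @c;               # non-IPv4 peer: leave alone

    # Same /24 as the connecting address: treat as NAT/firewalled and accept.
    if ($h[0] == $c[0] && $h[1] == $c[1] && $h[2] == $c[2]) {
        return (1, "OK");
    }
    return (0, "Header forgery attempt, $ip claims to be $helo");
}

# Quick self-check with constructed (documentation-range) addresses.
for my $case (["192.0.2.10", "192.0.2.10"],     # exact match
              ["192.0.2.10", "192.0.2.77"],     # same /24, accepted
              ["192.0.2.10", "[192.0.2.77]"],   # bracketed literal, same /24
              ["192.0.2.10", "198.51.100.5"],   # different network, rejected
              ["192.0.2.10", "mail.example.com"]) {   # not numeric, accepted
    my ($code, $msg) = filter_relay($case->[0], "peer.example", $case->[1]);
    printf "%-12s HELO %-18s => %d %s\n", $case->[0], $case->[1], $code, $msg;
}
```

Dropping this into the filter replaces the exact-string compare with a per-octet one, so a NATed exchanger announcing its translated-subnet address is accepted while a HELO from an unrelated network is still refused.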