[Mimedefang] $helo versus $ip
Matt Cramer
mscramer at armstrong.com
Tue Feb 3 09:05:06 EST 2004
On Tue, 3 Feb 2004, Jack Olszewski wrote:
> In the archives of this list I can't find anything on possible checks
> of $helo versus $ip in filter_relay. What about finding the address of
> the host given as $helo, and matching it against $ip? Would it be safe
> to reject the message if they do not match? For instance (not tested
> in mimedefang-filter yet):
[...]
This will yield many false positives. Here is what I do:

* Reject mail from outside relays who HELO as one of my domains.
* Reject mail from outside relays who HELO as one of my networks, with or
  without brackets (e.g. "204.74.20.1" and "[204.74.20.1]").
* Reject mail from outside relays who HELO as a string that isn't a domain
  or an address. I just check for a "." in the string. An amazing
  amount of ratware issues "HELO hjdjhdf" etc. I've had a few false
  positives where the server was just doing "HELO servername" and in all
  cases the admin of the sending server has corrected it.

Matt
--
Matthew S. Cramer <mscramer at armstrong.com> Office: 717-396-5032
Infrastructure Security Analyst Fax: 717-396-5590
Armstrong World Industries, Inc. Cell: 717-917-7099
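
The three checks listed in the reply above, written as one Perl helper. This is an added example, not code from the original post or from MIMEDefang: the domain, network and sample values are constructed, and the names check_helo, in_my_nets and ip_to_int are hypothetical. It returns the ('REJECT', reason) or ('CONTINUE', 'ok') pair that a MIMEDefang hook receiving the HELO string, such as filter_sender, can return directly.

```perl
use strict;
use warnings;

# Constructed placeholder values: replace with your own domains and networks.
my @MY_DOMAINS = ('example.com');
my @MY_NETS    = (['192.0.2.0', 24]);    # [base address, prefix length]

# Dotted quad -> integer; returns undef when the string is not valid IPv4.
sub ip_to_int {
    my ($ip) = @_;
    return unless defined $ip && $ip =~ /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})\z/;
    return if grep { $_ > 255 } ($1, $2, $3, $4);
    return ($1 << 24) | ($2 << 16) | ($3 << 8) | $4;
}

# True when the string is an IPv4 address inside one of @MY_NETS.
sub in_my_nets {
    my ($ip) = @_;
    my $n = ip_to_int($ip);
    return 0 unless defined $n;
    for my $net (@MY_NETS) {
        my ($base, $bits) = @$net;
        my $mask = $bits ? (0xFFFFFFFF << (32 - $bits)) & 0xFFFFFFFF : 0;
        return 1 if ($n & $mask) == (ip_to_int($base) & $mask);
    }
    return 0;
}

# Apply the three HELO checks to a connection from $relay_ip.
sub check_helo {
    my ($helo, $relay_ip) = @_;
    return ('CONTINUE', 'ok') if in_my_nets($relay_ip);    # only outside relays are checked
    $helo = '' unless defined $helo;
    (my $name = lc $helo) =~ s/^\[(.*)\]\z/$1/;             # "[a.b.c.d]" -> "a.b.c.d"
    $name =~ s/\.\z//;                                      # drop a trailing root dot
    for my $d (@MY_DOMAINS) {    # assumption: subdomains count as "one of my domains"
        return ('REJECT', "HELO $helo is one of our domains") if $name eq $d || $name =~ /\.\Q$d\E\z/;
    }
    return ('REJECT', "HELO $helo is one of our addresses") if in_my_nets($name);
    return ('REJECT', "HELO $helo is not a domain or an address") if index($name, '.') < 0;
    return ('CONTINUE', 'ok');
}

# Constructed sample (HELO string, relay IP) pairs.
for my $t (['example.com', '198.51.100.7'], ['[192.0.2.1]', '198.51.100.7'], ['hjdjhdf', '198.51.100.7'],
           ['mail.example.org', '198.51.100.7'], ['example.com', '192.0.2.25']) {
    my ($verdict, $why) = check_helo(@$t);
    printf "%-18s from %-13s => %s (%s)\n", @$t, $verdict, $why;
}
```

An IPv6 address literal such as "[IPv6:2001:db8::1]" contains no ".", so the dot-only test rejects it; allow that form explicitly if you accept mail over IPv6.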