[Mimedefang] filter-relay, rejection on bogus helo

Joseph Brennan brennan at columbia.edu
Wed Jan 7 11:11:57 EST 2004


>> You could make the assumption that the helo (if an ip) string should
>> match the ip address on the first 3 octets of the address?
>> $helo = xxx.xxx.xxx = $ip = xxx.xxx.xxx
>
> Not necessarily.  It's quite reasonable that a system with multiple IP
> addresses would have addresses in different subnetworks.


I want to second the suggestion already made of rejecting mail that
says HELO with the IP of your own host.  That should never happen.
There is at least one popular spam package that does this, so you
get considerable efficiency out of rejecting it in Mimedefang and
never sending it to Spamassassin.

We reject about 10,000 a day that say HELO with columbia.edu's IP
address, and have done so for about a year now, thus about three
and a half million messages.  None of those rejections has ever
been the subject of a complaint from our users or from senders.

In filter_begin()

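    # Don't tell us you are us: reject a HELO that claims one of our own IPs.
    # The digit boundaries keep 128.59.59.23 from also matching 128.59.59.230-239.
    if ($Helo =~ /(?<!\d)(?:128\.59\.59\.105|128\.59\.59\.23)(?!\d)/) {
        md_graphdefang_log('spam',"1000 Claims_to_be_$Helo",$RelayAddr);
        action_bounce("You are not $Helo");
        return action_discard();
    }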


Joseph Brennan         Columbia University in the City of New York
Academic Technologies Group                   brennan at columbia.edu
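
The check described in the message above, generalized as an added example that is not part of the original post or of MIMEDefang itself: it compares the HELO argument exactly against a list of the site's own addresses, accepts the bracketed address-literal form, and exempts connections that really do come from those addresses or from loopback. The helper name `helo_claims_to_be_us`, the `%OWN_IP` table, the loopback exemption and the sample connections are assumptions made for illustration.

```perl
#!/usr/bin/perl
# Added example: exact-match "HELO claims to be us" check.
use strict;
use warnings;

# Assumption: the two addresses shown in the post are the site's own mail hosts.
my %OWN_IP = map { $_ => 1 } qw(128.59.59.105 128.59.59.23);

# Hypothetical helper. Returns 1 when the HELO argument is one of our own
# addresses while the connecting relay is not one of our hosts; 0 otherwise.
sub helo_claims_to_be_us {
    my ($helo, $relay_addr) = @_;
    return 0 unless defined $helo && defined $relay_addr;

    # Accept a bare dotted quad or an address literal such as "[128.59.59.23]".
    # Anything else (a hostname, garbage) is not an IP claim and is left alone.
    my ($ip) = $helo =~ /^\s*\[?(\d{1,3}(?:\.\d{1,3}){3})\]?\s*$/
        or return 0;

    # Strip leading zeros so "128.059.059.023" compares equal to "128.59.59.23".
    $ip = join '.', map { $_ + 0 } split /\./, $ip;

    return 0 unless $OWN_IP{$ip};

    # Our own hosts and loopback may legitimately announce these addresses.
    return 0 if $OWN_IP{$relay_addr} || $relay_addr eq '127.0.0.1';

    return 1;
}

# Constructed sample connections: [ HELO argument, connecting relay address ].
my @samples = (
    [ '128.59.59.105',    '203.0.113.7'   ],  # outside relay, bare IP claim
    [ '[128.59.59.23]',   '198.51.100.20' ],  # outside relay, address literal
    [ '128.59.59.230',    '128.59.59.230' ],  # address that only shares a prefix
    [ 'mail.example.org', '192.0.2.25'    ],  # ordinary hostname HELO
    [ '128.59.59.105',    '127.0.0.1'     ],  # local submission on the host
);

for my $s (@samples) {
    my ($helo, $relay) = @$s;
    printf "%-18s from %-15s => %s\n", $helo, $relay,
        helo_claims_to_be_us($helo, $relay) ? 'reject' : 'accept';
}
```

Inside `filter_begin()` the helper would be called with the `$Helo` and `$RelayAddr` globals used in the snippet above, in place of the regex test.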










