[Mimedefang] filter-relay, rejection on bogus helo
Lucas Albers
admin at cs.montana.edu
Wed Jan 7 11:44:23 EST 2004
Joseph Brennan said:
> We reject about 10,000 a day that say HELO with columbia.edu's IP
> address, and have done so for about a year now, thus about three
> and a half million messages. None of those rejections has ever
> been the subject of a complaint from our users or from senders.
>
> In filter_begin()
>
> # Don't tell us you are us
> if ($Helo =~ /(128\.59\.59\.105|128\.59\.59\.23)/) {
> md_graphdefang_log('spam',"1000 Claims_to_be_$Helo",$RelayAddr);
> action_bounce("You are not $Helo");
> return action_discard();
> }
You could reject before the data stage by checking your helo string in
filter-relay, which should speed up your rejections, and lower bandwidth
usage.
You could do the check before filter-begin, in filter-relay.
You can also include your hostname in the rejection helo check:
#after excluding your mail server by its ip address
if ($Helo =~ /(cs\.montana\.edu|esus\.cs\.montana\.edu)/) {
}
Or reject if the machine just gives a hostname with no "..."'s in it.
#match if just host component, which you should not get from MTAs.
#note this regexp will match anything that does not have a "." in it.
if ($Helo =~ /^(\w*)$/){
}
Anyone see any problem with my previously mentioned helo host check regex?
--
Luke Computer Science System Administrator
Security Administrator,College of Engineering
Montana State University-Bozeman,Montana
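
Added example (not part of the original post, and not code from MIMEDefang or from either poster): a standalone Perl helper, under the hypothetical name helo_verdict, that combines the three HELO checks discussed in this thread: a HELO claiming one of our IP addresses, a HELO claiming one of our hostnames when the relay is not ours, and a HELO with no dot in it. The addresses and domain are constructed placeholders. IPs are compared exactly rather than by unanchored pattern, and the no-dot test is done directly, which behaves differently from /^(\w*)$/ on hyphenated names.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed site values (assumptions, not taken from the post).
my %OUR_IPS     = map { $_ => 1 } qw(192.0.2.10 192.0.2.11);
my @OUR_DOMAINS = qw(example.edu);

# Return a rejection reason for a HELO argument, or undef to accept.
# $relay is the connecting IP; our own servers are let through first.
sub helo_verdict {
    my ($helo, $relay) = @_;
    return undef if $OUR_IPS{$relay};      # our own hosts may use our names

    my $h = lc($helo // '');
    $h =~ s/^\s+|\s+$//g;                  # trim surrounding whitespace
    $h =~ s/\.$//;                         # drop a trailing root dot
    return 'empty HELO' if $h eq '';

    # Address literal "[192.0.2.10]" or a bare IP: compare exactly, so
    # 192.0.2.100 is not caught by a pattern written for 192.0.2.10.
    if ($h =~ /^\[?(\d{1,3}(?:\.\d{1,3}){3})\]?$/) {
        return $OUR_IPS{$1} ? "claims our address $1" : undef;
    }

    # Our domain itself or any host under it, matched on a label boundary.
    for my $d (@OUR_DOMAINS) {
        return "claims our name $h" if $h eq $d || $h =~ /\.\Q$d\E$/;
    }

    # Single label (no dot at all), including names such as "mail-gw".
    return "unqualified name $h" if $h !~ /\./;

    return undef;
}

# Constructed sample inputs: [HELO string, relay IP]
for my $case (['192.0.2.10',       '203.0.113.5'],
              ['[192.0.2.11]',     '203.0.113.5'],
              ['192.0.2.100',      '203.0.113.5'],
              ['mail.example.edu', '203.0.113.5'],
              ['mail.example.edu', '192.0.2.10'],
              ['mail-gw',          '203.0.113.5'],
              ['mx.example.org',   '203.0.113.5']) {
    my ($helo, $relay) = @$case;
    printf "%-18s from %-12s => %s\n", $helo, $relay,
        helo_verdict($helo, $relay) // 'accept';
}
```

The helper only returns a reason string; the rejection call itself is left to whichever filter callback has the HELO string and relay address available.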