[Mimedefang] filter-relay, rejection on bogus helo
Mark Sheppard
mark at ddf.net
Wed Jan 7 17:58:50 EST 2004
On 2004-01-07 (Wednesday) at 12:36:35 -0500, Joseph Brennan wrote:
>
> >Or reject if the machine just gives a hostname with no "..."'s in it.
> ># match if just host component, which you should not get from MTA's.
> >note this regexp will match anything that does not have a "." in it.
> >if ($helo =~ /^(\w*)$/){
> >}
>
> These are no good because we are using the same Mimedefang filter
> for the internal hosts. Some PC clients do not know their hostname
> or IP, and send HELO with standards-busting things like the user's
> pet name for the host, or the name of the smtp server, or the user's
> default domain name.
So just skip that check for local IPs:
    # only run the HELO checks for connections from outside our network
    if($hostip !~ /^128\.59\./){
        # do HELO checks here
    }
Anyone else sending you email from outside should have a proper HELO.
I block any HELO that's an IP which differs from the connecting IP:
    # HELO given as an IP literal (with or without brackets) must match the connecting IP
    if($helo =~ /^\[?(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})\]?$/ and $1 ne $hostip){
        md_syslog('info', "MDLOG,$MsgID,bad-helo-ip,$hostip,$hostname,$helo");
        return('REJECT', "Bad HELO - you claimed to be $helo, but you're $hostip");
    }
and anyone using our hostname:
    # $SendmailMacros{j} is sendmail's canonical name for this host
    if($helo eq $SendmailMacros{j}){
        md_syslog('info', "MDLOG,$MsgID,bad-helo-host,$hostip,$hostname,$helo");
        return('REJECT', "Bad HELO - you claimed to be $helo, but that's us!");
    }
For $SendmailMacros to work in filter_relay use load_sendmail_macros
from http://sial.org/howto/mimedefang/macro-pass/. Note that you need
to make sure this check doesn't prevent the host itself from sending
email. I call return('ACCEPT_AND_NO_MORE_FILTERING', 'ok') in
filter_relay if $hostip is the local machine's IP. This skips all
further tests from email originating locally.
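The filter_relay checks described above, gathered into one pure function so they can be exercised without a running sendmail/MIMEDefang. This is an added example, not code from Mark's post; the 128.59.0.0/16 network is the one used in the thread, while $OUR_IP, the hostnames and the test cases are constructed.

```perl
#!/usr/bin/perl
# Added example (not from the post): filter_relay HELO checks as a testable
# function. $OUR_IP and the example hostnames are constructed assumptions.
use strict;
use warnings;

my $LOCAL_NET_RE = qr/^128\.59\./;   # internal clients: HELO is not judged
my $OUR_IP       = '128.59.0.1';     # assumption: the mail server's own IP

# Returns (code, message). 'CONTINUE' means this function made no decision
# and the remaining filter_relay logic should carry on.
sub check_helo {
    my ($hostip, $helo, $our_name) = @_;

    # Mail submitted by the server itself skips every further test.
    return ('ACCEPT_AND_NO_MORE_FILTERING', 'ok') if $hostip eq $OUR_IP;

    # Internal PCs send sloppy HELOs; do not reject them for it.
    return ('CONTINUE', 'ok') if $hostip =~ $LOCAL_NET_RE;

    # A HELO that is an IP literal (with or without brackets) must be the
    # address the connection really comes from.
    if ($helo =~ /^\[?(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})\]?$/ and $1 ne $hostip) {
        return ('REJECT', "Bad HELO - you claimed to be $helo, but you're $hostip");
    }

    # An outside host claiming our own name is lying. DNS names are
    # case-insensitive, so compare in lower case (the post compared exactly).
    if (lc($helo) eq lc($our_name)) {
        return ('REJECT', "Bad HELO - you claimed to be $helo, but that's us!");
    }

    return ('CONTINUE', 'ok');
}

# MIMEDefang entry point. %SendmailMacros is only populated in filter_relay
# with the load_sendmail_macros trick linked above.
our (%SendmailMacros, $MsgID);
sub filter_relay {
    my ($hostip, $hostname, $helo) = @_;
    my ($code, $msg) = check_helo($hostip, $helo, $SendmailMacros{j});
    md_syslog('info', "MDLOG,$MsgID,bad-helo,$hostip,$hostname,$helo")
        if $code eq 'REJECT';
    return ($code, $msg);
}

# Self-check when run directly (perl helo-check.pl); skipped when the file
# is loaded as a MIMEDefang filter. All addresses/names are constructed.
unless (caller) {
    my @cases = (
        # hostip          helo                our name           expected
        ['203.0.113.7',  '[192.0.2.9]',      'mx.example.org',  'REJECT'],
        ['203.0.113.7',  '203.0.113.7',      'mx.example.org',  'CONTINUE'],
        ['203.0.113.7',  'MX.EXAMPLE.ORG',   'mx.example.org',  'REJECT'],
        ['203.0.113.7',  'mail.example.net', 'mx.example.org',  'CONTINUE'],
        ['128.59.4.20',  'mx.example.org',   'mx.example.org',  'CONTINUE'],
        ['128.59.0.1',   'anything',         'mx.example.org',  'ACCEPT_AND_NO_MORE_FILTERING'],
    );
    for my $c (@cases) {
        my ($code) = check_helo(@$c[0 .. 2]);
        print "$c->[1] from $c->[0]: $code\n";
        die "unexpected result for $c->[1]" unless $code eq $c->[3];
    }
}

1;
```

The order of the early returns matters: the server's own IP is tested before the local-network skip, and both come before the rejections, so a local client HELOing with the server's own name (one of the cases Joseph describes) is still accepted.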
Another thing I do is to increase the SpamAssassin hit count if a
non-resolving hostname is supplied in HELO. At the top of mimedefang
I've got this:
    use Net::DNS;
    # setup a resolver for use later (declared with "our" so it is usable under "use strict")
    our $dns = Net::DNS::Resolver->new;
    $dns->defnames(0); # do not search default domain
then in filter_end:
    my($hits, $req, $names, $report) = spam_assassin_check();
    # penalise a HELO name that has no A record (skip if it is the relay's own name)
    if($Helo ne $RelayHostname and !$dns->query($Helo, 'A')){
        $hits += 2;
        $names .= ',UNRESOLVABLE_HELO';
        $report .= "\n 2.0 UNRESOLVABLE_HELO Name given at HELO doesn't resolve" .
                   "\n [$Helo]";
    }
This will also increase the score if just an IP is used as there's no
A records for IPs. Some viruses seem to use dodgy HELOs as well as
spamware.
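The filter_end scoring above with the DNS lookup made injectable, so the penalty logic can be checked offline and the real resolver given a timeout. This is an added example, not code from the post; the hostnames, the fake resolver and the timeout values are constructed assumptions.

```perl
#!/usr/bin/perl
# Added example (not from the post): UNRESOLVABLE_HELO bump for filter_end
# with a pluggable lookup. Timeouts and test names are assumptions.
use strict;
use warnings;
use Net::DNS;

our $dns = Net::DNS::Resolver->new;
$dns->defnames(0);       # do not append the search domain to the HELO name
$dns->udp_timeout(5);    # a stuck resolver must not stall every message
$dns->retry(1);

# True if $name has an A record. $lookup (optional) replaces the real
# resolver, which is what the self-check below uses.
sub helo_resolves {
    my ($name, $lookup) = @_;
    $lookup ||= sub { defined $dns->query($_[0], 'A') };
    return $lookup->($name) ? 1 : 0;
}

# Apply the HELO penalty to SpamAssassin's results and return the new triple.
# $relay_hostname is what MIMEDefang already resolved for the peer, so a HELO
# equal to it is not looked up again.
sub score_unresolvable_helo {
    my ($hits, $names, $report, $helo, $relay_hostname, $lookup) = @_;
    if ($helo ne $relay_hostname and !helo_resolves($helo, $lookup)) {
        $hits   += 2;
        $names  .= ',UNRESOLVABLE_HELO';
        $report .= "\n 2.0 UNRESOLVABLE_HELO Name given at HELO doesn't resolve"
                 . "\n [$helo]";
    }
    return ($hits, $names, $report);
}

# In the real filter_end this would be used as:
#   my ($hits, $req, $names, $report) = spam_assassin_check();
#   ($hits, $names, $report) =
#       score_unresolvable_helo($hits, $names, $report, $Helo, $RelayHostname);

# Self-check when run directly (perl helo-score.pl); constructed data only.
unless (caller) {
    # Fake resolver: only mail.example.net "exists".
    my $fake = sub { $_[0] eq 'mail.example.net' };

    my @r = score_unresolvable_helo(1.5, 'RULE_A', 'report', 'bogus.example', 'relay.example.net', $fake);
    die "penalty not applied" unless $r[0] == 3.5 and $r[1] eq 'RULE_A,UNRESOLVABLE_HELO';

    @r = score_unresolvable_helo(1.5, 'RULE_A', 'report', 'mail.example.net', 'relay.example.net', $fake);
    die "penalty wrongly applied" unless $r[0] == 1.5 and $r[1] eq 'RULE_A';

    # An IP literal never has an A record, so it is penalised too, as noted above.
    @r = score_unresolvable_helo(1.5, 'RULE_A', 'report', '[192.0.2.9]', 'relay.example.net', $fake);
    die "IP literal not penalised" unless $r[0] == 3.5;

    print "ok\n";
}

1;
```

Because the lookup runs once per message in filter_end, the resolver timeout bounds how long a dead DNS server can hold up delivery; without it the penalty check becomes a denial-of-service risk for your own queue.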
Mark.