[Mimedefang] filter-relay, rejection on bogus helo
Lucas Albers
admin at cs.montana.edu
Tue Jan 6 02:08:44 EST 2004
I am currently working on filter-relay and filter-recipient filtering code.
The code is actually only using info in filter-relay but it relies on
variables that are not set until filter-recipient.
My general rule for rejection is thus, after exluding local domains and
authtenticated users.
If $helo has just a single name it has no .'s in it, then reject as
hostname_forgery.
If the ip is unresolvable that is $name has [] in the name then do some
further checks, else done.
Match the helo string domain with either the domain name or the first 3
octets of $ip or $name.
Example:
$ip=133.45.98.9
$name=[133.45.98.9]
$helo=aol.com
This is an unresolvable $name, so we match on the domain.
133.45.98 != aol.com nor does 133.45.98 != aol.com.
So we reject it as a domain_forgery.
I currently only do it for $names that do not resolve back.
Example2:
$ip=1.2.3.4
$name=mail.gosling.com
$name=gosling.com
1.2.3 != gosling.com but gosling.com == gosling.com
so we accept it.
As menioned earlier it matches on first 3 octets ip and helo or name, or
domain of $name and $helo.
All I am doing basically is doing additional checks on machines that have
non-authoritative ip addresses and then matching the subnet or domain of
the machine to the helo command.
I have been logging it for a week or so and have not seen any false
positives because of it.
Various clients will give bogus helo commands, so we need to authenticate
our clients or exclude our local subnet.
I have been going very slowly with this, but it appears to be a very good
method to use.
I logged it for a week and then implemented it today.
I am not posting my code until I am sure it will not have FP's.
Science System Administrator
Security Administrator,College of Engineering
Montana State University-Bozeman,Montana
More information about the MIMEDefang
mailing list