[Mimedefang] Bogus HELO filtering

Jeff Rife mimedefang at nabs.net
Wed Jul 7 00:42:00 EDT 2004


I've seen a bit about this subject lately on the list, so I thought I'd 
throw in my solution and see what people think.

In filter_sender:

###############################################################
# filter_sender receives ($sender, $ip, $hostname, $helo); $TrustedNetworks
# is a regex string for my internal networks, defined earlier in the filter.
if ($ip =~ /^(127\.0\.0\.1|$TrustedNetworks)/)
  {
  return ('ACCEPT_AND_NO_MORE_FILTERING', "OK");
  }

my $MyDomains = '\.(domain1\.tld|domain2\.tld|domain3\.tld)$';

# Bogus IPs...I'm using my real ones in the actual filter
my $MyPublicIPs = '^434\.300\.377\.38[789]$';

# HELO claims one of my names or addresses, but the connection
# does not come from one of my address blocks
if (($helo =~ /($MyDomains|$MyPublicIPs)/) and ($ip !~ /$MyPublicIPs/))
  {
  md_syslog('info', "md_info: bad HELO ($helo): $hostname [$ip]");

  # don't really reject for now...just log it
  # return ('REJECT', "Bad HELO: $hostname [$ip] is not $helo");
  }
###############################################################

My logic was:
- If it is from a trusted network (for me, behind my firewall), don't do
  anything...I don't care about outgoing SPAM as it's a firing offense.

- If the HELO says it is from something I control (ends in a domain I
  control or is in an IP block I control), but the actual connecting IP
  isn't one I control, then reject.  All the machines from all the
  domains are guaranteed to be in those IP blocks.

- I don't care if things match perfectly, so a machine that is in an IP
  block that I control might announce itself as the "wrong" name (like
  mail.domain2.tld instead of the correct mail.domain3.tld), but it
  still obviously has a right to do this.  This allows slight errors in
  DNS to be ignored; although they are a problem in the long run, they
  aren't a SPAM source.

Questions:

 1. Does this get the job done?
 2. Is there a more efficient way that doesn't involve listing out all
    legal machines?  I have 3 public class C IP blocks, so that would be
    some real work.
2a. The real domain list is 20 or so, and growing.  Is there a better
    way to deal with that list?
 3. Am I breaking any rules by doing this?

Thanks.


--
Jeff Rife        |  
SPAM bait:       | http://www.nabs.net/Cartoons/FoxTrot/Blackboard.gif 
AskDOJ at usdoj.gov |  
uce at ftc.gov      |  
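The same decision logic as the filter above, as an added stand-alone example (not the poster's code and not a MIMEDefang filter): it answers question 2 by matching the connecting IP against CIDR blocks instead of a hand-written address regex, and it also treats a bracketed address literal (`HELO [192.0.2.5]`) and a bare domain as a claim to be one of my hosts, which the poster's anchored regexes do not. The domains and networks are constructed sample values.

```python
import ipaddress

# Constructed sample policy; the poster's real values are not on the page.
MY_DOMAINS = ("domain1.tld", "domain2.tld", "domain3.tld")
MY_NETWORKS = [ipaddress.ip_network(n) for n in ("192.0.2.0/24", "198.51.100.0/24")]
TRUSTED_NETWORKS = [ipaddress.ip_network(n) for n in ("127.0.0.0/8", "10.0.0.0/8")]


def in_networks(ip, nets):
    """True if the IP string falls inside any of the given CIDR blocks."""
    addr = ipaddress.ip_address(ip)          # raises ValueError for non-addresses
    return any(addr in n for n in nets)


def helo_claims_mine(helo):
    """True if the HELO name claims one of my domains or one of my address blocks."""
    name = helo.strip().lower()
    # RFC 2821 address literal: HELO [192.0.2.5]
    if name.startswith("[") and name.endswith("]"):
        name = name[1:-1]
    try:
        return in_networks(name, MY_NETWORKS)   # bare or bracketed IP
    except ValueError:
        pass                                    # not an IP, so test it as a host name
    return any(name == d or name.endswith("." + d) for d in MY_DOMAINS)


def check_helo(helo, ip):
    """Mirror the poster's filter_sender decisions; 'LOG' stands for the
    log-only branch that would become a REJECT once the rule is trusted."""
    if in_networks(ip, TRUSTED_NETWORKS):
        return ("ACCEPT_AND_NO_MORE_FILTERING", "trusted network")
    if helo_claims_mine(helo) and not in_networks(ip, MY_NETWORKS):
        return ("LOG", f"bad HELO ({helo}) from [{ip}]")
    # A "wrong" name from inside my own blocks is deliberately tolerated.
    return ("CONTINUE", "HELO consistent with connecting address")
```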