[Mimedefang] Bogus HELO filtering
Jeff Rife
mimedefang at nabs.net
Wed Jul 7 00:42:00 EDT 2004
I've seen a bit about this subject lately on the list, so I thought I'd
throw in my solution and see what people think.
In filter_sender:
###############################################################
    # $TrustedNetworks is a regex of my internal address prefixes,
    # defined elsewhere in the filter
    if ($ip =~ /^(127\.0\.0\.1|$TrustedNetworks)/)
    {
        return ('ACCEPT_AND_NO_MORE_FILTERING', "OK");
    }

    my $MyDomains = '\.(domain1\.tld|domain2\.tld|domain3\.tld)$';

    # Bogus IPs...I'm using my real ones in the actual filter
    my $MyPublicIPs = '^434\.300\.377\.38[789]$';

    # HELO claims one of my domains or one of my addresses,
    # but the connecting IP is not in my address block
    if (($helo =~ /($MyDomains|$MyPublicIPs)/) and ($ip !~ /$MyPublicIPs/))
    {
        md_syslog('info', "md_info: bad HELO ($helo): $hostname [$ip]");
        # don't really reject for now...just log it
        # return ('REJECT', "Bad HELO: $hostname [$ip] is not $helo");
    }
###############################################################
My logic was:
- If it is from a trusted network (for me, behind my firewall), don't do
anything...I don't care about outgoing SPAM as it's a firing offense.
- If the HELO says it is from something I control (ends in a domain I
control or is in an IP block I control), but the actual connecting IP
isn't one I control, then reject. All the machines from all the
domains are guaranteed to be in those IP blocks.
- I don't care if things match perfectly, so a machine that is in an IP
block that I control might announce itself as the "wrong" name (like
mail.domain2.tld instead of the correct mail.domain3.tld), but it
still obviously has a right to do this. This allows slight errors in
DNS to be ignored; although they are a problem in the long run, they
aren't a SPAM source.
Questions:
1. Does this get the job done?
2. Is there a more efficient way that doesn't involve listing out all
legal machines? I have 3 public class C IP blocks, so that would be
some real work.
2a. The real domain list is 20 or so, and growing. Is there a better
way to deal with that list?
3. Am I breaking any rules by doing this?
Thanks.
--
Jeff Rife |
SPAM bait: | http://www.nabs.net/Cartoons/FoxTrot/Blackboard.gif
AskDOJ at usdoj.gov |
uce at ftc.gov |
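As an added illustration (not from the post above and not a MIMEDefang hook, which would be Perl), the same HELO check written in Python with the standard ipaddress module: the public address space is held as CIDR networks and the domain list as a set, so neither individual hosts nor a growing regex of domains has to be spelled out. The network ranges and domain names are constructed placeholders; the verdict strings mirror the ones used in the filter.

```python
import ipaddress

# Constructed placeholders standing in for the poster's real lists.
MY_DOMAINS = {"domain1.tld", "domain2.tld", "domain3.tld"}
MY_NETWORKS = [ipaddress.ip_network(n) for n in
               ("192.0.2.0/24", "198.51.100.0/24", "203.0.113.0/24")]
TRUSTED_NETWORKS = [ipaddress.ip_network(n) for n in
                    ("127.0.0.0/8", "10.0.0.0/8")]


def ip_in(ip, networks):
    """True if the dotted/colon address ip lies in any of the networks."""
    addr = ipaddress.ip_address(ip)
    # 'in' is False when address and network families differ (v4 vs v6).
    return any(addr in net for net in networks)


def helo_claims_mine(helo):
    """True if HELO names one of my domains (or a host under one of them),
    or is an address literal such as [203.0.113.9] inside my blocks."""
    h = helo.strip().lower()
    if h.startswith("[") and h.endswith("]"):
        literal = h[1:-1]
        if literal.startswith("ipv6:"):
            literal = literal[5:]
        try:
            return ip_in(literal, MY_NETWORKS)
        except ValueError:      # malformed literal: not a claim to be mine
            return False
    h = h.rstrip(".")           # tolerate a trailing dot (FQDN form)
    if h in MY_DOMAINS:
        return True
    # Require a label boundary so "notdomain1.tld" does not match.
    return any(h.endswith("." + d) for d in MY_DOMAINS)


def filter_sender(helo, ip):
    """Mirror of the filter_sender logic: trusted nets pass untouched;
    a HELO that claims my name from outside my blocks is rejected;
    a wrong-but-mine name from inside my blocks is tolerated."""
    if ip_in(ip, TRUSTED_NETWORKS):
        return ("ACCEPT_AND_NO_MORE_FILTERING", "OK")
    if helo_claims_mine(helo) and not ip_in(ip, MY_NETWORKS):
        return ("REJECT", f"Bad HELO: [{ip}] is not {helo}")
    return ("CONTINUE", "ok")
```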