[Mimedefang] Bogus HELO filtering
Lucas Albers
admin at cs.montana.edu
Wed Jul 7 12:30:28 EDT 2004
Joseph Brennan said:
>
> For what it's worth, in yesterday's mail, 22% of what we rejected
> said 'HELO columbia.edu' and 11% more said 'HELO 128.59.59.105' --
> those are *our* hostname and IP -- no further analysis needed:
> 59,000 messages tossed.
>
> So I'd say checking HELO is worthwhile. At least, reject mail that
> claims to be from your own hostname and IP.
>
> Joseph Brennan
> Academic Technologies Group, Academic Information Systems (AcIS)
> Columbia University in the City of New York
I've been doing some additional helo checking.
Attached are the helo rule checking I do.
Just enable it for logging if you are curious to see what type of helo
checking you can do.
If a machine has an ip address and gives a helo name that does not match
it's ip address or hostname I reject.
If it has a hostname and it's helo does not match the domain of the
hostname, I reject.
Of if it just gives a helo with a hostname, just a single hostname with no
domain, then I reject.
Only clients should do this, MTA's should never do this.
If it gives my hostname for helo, I reject.
Will cause False Positives. You are warned.
--Luke
#***********************************************************************
#verifies that two domain names have same domain.
#could be more efficient, easy to understand more important
#then shortness or efficiency.
#careful with the regexs domain names don't follow rfc...
#MTA don't always completelly match full ip name or similar...
sub helo_domain_forgery($$$){
my ($ip,$name,$helo) = @_;
my $ipdomain="";
my $namedomain="";;
my $helodomain="";
my $name_ip_forged=0;
my $helo_just_host=0;
#for ip address we are extracting 3 octets
if ($ip =~ /^(\d{1,3}\.\d{1,3}\.\d{1,3})\.\d{1,3}$/){
$ipdomain = $1;
}
if ($name =~ /^\[(\d{1,3}\.\d{1,3}\.\d{1,3})\.\d{1,3}\]$/){
$namedomain = $1;
$name_ip_forged=1;
}
elsif ($name =~ /^(\d{1,3}\.\d{1,3}\.\d{1,3})\.\d{1,3}$/){
$namedomain = $1;
$name_ip_forged=1;
}
elsif ($name =~ /\.(\w*\.\w*)$/){
$namedomain = $1;
}
elsif ($name =~ /^(\w*\.\w*)$/){
$namedomain = $1;
}
#i break this up so you can choose to handle each case differently.
if ($helo =~ /^(\d{1,3}\.\d{1,3}\.\d{1,3})\.\d{1,3}$/){
$helodomain = $1;
}
#has [ indicating possible forgery...acceptable via rfc, actually.
if ($helo =~ /^\[?(\d{1,3}\.\d{1,3}\.\d{1,3})\.\d{1,3}\]?$/){
$helodomain = $1;
}
#match if just host component.
elsif ($helo =~ /^(\w*)$/){
$helodomain = $1;
$helo_just_host=1;
#md_syslog('warning',"Hostname on helo command:$helo");
return 3;
}
#match if just gives domain name and no host component.
elsif ($helo =~ /\.(\w*\.\w*)$/){
$helodomain = $1;
#name if helo is just blah.com
}
elsif ($helo =~ /^(\w*\.\w*)$/){
$helodomain = $1;
}
elsif ($helo =~ /^([\w\-]*\.[\w\-]*)$/){
$helodomain = $1;
}
#be aware if it doesn't match I think the $N will
#carry on $1 last regexp match will carry over.
#my $authenticated = authenticated_user;
#md_syslog('warning',"DOMAIN:auth:$authenticated");
#match ip or name to helo
#if either match you accept.
#if ip or name is an ip address then match first 3 octets to helo
#if not an ip address then match to domain name like blah.com
#case insensitive match
my $forgery=0;
if (!(($ipdomain eq $helodomain) || ($namedomain =~ /^$helodomain$/i))){
my $FORGERY_DELAY = 30*60;
#my $authenticated = authenticated_user;
#$time_delay = current_time + $FORGERY_DELAY;
#md_syslog('warning',"DOMAIN:a:$authenticated");
md_syslog('warning',"DOMAIN:i:$ip:$ipdomain");
md_syslog('warning',"DOMAIN:n:$name,$namedomain");
md_syslog('warning',"DOMAIN:h:$helo,$helodomain");
#md_syslog('warning',"DOMAIN:DISCARD FORGERY!");
#write_database("<$ip>",$time_delay)
# $forgery =1;
if ($helo =~ /xxx.suny.edu$|xxx.ac.kr$/){
md_syslog('warning',"DOMAIN:IP_FORGERY HARDCODE ACCEPT");
return 0;
}
if ($name_ip_forged){
md_syslog('warning',"DOMAIN:IP_FORGERY AND NODOMAIN MATCH");
$forgery =1
}
if ($helo_just_host){
md_syslog('warning',"DOMAIN:HELO_FORGERY JUST HOSTNAME AND
NODOMAIN MATCH");
$forgery =2;
}
}
return $forgery;
}
--
Luke Computer Science System Administrator
Security Administrator,College of Engineering
Montana State University-Bozeman,Montana
More information about the MIMEDefang
mailing list