[Mimedefang] Bogus HELO filtering

Jeff Rife mimedefang at nabs.net
Wed Jul 7 12:47:49 EDT 2004 

On 7 Jul 2004 at 9:48, Damrose, Mark wrote:

> I'd change to
> my $MyDomains = '(^|\.)(domain1\.tld|domain2\.tld|domain3\.tld)$';
> so it will catch domain1.tld as well as anything.domain1.tld.

I just thought of this myself this morning and added it.  It caught a 
*lot* more bogus HELOs.

> Since you anchor your public IPs, you miss the case where someone 
> follows the RFC and encloses the IP in square brackets.
> my $MyPublicIPs = '^\[?434\.300\.377\.38[789])\]?$';

That's what I was missing!  Thanks.

> If you have a full /24, then 
> my $MyPublicIPs = '^\[?434\.300\.377\.\d{1,3})\]?$';
> Should work for the full 24.  You don't need to list each one individually.

Yeah, I'm actually doing this with two different companies, and they have 
almost the same setup, but one just has a 16-IP public block, which is 
what I sort of listed here in the e-mail.  The 3 class-Cs were already as 
you said.

> Is there any case where someone could legally use your public IP that isn't
> listed in trusted networks?
> If not, then change to:
> if ($helo =~ /($MyDomains|$MyPublicIPs)/)
> No sense testing if the Relay is your public IP, if that IP can't be 
> legally used, and/or has already been accepted.

The public IPs aren't trusted because, well, they are public and outside 
our firewall.  It's theoretically possible that somebody gets in.  Since 
we restrict outgoing port 25 connects at our router, they would have to 
bounce SPAM off our mail server.

> >  3. Am I breaking any rules by doing this?
> 
> Technically yes.  The RFCs say you MUST NOT reject mail solely on the basis
> of the HELO.  However it is generally accepted that you can reject on 
> HELOs that absolutely can not be.  The trick is to correctly pick
> tests for values that can not be.

That's what I thought, and I wanted to know if I was being too broad.

>         $s =~ s/^\<//;
>         $s =~ s/\@.*$//;
>         if ( $s =~ m/$H/i ) {
>                 $status=1;

Since hacking mimedefang-filter is my first Perl experience, this is a 
bit over my head.  I've got a decent background in sed and grep REs, but 
I'll have peruse the Perl manual a bit to follow this.


--
Jeff Rife        | "I feel an intense ambivalence, some of which 
SPAM bait:       |  doesn't border entirely on the negative." 
AskDOJ at usdoj.gov |  
uce at ftc.gov      |         -- Ned Dorsey, "Ned and Stacey"

More information about the MIMEDefang mailing list