[Mimedefang] Stopping bogus Domain in HELO

Dirk the Daring dirk at psicorps.org
Mon Jun 20 12:50:59 EDT 2005


   I've added MIMEDefang v2.52 to my sendmail v8.13.4 mail relay running
on Solaris 8, and have significantly reduced my SPAM (I *love* rejecting
SPAMmers who try to HELO as one of my own machines). Of the remaining
SPAM that leaks thru, I'm seeing things like:

> Received: from lh ([60.221.66.22]) by [my host] with SMTP id....

   "lh" is an obviously fake hostname. How would I go about requiring a
HELO, if an IP address in brackets is not given, to have a resolvable
FQDN?

   Here is what I have in "filter_sender" already:

---- Cut Here ----
sub filter_sender {
    my($sender, $hostip, $hostname, $helo) = @_;

    # Check #1
    # Can't be "psicorps.org" unless it's one of our IP addresses
    if ($helo =~ /(^|\.)psicorps\.org$/i) {
        if ($hostip ne "127.0.0.1" and $hostip ne "209.170.141.XXX" and
            $hostip ne "209.170.141.XXX" and $hostip ne "209.170.141.103" and
            $hostip ne "209.170.141.XXX" and $hostip ne "209.170.141.XXX") {
            syslog('alert', "MIMEDefang rejected a connection where Host $hostip said HELO $helo");
            return('REJECT', "FRAUDULENT HELO/EHLO REJECTED: $hostip is not authorized to use $helo for authentication");
        }
    }

    # Check #2
    # Check for HELO where IP address is the relay server address either
    #     without or with square brackets
    if (($helo =~ /209\.170\.141\.103$/) ||
        ($helo =~ /(^|\[)209\.170\.141\.103\]$/i)) {
        syslog('alert', "MIMEDefang rejected a connection where Host $hostip said HELO $helo");
        return('REJECT', "FRAUDULENT HELO/EHLO REJECTED: $hostip is not authorized to use $helo for authentication");
    }

    # Check #3
    # Check for IP-address-only HELO - SMTP standard requires it be enclosed
    if ($helo =~ /^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$/) {
        syslog('alert', "MIMEDefang rejected a connection where Host $hostip said HELO $helo");
        return('REJECT', "SMTP ERROR: Please conform to SMTP when saying HELO");
    }

    return('CONTINUE', "OK");
}
---- Cut Here ----

   Or would this be better done in filter_relay?

Dirk
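
One way to draw the distinction the question asks about (bracketed address literal versus resolvable FQDN), as an added example that is not part of the original post and not MIMEDefang's own code. The helper name `classify_helo`, the stub resolver and the `example.org` / `example.invalid` names are assumptions, and the HELO strings are constructed test input.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Socket qw(inet_aton);

# classify_helo() is a hypothetical helper, not a MIMEDefang function.
# Returns 'literal', 'fqdn', 'unqualified', 'bad-syntax' or 'unresolvable'.
# $resolve is an optional coderef (name -> true/false) so the DNS step can
# be stubbed; the default is a forward A-record lookup through inet_aton,
# which cannot tell a timeout from a name that does not exist.
sub classify_helo {
    my ($helo, $resolve) = @_;
    $resolve ||= sub { defined inet_aton($_[0]) };

    # Bracketed IPv4 address literal: every octet must be 0..255.
    if (my @octets = $helo =~ /^\[(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})\]$/) {
        return 'bad-syntax' if grep { $_ > 255 } @octets;
        return 'literal';
    }

    (my $name = lc $helo) =~ s/\.$//;                  # tolerate one trailing dot
    return 'unqualified' if $name =~ /^[a-z0-9-]+$/;   # single label, e.g. "lh"

    # Dot-separated LDH labels ending in an alphabetic top-level label.
    # A bare dotted quad (no brackets) fails here because of that last label.
    return 'bad-syntax'
        unless $name =~ /^(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,}$/;

    return $resolve->($name) ? 'fqdn' : 'unresolvable';
}

# Constructed sample input; the stub resolver stands in for DNS so the
# demonstration runs offline. Drop the second argument to use real DNS.
my %known = ('mail.example.org' => 1);
my $stub  = sub { $known{ $_[0] } };
for my $helo ('lh', '[60.221.66.22]', '60.221.66.22', '[300.1.1.1]',
              'mail.example.org', 'no-such-host.example.invalid') {
    printf "%-30s %s\n", $helo, classify_helo($helo, $stub);
}

# Inside filter_sender the result could drive the existing return style:
#   my $kind = classify_helo($helo);
#   return ('REJECT', "...") unless $kind eq 'literal' or $kind eq 'fqdn';
```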


