[Mimedefang] Non-routable addresses in HELO
Dirk the Daring
dirk at luna.psicorps.org
Sun Jul 9 22:40:52 EDT 2006
I've noticed some SPAMmers recently starting to HELO using non-routable
IP addresses (mostly 10.x.x.x or 192.168.x.x).
I'm thinking of filtering for this, and I came up with this code (which
would be placed AFTER the check for an IP-based HELO in square brackets -
so any IP-based HELO missing the brackets has already been rejected).
I'd appreciate any feedback anyone would like to offer on this code
snippet:

    # Check for a HELO that is a non-routable address and therefore invalid
    if (($helo =~ /(^|\[)10\.\d{1,3}\.\d{1,3}\.\d{1,3}\]$/i) ||
        ($helo =~ /(^|\[)192\.168\.\d{1,3}\.\d{1,3}\]$/i))
    {
        md_syslog('alert',"$MsgID: Fraudulent HELO $helo by Host $hostip");
        return('REJECT', "FRAUDULENT HELO/EHLO: $hostip is not $helo");
    }

Obviously, if I have sending hosts on my network that really did have
non-routable addresses, this would be a possible problem (although the simple
solution is for them to not HELO with their IP, but use their hostname).
And yes, the code does omit the 172.16-31.x.x range - haven't seen them
yet, although I imagine it's just a matter of time.
Dirk
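
An added example, not part of the original post: the same test done by comparing octets numerically instead of by regex, which also covers the 172.16-31.x.x range the post leaves out. The helper name helo_private_block and the sample HELO strings are constructed for illustration; inside a filter the result would feed the same md_syslog/REJECT branch shown above.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Hypothetical helper (not part of MIMEDefang): returns the RFC 1918 block
# that a HELO argument falls in, or undef if it is not a private IPv4 literal.
sub helo_private_block {
    my ($helo) = @_;

    # Accept the literal with or without square brackets, but only when the
    # brackets are balanced: "[10.1.2.3" is left for other checks to reject.
    (my $ip = $helo) =~ s/^\[(.*)\]$/$1/;

    # Must be exactly four decimal octets; hostnames fall through here.
    my @o = $ip =~ /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/
        or return;

    # \d{1,3} alone admits 999, so range-check each octet.
    return if grep { $_ > 255 } @o;

    return '10.0.0.0/8'     if $o[0] == 10;
    # 172.16.0.0/12 spans second octets 16 through 31, which is awkward to
    # express as a regex and easy to get wrong; compare numerically instead.
    return '172.16.0.0/12'  if $o[0] == 172 && $o[1] >= 16 && $o[1] <= 31;
    return '192.168.0.0/16' if $o[0] == 192 && $o[1] == 168;
    return;
}

# Constructed sample HELO arguments (not taken from real traffic).
my @samples = (
    '[10.1.2.3]', '192.168.0.7', '[172.20.5.9]', '[172.32.0.1]',
    '[192.0.2.25]', 'mail.example.org', '[10.999.1.1]', '[10.1.2.3',
);

for my $helo (@samples) {
    my $block = helo_private_block($helo);
    printf "%-18s %s\n", $helo,
        defined $block ? "private ($block)" : 'not flagged';
}
```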