[Mimedefang] Non-routable addresses in HELO

Dirk the Daring dirk at luna.psicorps.org
Sun Jul 9 22:40:52 EDT 2006


     I've noticed some SPAMmers recently starting to HELO using non-routable 
IP addresses (mostly 10.x.x.x or 192.168.x.x)

     I'm thinking of filtering for this, and I came up with this code (which 
would be placed AFTER the check for an IP-based HELO in square brackets - 
so any IP-based HELO missing the brackets has already been rejected).

     I'd appreciate any feedback anyone would like to offer on this code 
snippet:

          # Check for a HELO that is a non-routable address and therefore invalid
          if (($helo =~ /(^|\[)10\.d{1,3}\.d{1,3}\.d{1,3}\]$/i) ||
                  ($helo =~ /(^|\[)192\.168\.d{1,3}\.d{1,3}\]$/i))
                 {
                 md_syslog('alert',"$MsgID: Fraudulent HELO $helo by Host $hostip");
                 return('REJECT', "FRAUDULENT HELO/EHLO: $hostip is not $helo");
                 }

     Obviously, if I have sending hosts on my network that really did have 
non-routable addresses, this would be a possible problem (altho the simple 
solution is for them to not HELO with their IP, but use their hostname). 
And yes, the code does omit the 172.16-31.x.x range - haven't seen them 
yet, altho I imagine it's just a matter of time.

Dirk



More information about the MIMEDefang mailing list