[Mimedefang] Non-routable addresses in HELO

Michael Lang michi+mimedefang at relay3.jackal-net.at
Mon Jul 10 10:57:47 EDT 2006


On Mon, 2006-07-10 at 09:17 -0500, Jim McCullars wrote:
> 
> On Sun, 9 Jul 2006, Dirk the Daring wrote:
> 
> >      Obviously, if I have sending hosts on my network that really did have
> > non-routable addresses, this would be a possible problem (although the simple
> 
>    I just reject when someone sends an IP address as a HELO, and it is not
> their actual IP address.  In filter_sender():

I remember an exploit with negative integers as HELO name ... and as RFC
821 states:

    """This command is used to identify the sender-SMTP to the
    receiver-SMTP.  The argument field contains the host name of
    the sender-SMTP."""

it should be the hostname of the remote MTA, so everything in
/^[a-z0-9\-\.]+/i would be valid. So if you want to be restrictive, implement
a FULL FQDN check for the HELO. Extending that to prevent spam/virus senders from
abusing your MTA, you could add SPF checking and DUL strings in the reverse FQDN, as
HELO strings are modifiable from within the virus/trojan. (I've already seen zombie PCs
sending messages periodically after 10 minutes to get past greylisting.)

But maybe it's easier to set up secured communication channels with your MTA peers?
Like 'DENY ALL, ALLOW FROM ...' ;)

Greetz mIke
Try adding these filters to your config, but do logging only ;)

sub filter_recipient {
...
    # check_dul() returns a (code, message) list, so capture it before logging
    # instead of passing both elements to md_syslog()
    my ($dul_code, $dul_msg) = check_dul($RealRelayHostname);
    if ($dul_code) {
        md_syslog('warning', $dul_msg);
    }
...
}
...
# Heuristic check for dial-up / dynamic-pool style reverse DNS names.
# Returns ('TEMP', message) on a match and an empty list otherwise.
sub check_dul($) {
    my $reverseFQDN = $_[0];
    md_syslog('warning', "Checking for MTAname $reverseFQDN");
    # two 1-3 digit groups joined by '.' or '-', e.g. 12-34-56.example.net;
    # longer runs of digit groups are matched by this pattern as well
    if ($reverseFQDN =~ /\d{1,3}[.\-]\d{1,3}/) {
        return ('TEMP', "$reverseFQDN DUL like syntax");
    } elsif ($reverseFQDN =~ /(xdsl|adsl|pool|dial(in|up|-in|-up)|dynamic)/i) {
        # ISP naming for xDSL / dial-up / dynamic pools
        return ('TEMP', "$reverseFQDN DUL like syntax");
    } else {
        return;
    }
}

> 
>   if ($helo =~ /^\d+\.\d+\.\d+\.\d+$/) {  # looks like an IP
>     if ($helo ne $ip) {
>       return('REJECT', "IP address $ip doesn't match helo string $helo");
>     }
>   }
> 
>   This is fairly effective, I grepped my syslog file on one of two email
> relays and since last Friday it stopped over 5000 email attempts.  It has
> the added effect of stopping those who use *my* IP address as the HELO
> string.
> 
>   HTH...
> 
> Jim McCullars
> University of Alabama in Huntsville
> 
> _______________________________________________
> NOTE: If there is a disclaimer or other legal boilerplate in the above
> message, it is NULL AND VOID.  You may ignore it.
> 
> Visit http://www.mimedefang.org and http://www.roaringpenguin.com
> MIMEDefang mailing list MIMEDefang at lists.roaringpenguin.com
> http://lists.roaringpenguin.com/mailman/listinfo/mimedefang
-- 
Michael Lang <michi+mimedefang at relay3.jackal-net.at>
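As an added, stand-alone illustration of the checks discussed in this thread (not code from the posters or from MIMEDefang itself): Jim's "HELO looks like an IP but is not the connecting IP" test, widened to the bracketed address-literal form the SMTP RFCs permit, a FQDN syntax check for the HELO (which also rejects the negative-integer HELO Michael mentions), and a DUL-style reverse-DNS heuristic, all wired into a log-only mode. The function names, verdict strings and sample hostnames are my own assumptions, not MIMEDefang's.

```python
import ipaddress
import re

# A hostname label: alphanumerics, hyphens only in the interior, 1..63 chars.
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
HOSTNAME_RE = re.compile(rf"{_LABEL}(?:\.{_LABEL})*")
# Reverse-DNS patterns that look like dial-up / dynamic pools (the DUL idea).
DUL_WORDS_RE = re.compile(r"(?:xdsl|adsl|pool|dial(?:in|up|-in|-up)|dynamic)", re.I)
DUL_DIGITS_RE = re.compile(r"\d{1,3}[.-]\d{1,3}")


def check_helo(helo, ip):
    """Classify a HELO argument against the connecting IP.
    Returns (verdict, reason); verdict is 'CONTINUE', 'TEMP' or 'REJECT'."""
    peer = ipaddress.ip_address(ip)
    # SMTP allows an address literal, but only in brackets: HELO [192.0.2.10]
    bracketed = helo.startswith("[") and helo.endswith("]")
    try:
        helo_ip = ipaddress.ip_address(helo[1:-1] if bracketed else helo)
    except ValueError:
        helo_ip = None
    if helo_ip is not None:
        if helo_ip != peer:
            return ("REJECT", f"IP address {ip} doesn't match helo string {helo}")
        if not bracketed:
            return ("TEMP", f"bare IP literal {helo} in HELO; brackets required")
        return ("CONTINUE", "address literal matches connecting IP")
    # Anything else must be a syntactically valid, fully qualified hostname;
    # a leading '-' (e.g. HELO -1) fails the label syntax and is rejected.
    if len(helo) > 255 or not HOSTNAME_RE.fullmatch(helo):
        return ("REJECT", f"HELO {helo!r} is not a valid hostname")
    if "." not in helo:
        return ("TEMP", f"HELO {helo} is not fully qualified")
    return ("CONTINUE", f"HELO {helo} is a syntactically valid FQDN")


def check_dul(reverse_fqdn):
    """Flag reverse-DNS names that look like dynamic/dial-up pools, else None."""
    if DUL_DIGITS_RE.search(reverse_fqdn) or DUL_WORDS_RE.search(reverse_fqdn):
        return ("TEMP", f"{reverse_fqdn} DUL like syntax")
    return None


def classify(helo, ip, reverse_fqdn, log_only=True):
    """Run both checks; in log-only mode a hit is reported but not enforced."""
    verdict, reason = check_helo(helo, ip)
    if verdict == "CONTINUE":
        hit = check_dul(reverse_fqdn)
        if hit:
            verdict, reason = hit
    if log_only and verdict != "CONTINUE":
        return ("CONTINUE", f"log-only: would {verdict} ({reason})")
    return (verdict, reason)
```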