[Mimedefang] sendmail and filter_helo interaction

John Rudd john at rudd.cc
Fri Nov 10 01:11:37 EST 2006


Dirk the Daring wrote:
> 
> 
>         # Check #4
>         # If the HELO is an FQDN, the index and rindex of "." will not be the same
>         # This catches the spammer using domain.tld (which will slip
>         #       by Check #2)
>         if ( index($helo, ".") == rindex($helo, ".") )
>             {
>             # Reject connection - invalid HELO
>             md_syslog('alert', "Non-FQDN HELO $helo by Host $hostip");
>             return('REJECT', "INVALID HELO/EHLO: $helo is not FQDN");
>             }

> 
> 
>    As I wrote previously, my entire filter is heavily logged. My 
> analysis of those logs indicates that only about 50% of foreign 
> mailhosts connecting to my network get past HELO. Based on the 
> I-think-reasonable assumption that no "legitimate" mail server would be 
> tripped up by GREETPAUSE, RATECONTROL, CONNCONTROL or the tests I have 
> in filter_helo, my conclusion is that those 50% are spammers, and I'm 
> effectively stopping them by the end of HELO.
> 


Given that I don't think check #4 is valid, I'm not sure I believe your 
claim.  For one, depending on the configuration I'm using, you might end 
up rejecting my email, because my mail server's hostname is the 
registered domain name (rudd.cc) ... and I'm not a spammer.

(I don't recall any prohibition on a host's name being just its 
registered domain, domain.tld)

I'm also curious why you're using a lot of index/rindex calls instead of 
regular expressions (I'm not enough of an expert to know if one is 
honestly faster than the other).  For the above one, why not:

$helo =~ /^[^\.]+\.[^\.]+$/

(from the start of the string, one or more non-dots, followed by 1 dot, 
followed by one or more non-dots, and then the end of the string; you 
can only match this expression if you have exactly 1 dot in the string)

Or,

(($helo =~ /\./) && ($helo !~ /\..+\./))

(contains at least one dot, AND does not contain: a dot, at least any 
one other character, and then another dot, anywhere in the string; 
again, you can only match these two expressions if you have exactly one 
dot in the string)


$helo =~ /\./

also works for your "index of . isn't -1" check.
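
The three single-dot tests discussed in this message, run side by side over constructed HELO strings. This is an added example, not part of the original post; the sub names and every sample value other than rudd.cc are made up for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Check #4 as quoted: first and last "." sit at the same index.
# index() and rindex() both return -1 when there is no dot, so this is
# also true for a dotless name; the quoted filter tests that case separately.
sub one_dot_index {
    my ($helo) = @_;
    return (index($helo, ".") == rindex($helo, ".")) ? 1 : 0;
}

# First regex from the reply: non-dots, exactly one dot, non-dots.
sub one_dot_anchored {
    my ($helo) = @_;
    return ($helo =~ /^[^\.]+\.[^\.]+$/) ? 1 : 0;
}

# Second form from the reply: contains a dot, and contains no
# dot + one-or-more characters + dot sequence.
sub one_dot_pair {
    my ($helo) = @_;
    return (($helo =~ /\./) && ($helo !~ /\..+\./)) ? 1 : 0;
}

# Reference value: tr/// with an empty replacement counts without modifying.
sub dot_count {
    my ($helo) = @_;
    return ($helo =~ tr/.//);
}

# Constructed HELO arguments (rudd.cc is the hostname named in the message).
my @samples = ('mail.example.com', 'rudd.cc', 'localhost', 'example.com.',
               'a..b', '.com', '[192.0.2.1]');

printf "%-18s %4s %6s %9s %5s\n", 'HELO', 'dots', 'index', 'anchored', 'pair';
for my $helo (@samples) {
    printf "%-18s %4d %6d %9d %5d\n", $helo, dot_count($helo),
        one_dot_index($helo), one_dot_anchored($helo), one_dot_pair($helo);
}
```

The rows worth reading are the ones where the three columns disagree: a name with no dot, a name with a leading dot, and a name with two adjacent dots.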



