[Mimedefang] Rejecting forged senders - comments?

John Rudd john at rudd.cc
Wed Sep 20 04:44:22 EDT 2006


Johan Sleeuwenhoek wrote:
>
> I'm configuring a similar setup and was wondering whether it is
> possible to put it in filter_helo?
>
> 2006/9/19, Cormack, Ken <ken.cormack at roadway.com>:
>> I'd like to see if anyone has any comments on an idea to block spam from
>> forged senders who claim my domain in the sender address.  I'm assuming
>> something like this could (or should?) be done for both the SMTP "MAIL
>> FROM:" and the "From:" in the header.
>>


If you put it in filter_sender, you can still check against the 
HELO/EHLO string, but you can also exempt anyone who has done 
SMTP-AUTH.  So, it's really better to put it in filter_sender.

But:

1) to reject based on the content of the HELO string is an RFC violation

2) In my experience, 90% of the things you would reject are going to be 
caught by doing other checks, such as:

   a) IP address doesn't have a PTR record
   b) the hostname in the PTR record doesn't resolve back to the IP address
   c) the hostname in the PTR record goes to a CNAME and not an A record
   d) the hostname in the PTR record looks "dynamic" (has words like 
dsl, cable, dial-up, dialup, dhcp, or dynamic in the hostname, or has 2 
or more octets of the IP address in its hostname)


IMO: you're better off checking for those 4 things than looking at the 
HELO/EHLO string.
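
The four PTR checks (a) through (d) from the message above, as an added Perl example that is not part of the original post or of MIMEDefang's own code. The function names `looks_dynamic` and `ptr_verdict` are hypothetical, and the `%PTR`/`%FWD` tables are constructed sample data standing in for live DNS lookups so the script runs offline.

```perl
use strict;
use warnings;

# Constructed DNS data (documentation address ranges), standing in for live lookups.
my %PTR = (
    '192.0.2.10'   => 'mail.example.org',
    '192.0.2.20'   => 'alias.example.org',
    '192.0.2.30'   => 'mismatch.example.org',
    '198.51.100.7' => 'host-198-51-100-7.dsl.example.net',
);
my %FWD = (    # hostname => [ record type, value ]
    'mail.example.org'                  => [ A     => '192.0.2.10' ],
    'alias.example.org'                 => [ CNAME => 'mail.example.org' ],
    'mismatch.example.org'              => [ A     => '192.0.2.99' ],
    'host-198-51-100-7.dsl.example.net' => [ A     => '198.51.100.7' ],
);

# (d) a keyword from the post's list, or 2 or more octets of the IP in the name
sub looks_dynamic {
    my ($ip, $host) = @_;
    return 1 if $host =~ /dsl|cable|dial-?up|dhcp|dynamic/i;
    my $hits = 0;
    for my $octet (split /\./, $ip) {
        # whole-number match (zero padding allowed); consume it so that
        # one label cannot be counted for two equal octets
        $hits++ if $host =~ s/(?<![0-9])0*\Q$octet\E(?![0-9])/#/;
    }
    return $hits >= 2;
}

# Returns the letter of the first failed check, or '' when all four pass.
sub ptr_verdict {
    my ($ip) = @_;
    my $host = $PTR{$ip}   or return 'a';    # (a) no PTR record
    my $rec  = $FWD{$host} or return 'b';    # (b) PTR name does not resolve
    return 'c' if $rec->[0] eq 'CNAME';      # (c) PTR name is a CNAME, not an A
    return 'b' if $rec->[1] ne $ip;          # (b) A record is not the client IP
    return 'd' if looks_dynamic($ip, $host); # (d) dynamic-looking name
    return '';
}

for my $ip ('192.0.2.10', '203.0.113.5', '192.0.2.30', '192.0.2.20', '198.51.100.7') {
    printf "%-14s %s\n", $ip, ptr_verdict($ip) || 'pass';
}
```

In a live filter this logic would be called from `filter_sender` with real DNS lookups, after exempting SMTP-AUTH senders as the message suggests.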



