I've noticed some SPAMmers recently starting to HELO using non-routable IP addresses (mostly 10.x.x.x or 192.168.x.x).

I'm thinking of filtering for this, and I came up with this code (which would be placed AFTER the check for an IP-based HELO in square brackets - so any IP-based HELO missing the brackets has already been rejected).

I'd appreciate any feedback anyone would like to offer on this code snippet:

         # Check for a HELO that is a non-routable address and therefore invalid
         # (\d matches a digit; a bare "d" would only match the literal letter)
         if (($helo =~ /(^|\[)10\.\d{1,3}\.\d{1,3}\.\d{1,3}\]$/i) ||
                 ($helo =~ /(^|\[)192\.168\.\d{1,3}\.\d{1,3}\]$/i))
                {
                md_syslog('alert',"$MsgID: Fraudulent HELO $helo by Host $hostip");
                return('REJECT', "FRAUDULENT HELO/EHLO: $hostip is not $helo");
                }

Obviously, if I have sending hosts on my network that really did have non-routable addresses, this would be a possible problem (although the simple solution is for them to not HELO with their IP, but use their hostname). And yes, the code does omit the 172.16-31.x.x range - haven't seen them yet, although I imagine it's just a matter of time.

Dirk
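
An added example, not part of the original post or of MIMEDefang itself: the same check written so that it parses the octets numerically, covers all three RFC 1918 ranges (including the 172.16-31.x.x range the post leaves out), and skips peers that are themselves on private addresses. The sub names, the exemption policy and the sample values are assumptions made for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Return the RFC 1918 block an IPv4 literal falls in, or undef.
# Square brackets are optional here so the same sub can classify
# both a HELO argument and a plain relay address.
sub private_block {
    my ($text) = @_;
    return unless defined $text;
    my ($ip) = $text =~ /\A\[?(\d{1,3}(?:\.\d{1,3}){3})\]?\z/ or return;
    my @o = split /\./, $ip;
    return if grep { $_ > 255 } @o;    # e.g. 10.999.1.1 is not an address

    return '10.0.0.0/8'     if $o[0] == 10;
    return '172.16.0.0/12'  if $o[0] == 172 && $o[1] >= 16 && $o[1] <= 31;
    return '192.168.0.0/16' if $o[0] == 192 && $o[1] == 168;
    return;
}

# Assumed policy (not the poster's rule): a private HELO literal is only
# treated as fraudulent when the connecting peer is NOT itself on a
# private address, so internal hosts that HELO with their IP still pass.
sub helo_is_fraudulent {
    my ($helo, $hostip) = @_;
    return 0 unless defined private_block($helo);
    return defined private_block($hostip) ? 0 : 1;
}

# Constructed sample data: [HELO argument, connecting IP].
my @samples = (
    ['[10.1.2.3]',       '203.0.113.7'],   # private literal, external peer
    ['[172.20.9.1]',     '203.0.113.7'],   # range missing from the post
    ['[172.32.0.1]',     '203.0.113.7'],   # just outside 172.16.0.0/12
    ['[192.168.0.5]',    '192.168.0.5'],   # internal host, exempted
    ['[10.999.1.1]',     '203.0.113.7'],   # malformed octet
    ['10.example.com',   '203.0.113.7'],   # hostname starting with "10."
    ['mail.example.org', '203.0.113.7'],
);

for my $s (@samples) {
    my ($helo, $hostip) = @$s;
    printf "%-18s from %-13s => %s\n", $helo, $hostip,
        helo_is_fraudulent($helo, $hostip) ? 'REJECT' : 'pass';
}
```

In a filter, a true result from `helo_is_fraudulent($helo, $hostip)` would take the same `md_syslog` / `return('REJECT', ...)` branch shown in the post.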