[SA-exim] Klezmail with forged envelope
Tor Slettnes
tor at slett.net
Thu Apr 8 10:38:25 PDT 2004
On Apr 6, 2004, at 14:30, Tim Jackson wrote:
> Even without that, these days fairly little viral stuff reaches my
> ClamAV daemon by the time it's been through various tests; the obvious
> ones being:
>
> - reject your own domain name(s) given in remote HELOs (this catches a
>   lot of recent viral junk)
>
> - use Exiscan to block "bad" extensions
>
> Those alone clean up a lot of rubbish.
One more, which seems to catch even more junk on my side (though
perhaps more spam than virii):

- Reject plain IP addresses given in HELO/EHLO greetings.

Per RFC, you must allow IP literals, i.e. IP addresses enclosed in
square brackets:

    HELO [192.168.0.1]      <----- Valid

However, IP addresses without the square brackets are not mandated,
and are _only_ used by spamware and virii. (Typically, they will HELO
with _your_ IP address).
Exim ACL snippet:

    deny message   = You greeted me with an IP address. I want your name.
         condition = ${if isip {$sender_helo_name}{true}{false}}
         delay     = 20s
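As an added illustration of the two HELO checks discussed in this thread (Tim's "reject your own domain name in HELO" and Tor's "reject bare IP addresses in HELO"), the following Python is example code written for this page, not part of the original post or of Exim. It reproduces the logic of the `isip` condition above: a bare address such as `192.0.2.10` is rejected, while an RFC-style address literal in square brackets (`[192.0.2.10]`, or `[IPv6:2001:db8::1]` per RFC 5321) is accepted. The own-name set and all sample HELO strings are constructed for the example.

```python
import ipaddress

# Names this server answers to. A remote host that greets with one of these
# is forging. Constructed example values, not from the original post.
OWN_NAMES = {"mail.example.org", "example.org"}

# Constructed sample HELO/EHLO arguments covering each case the thread describes.
SAMPLE_HELOS = [
    "192.0.2.10",            # bare IPv4: spamware/virus style
    "2001:db8::1",           # bare IPv6: same problem
    "[192.0.2.10]",          # RFC address literal: must be allowed
    "[IPv6:2001:db8::1]",    # RFC IPv6 address literal: must be allowed
    "mail.example.org",      # remote host claiming to be us
    "smtp.example.net",      # ordinary hostname
]


def is_bare_ip(helo: str) -> bool:
    """True if the HELO argument is a naked IPv4/IPv6 address without brackets.

    This mirrors Exim's ${if isip {...}} test, which is false for a
    bracketed literal because of the brackets.
    """
    try:
        ipaddress.ip_address(helo)
        return True
    except ValueError:
        return False


def is_address_literal(helo: str) -> bool:
    """True for the RFC-permitted forms [192.0.2.1] and [IPv6:2001:db8::1]."""
    if len(helo) < 3 or helo[0] != "[" or helo[-1] != "]":
        return False
    inner = helo[1:-1]
    try:
        if inner[:5].upper() == "IPV6:":
            # IPv6 literals carry the "IPv6:" tag; the rest must be an IPv6 address.
            return isinstance(ipaddress.ip_address(inner[5:]), ipaddress.IPv6Address)
        # Untagged literals must be IPv4 addresses.
        return isinstance(ipaddress.ip_address(inner), ipaddress.IPv4Address)
    except ValueError:
        return False


def helo_verdict(helo: str, own_names=OWN_NAMES) -> str:
    """Return 'reject-bare-ip', 'reject-own-name' or 'accept' for one HELO argument."""
    if is_bare_ip(helo):
        return "reject-bare-ip"
    if helo.lower() in own_names:
        return "reject-own-name"
    # Address literals and any other hostname pass this stage; further checks
    # (extension blocking, virus scanning) would run later in the ACL chain.
    return "accept"


def run_samples(helos=SAMPLE_HELOS):
    """Evaluate each constructed sample and return (helo, verdict) pairs."""
    return [(h, helo_verdict(h)) for h in helos]


if __name__ == "__main__":
    for helo, verdict in run_samples():
        print(f"{helo:24} -> {verdict}")
```

Note that the bracketed literal is accepted even when it happens to be your own address; the RFC requires that form to be allowed, so this check only targets the unbracketed form that the post describes as used solely by spamware.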