[milters] Archive

Lists Index Date Thread Search

Article: 1221
From: Anthony Howe
Date: 2006-11-01 19:51:20 -0500
Subject: Re: possible SMTP attack: command=HELO/EHLO, count=3

Removal...........: milters-request@milter.info?subject=remove
More information..: http://www.milter.info/#Support
--------------------------------------------------------

Ken A wrote:
> Is there any way to quickly block these using an existing milter?
> 
> possible SMTP attack: command=HELO/EHLO, count=3
> 
> I know greylisting works, since these are from malfunctioning botnets, 
> but I'm hoping to be able to simply reject based on the HELO containing 
> '|', which these do, and which isn't a valid char for a hostname.

A new anti-spam filter I'm testing deals with these very nicely already, 
but it's not ready for the public just yet.

milter-cli with an envelope script would be my other choice. It was 
designed to fill in when there is no other solution.

Failing that, it would be easy enough to patch one of the milters like 
-link, -sender, -gris, -spiff, or -siq in the filterHelo() function.

For example in milter-link, find the trace log line in filterHelo:

	smfLog(SMF_LOG_TRACE, TAG_FORMAT "filterHelo(%lx, '%s')", TAG_ARGS, (long) ctx, TextNull(helohost));

and insert the following block after it:

{
	/* Reject the HELO argument unless every byte is a letter, digit, or
	 * one of the few punctuation characters a hostname or address literal
	 * ([192.0.2.1], [IPv6:...]) can carry. Walk the string as unsigned
	 * char: passing a negative plain char (any byte >= 0x80) to isalnum()
	 * is undefined behaviour. isalnum() needs <ctype.h>. */
	unsigned char *h;
	for (h = (unsigned char *) helohost; *h != '\0'; h++) {
		switch (*h) {
		case '.': case ':':
		case '-': case '_':
		case '[': case ']':
			break;
		default:
			if (!isalnum(*h))
				return smfReply(&data->work, 550, "5.7.1", "invalid HELO argument");
		}
	}
}

This code could be added in most of the other milters that have a 
filterHelo() function defined.

-- 
Anthony C Howe          Skype: SirWumpus                    SnertSoft
+33 6 11 89 73 78         AIM: SirWumpus    Sendmail Milter Solutions
http://www.snert.com/     ICQ: 7116561
     http://www.snertsoft.com/
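The check above lives inside a milter and cannot be run on its own. The following is an added example, not code from the post or from any SnertSoft milter: the same character-class rule pulled out into a standalone C function (the names helo_check, helo_byte_allowed and helo_verdict are my own) that also reports where the first offending byte sits, run over constructed HELO arguments including the '|' case from the question, an address literal, an IPv6 literal, an embedded space, non-ASCII bytes and an empty argument.

```c
/* Standalone HELO/EHLO argument check (added example; names and samples
 * are mine, the allowed character set is the one the patch above uses). */
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>

/* Result of checking one HELO/EHLO argument. */
enum helo_verdict {
    HELO_OK = 0,     /* every byte is allowed in a hostname or address literal */
    HELO_EMPTY,      /* no argument at all; the MTA itself normally rejects this */
    HELO_BAD_CHAR    /* at least one byte outside the allowed set */
};

/*
 * Allowed bytes: ASCII letters and digits, the hostname punctuation '.'
 * and '-', the non-standard but common '_', and '[', ']', ':' for address
 * literals such as [192.0.2.1] or [IPv6:2001:db8::1]. The parameter is
 * unsigned char so that bytes >= 0x80 never reach isalnum() as a negative
 * value, which would be undefined behaviour.
 */
static int helo_byte_allowed(unsigned char c)
{
    switch (c) {
    case '.': case ':':
    case '-': case '_':
    case '[': case ']':
        return 1;
    default:
        return isalnum(c) != 0;
    }
}

/*
 * Check a HELO/EHLO argument. On HELO_BAD_CHAR, *bad_offset (if non-NULL)
 * receives the index of the first offending byte, worth logging before
 * answering 550 5.7.1 to the client.
 */
enum helo_verdict helo_check(const char *helo, size_t *bad_offset)
{
    const unsigned char *p;

    if (helo == NULL || *helo == '\0')
        return HELO_EMPTY;

    for (p = (const unsigned char *)helo; *p != '\0'; p++) {
        if (!helo_byte_allowed(*p)) {
            if (bad_offset != NULL)
                *bad_offset = (size_t)(p - (const unsigned char *)helo);
            return HELO_BAD_CHAR;
        }
    }
    return HELO_OK;
}

int main(void)
{
    /* Constructed sample arguments, not taken from any real log. */
    static const char *const samples[] = {
        "mail.example.com",
        "[192.0.2.1]",
        "[IPv6:2001:db8::1]",
        "my_host.example.net",
        "abc|def.example.com",   /* the '|' pattern from the original question */
        "host name",             /* embedded space */
        "h\xc3\xa9llo.example",  /* UTF-8 bytes >= 0x80 */
        "",
    };
    size_t i, off = 0;

    for (i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        enum helo_verdict v = helo_check(samples[i], &off);
        if (v == HELO_BAD_CHAR)
            printf("REJECT 550 5.7.1 invalid HELO argument: \"%s\" (byte 0x%02x at offset %zu)\n",
                   samples[i], (unsigned char)samples[i][off], off);
        else if (v == HELO_EMPTY)
            printf("REJECT empty HELO argument\n");
        else
            printf("ACCEPT \"%s\"\n", samples[i]);
    }
    return 0;
}
```

The function runs in the "C" locale, so isalnum() accepts only ASCII letters and digits; a milter that calls setlocale() would need to keep that in mind, since in some locales isalnum() accepts high bytes too.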
