Tracks the unique HELO/EHLO names used per IP in a hints database, which can then be used in ACLs to deny access to common spam zombie behaviour:

    2006-07-19 22:48:48 SMTP connection from [200.6.227.119]:25548 (TCP/IP connection count = 1)
    2006-07-19 22:48:54 no IP address found for host 119.227.6.200.intelnet.net.gt (during SMTP connection from [200.6.227.119]:25548)
    2006-07-19 22:48:55 H=(RAPINET-MN8LN3G) [200.6.227.119]:25548 rejected EHLO or HELO rapinet-mn8ln3g: invalid_hosthelo
    2006-07-19 22:48:55 SMTP connection from (RAPINET-MN8LN3G) [200.6.227.119]:25548 closed by DROP in ACL
    2006-07-19 22:49:06 SMTP connection from [200.6.227.119]:25756 (TCP/IP connection count = 1)
    2006-07-19 22:49:11 no IP address found for host 119.227.6.200.intelnet.net.gt (during SMTP connection from [200.6.227.119]:25756)
    2006-07-19 22:49:12 H=(RAPINET-MN8LN3G.m6iiw.com) [200.6.227.119]:25756 temporarily rejected EHLO or HELO rapinet-mn8ln3g.m6iiw.com: changing_helo/2
    2006-07-19 22:49:13 H=(RAPINET-MN8LN3G.m6iiw.com) [200.6.227.119]:25756 temporarily rejected EHLO or HELO rapinet-mn8ln3g.m6iiw.com: changing_helo/2
    2006-07-19 22:49:14 SMTP connection from [200.6.227.119]:25756 lost

Conveniently these hosts don't continue to send the email (which is possible despite the 4xx reply to the HELO), so there is no danger of rejecting mail from real hosts because of a DROP verb.

Configuration:

    helo_cache = true
    # helo_cache_max = 4
    # helo_cache_time = 1d

HELO ACL:

    defer
      # Store the count so it doesn't have to be repeatedly calculated,
      # and so it won't suddenly change later in the ACL (e.g. if an entry
      # was going to expire 1s from now)
      set acl_c8 = ${helocache{count}{5m}}
      condition = ${if >{$acl_c8}{1}{yes}{no}}
      log_message = changing_helo/$acl_c8
      message = Access denied - Too many different HELO names ($acl_c8 in the last five minutes)
      condition = ${perl{rrd_log}{helo}{R}}

ALL HELO names are tracked in the same way, even completely invalid ones and those rejected by the ACL. The data is available from before the CONNECT ACL is run, and updated before the HELO ACL is run.

This patch is based loosely on Ollie Cook's version which tracks the previous HELO name:
http://www.olliecook.net/projects/eximpatches/exim-4.30-helo-cache.diff

-- 
Simon Arlott
http://simon.arlott.org/
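
An added example, not part of the patch or of Exim: a Python script that replays an existing main log and reports which IPs would have tripped the "more than one HELO name in five minutes" rule, so the policy can be checked against real traffic before the defer is enabled. It assumes the count is the number of distinct names, compared case-insensitively, seen from one IP inside the window; the function name and the sample log lines are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in the Exim main-log format quoted above
# (documentation-range addresses, made-up host names).
SAMPLE_LOG = """\
2006-07-19 22:48:54 SMTP connection from [192.0.2.10]:25548 (TCP/IP connection count = 1)
2006-07-19 22:48:55 H=(ZOMBIE-PC) [192.0.2.10]:25548 rejected EHLO or HELO zombie-pc: invalid_hosthelo
2006-07-19 22:49:12 H=(ZOMBIE-PC.example.com) [192.0.2.10]:25756 temporarily rejected EHLO or HELO zombie-pc.example.com: changing_helo/2
2006-07-19 22:50:01 H=mail.example.org [198.51.100.7]:40112 rejected RCPT <a@example.net>: relay not permitted
2006-07-19 22:52:40 H=mail.example.org [198.51.100.7]:40388 rejected RCPT <b@example.net>: relay not permitted
2006-07-19 22:58:30 H=(other.example.com) [192.0.2.10]:26001 rejected EHLO or HELO other.example.com: invalid_hosthelo
"""

# Only lines where H= directly follows the timestamp (inbound rejections such as
# the ones on this page) are read, so outbound delivery lines are never counted.
# Forms handled: H=(helo) [ip]   H=host (helo) [ip]   H=host [ip]
LINE_RE = re.compile(
    r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) H=(?:([^\s(\[]+) )?(?:\(([^)]*)\) )?"
    r"\[([0-9A-Fa-f.:]+)\]")

def changing_helo(log_text, window=timedelta(minutes=5), threshold=1):
    """Return {ip: highest distinct-HELO count reached} for IPs above threshold."""
    seen = defaultdict(dict)            # ip -> {helo name: time last seen}
    worst = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        when = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        # With no parenthesised name, the HELO matched the verified host name.
        helo = (m.group(3) or m.group(2) or "").lower()
        if not helo:
            continue
        names = seen[m.group(4)]
        names[helo] = when
        # Drop names last seen outside the window before counting.
        for old in [n for n, t in names.items() if when - t > window]:
            del names[old]
        if len(names) > threshold:
            worst[m.group(4)] = max(worst.get(m.group(4), 0), len(names))
    return worst

if __name__ == "__main__":
    for ip, count in changing_helo(SAMPLE_LOG).items():
        print(f"{ip} changing_helo/{count}")
```

Widening `window` shows how many additional hosts a longer lookback would catch; the host that keeps one name across connections is never reported.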