Exim HELO cache

Tracks the unique HELO/EHLO names used per IP in a hints database, which can then be used in ACLs to deny access to common spam zombie behaviour.

ALL HELO names are tracked in the same way, even completely invalid ones and those rejected by the ACL. The data is available from before the CONNECT ACL is run, and updated each time before the HELO ACL is run.

Documentation

helo_cache Use: main Type: boolean Default: false

Enables or disables caching of HELO or EHLO names used per IP, making the data available using ${helocache...}.

helo_cache_max Use: main Type: integer Default: 4

Sets the maximum number of HELO or EHLO names to cache per IP.

helo_cache_time Use: main Type: time Default: 1d

Sets the maximum time any specific HELO or EHLO name is cached per IP.

Note that whole records older than this are not automatically removed.


${helocache{<mode>}{<string>}}

This function provides access to the HELO/EHLO cache data.

For <mode> "count":
Returns a count of unique HELO/EHLO names for the duration specified in <string>. Specify "0" to get a count of all the names stored.
For <mode> "name":
Returns the HELO/EHLO name with ID <string>, numbered from 1 and in reverse chronological order.
For <mode> "time":
Returns the timestamp of the last use of the HELO/EHLO name with ID <string>, numbered from 1 and in reverse chronological order.

Example

22:48:48 SMTP connection from [200.6.227.119]:25548 (TCP/IP connection count = 1)
22:48:54 no IP address found for host 119.227.6.200.intelnet.net.gt (during SMTP connection from [200.6.227.119]:25548)
22:48:55 H=(RAPINET-MN8LN3G) [200.6.227.119]:25548 rejected EHLO or HELO rapinet-mn8ln3g: invalid_hosthelo
22:48:55 SMTP connection from (RAPINET-MN8LN3G) [200.6.227.119]:25548 closed by DROP in ACL
22:49:06 SMTP connection from [200.6.227.119]:25756 (TCP/IP connection count = 1)
22:49:11 no IP address found for host 119.227.6.200.intelnet.net.gt (during SMTP connection from [200.6.227.119]:25756)
22:49:12 H=(RAPINET-MN8LN3G.m6iiw.com) [200.6.227.119]:25756 temporarily rejected EHLO or HELO rapinet-mn8ln3g.m6iiw.com: changing_helo/2
22:49:13 H=(RAPINET-MN8LN3G.m6iiw.com) [200.6.227.119]:25756 temporarily rejected EHLO or HELO rapinet-mn8ln3g.m6iiw.com: changing_helo/2
22:49:14 SMTP connection from [200.6.227.119]:25756 lost

Conveniently, these hosts do not go on to send the message (which is possible despite the 4xx reply to the HELO), so there is no danger of rejecting mail from real hosts because of a DROP verb.

Configuration

# Enable or disable HELO caching (default: false)
helo_cache = true

# Maximum number of unique names to cache (default: 4)
helo_cache_max = 4

# Expiry time of individual HELO names and whole records (default: 1d)
helo_cache_time = 1d

HELO ACL

drop
	condition   = ${if match{$sender_helo_name}{\N^\[\N}{no}{yes}}
	condition   = ${if match{$sender_helo_name}{\N\.\N}{no}{yes}}
	log_message = invalid_hosthelo
	message     = Access denied - Invalid HELO name (See RFC2821 4.1.1.1)
defer
	# Store the count so it doesn't have to be repeatedly calculated,
	# and so it won't suddenly change later in the ACL (e.g. if an entry
	# was going to expire 1s from now)
	set acl_m1  = ${helocache{count}{5m}}
	condition   = ${if >{$acl_m1}{1}{yes}{no}}
	log_message = changing_helo/$acl_m1
	message     = Access denied - Too many different HELO names ($acl_m1 in the last five minutes)
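To make the semantics of ${helocache{<mode>}{<string>}} and of the HELO ACL above concrete, here is an added Python model of the cache and the two ACL rules; it is an illustration written for this page, not code from the patch itself. It assumes the cache is a plain dictionary rather than an Exim hints database, that timestamps are integer seconds, that HELO names are compared case-insensitively (the page does not say), and that the 5m window of the ACL is 300 seconds. The function names HeloCache, helo_acl and the *_example helpers are hypothetical; the replay uses the IP address and HELO names from the log excerpt on this page, with the other addresses constructed from documentation ranges.

```python
"""Model of the Exim HELO cache patch's data and ACL logic (added illustration, not the patch's own code)."""

from collections import defaultdict


class HeloCache:
    """Per-IP list of (helo_name, last_used) tuples, most recent first.

    Assumptions (not stated on the page): names are compared case-insensitively,
    and the whole cache lives in a dict rather than an Exim hints database.
    """

    def __init__(self, helo_cache_max=4, helo_cache_time=86400):
        self.max_names = helo_cache_max   # helo_cache_max (default 4)
        self.max_age = helo_cache_time    # helo_cache_time in seconds (default 1d)
        self._db = defaultdict(list)      # ip -> [(name, last_used), ...]

    def record(self, ip, helo_name, now):
        """Update the record for ip; the patch does this before each HELO ACL run."""
        key = helo_name.lower()           # assumption: case-insensitive names
        names = self._db[ip]
        # Expire individual names older than helo_cache_time and remove a
        # re-used name so that re-inserting it keeps reverse chronological order.
        names[:] = [(n, t) for n, t in names if now - t <= self.max_age and n != key]
        names.insert(0, (key, now))
        del names[self.max_names:]        # enforce helo_cache_max, dropping the oldest

    def count(self, ip, duration, now):
        """${helocache{count}{duration}}: names used within duration seconds (0 = all stored)."""
        names = self._db.get(ip, [])
        if duration == 0:
            return len(names)
        return sum(1 for _, t in names if now - t <= duration)

    def name(self, ip, idx):
        """${helocache{name}{idx}}: idx counts from 1, most recent first; "" if absent."""
        names = self._db.get(ip, [])
        return names[idx - 1][0] if 1 <= idx <= len(names) else ""

    def time(self, ip, idx):
        """${helocache{time}{idx}}: last-use timestamp of the idx-th most recent name."""
        names = self._db.get(ip, [])
        return names[idx - 1][1] if 1 <= idx <= len(names) else None


def helo_acl(cache, ip, helo_name, now, window=300):
    """Mirror of the page's HELO ACL: drop bare names, then defer on changing names."""
    cache.record(ip, helo_name, now)
    # drop rule: the name neither starts with '[' nor contains a '.'
    if not helo_name.startswith("[") and "." not in helo_name:
        return ("drop", "invalid_hosthelo")
    # defer rule: the count is taken once, like 'set acl_m1', so it cannot change mid-ACL
    acl_m1 = cache.count(ip, window, now)
    if acl_m1 > 1:
        return ("defer", f"changing_helo/{acl_m1}")
    return ("accept", "")


def replay_page_example():
    """Replay the three HELOs from the page's log excerpt (seconds from the first one)."""
    cache = HeloCache()
    ip = "200.6.227.119"
    events = [(0, "RAPINET-MN8LN3G"),
              (17, "RAPINET-MN8LN3G.m6iiw.com"),
              (18, "RAPINET-MN8LN3G.m6iiw.com")]
    return [helo_acl(cache, ip, name, t) for t, name in events]


def legitimate_host_example():
    """Constructed case: one name per day never exceeds one name inside the 5 minute window."""
    cache = HeloCache()
    ip = "192.0.2.10"                     # constructed address
    first = helo_acl(cache, ip, "mail.example.org", 0)
    # A day later the old entry has passed helo_cache_time and is dropped on the next update.
    second = helo_acl(cache, ip, "mx.example.org", 90000)
    return first, second, cache.count(ip, 0, 90000)


def overflow_example():
    """Constructed case: five names in a row; only helo_cache_max (4) survive, newest first."""
    cache = HeloCache()
    ip = "192.0.2.20"                     # constructed address
    for t in range(5):
        cache.record(ip, f"h{t}.example.net", t)
    return cache.count(ip, 0, 5), cache.name(ip, 1), cache.name(ip, 4), cache.name(ip, 5)


if __name__ == "__main__":
    print(replay_page_example())
    print(legitimate_host_example())
    print(overflow_example())
```

Running the replay reproduces the log: the first bare name is dropped as invalid_hosthelo, and both later HELOs from the same address are deferred with changing_helo/2, since the invalid name is still counted even though the ACL rejected it. The other two helpers show the two limits a practitioner should keep in mind when tuning: helo_cache_time decides how long an old name keeps counting against a host, and helo_cache_max caps how many distinct names a single address can ever contribute to the count.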

Download

The code is released under the GNU General Public License (GPL).

This patch is based loosely on Ollie Cook's version, which tracks only the previous HELO name.



Last modified 2008-01-26T10:12:18+00:00.
©2002-2024 Simon Arlott. All Rights Reserved.