This is a discussion on "Filtering based on HELO <domain> ?" within the alt.comp.mail.qmail forums, part of the Mail Servers and Related category.
Hi All!
I've got one spammer consistently spamming my domain (getting around RBL lists *and* TMDA), by forging my own domain in the (SMTP) MAIL FROM command, and the HELO command, and of course moving his sending IP around to various foreign hacked systems - not relaying. (He's using primarily the MS-SQL Hello overflow bug.)

My question is: Has anyone written a patch to qmail-smtpd to filter out certain domains in the HELO command of an SMTP transaction? I'd like to drop the connection on anyone who tries to use one of my own domains in a HELO command from the outside world. That's the only way I can think of to filter out this particular spammer.

Eric

------------------------------------------------------------
Return-Path: <eric@ericcox.com>
Delivered-To: eric@ericcox.com
Received: (qmail 23983 invoked by uid 0); 20 Jul 2003 09:55:38 -0000
Received: from unknown (HELO ericcox.com) (62.57.58.219) by dream with SMTP; 20 Jul 2003 09:55:38 -0000
Received: from joan-qle15dsadc [62.57.58.219] by ericcox.com with MailMXPro(2195.53); dom, 20 jul 2003 18:46:35 -0600
From: "hott smith" <eric@ericcox.com>
To: <eric@ericcox.com>
Subject: Why should you refinance your mortgage?
Date: dom, 20 jul 2003 18:46:35 -0600
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="----=_NextPart_227_7TD_70OLDR2978.ENV2551I"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000
Return-Path: eric@ericcox.com
Abuse-Tracking: <WlhKcFkwQmxjbWxqWTI5NExtTnZiUT09>
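The check Eric is asking for, written out as an added example (this is not a qmail patch and not code from anyone in the thread): given the HELO/EHLO argument and the client's IP address, reject when an outside client claims one of our own domains or a host under them. In qmail-smtpd the HELO argument arrives in smtp_helo() and the client address in the TCPREMOTEIP environment variable set by tcpserver; the domain list and the trusted-network prefixes below are constructed for the example and would normally come from a control file and from the tcpserver rules (RELAYCLIENT) instead of being hard-coded. The sample inputs reproduce the "HELO ericcox.com" from 62.57.58.219 seen in the Received line above.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Constructed data for the example. A real qmail-smtpd patch would read the
 * domain list from a control file and take the client address from the
 * TCPREMOTEIP environment variable that tcpserver sets. */
static const char *local_domains[]    = { "ericcox.com", "example.org", NULL };
static const char *trusted_prefixes[] = { "127.", "192.168.1.", NULL };

/* Case-insensitive equality of two NUL-terminated strings. */
static int str_ieq(const char *a, const char *b)
{
    for (; *a && *b; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b))
            return 0;
    return *a == '\0' && *b == '\0';
}

/* Returns 1 if `helo` names `domain` itself or a host under it.
 * A trailing dot (absolute FQDN form) is ignored, the comparison is
 * case-insensitive, and the suffix must start at a label boundary so that
 * "notericcox.com" does not match "ericcox.com". */
int helo_claims_domain(const char *helo, const char *domain)
{
    char buf[256];
    size_t n = strlen(helo), dl = strlen(domain);

    if (dl == 0 || n == 0 || n >= sizeof buf)
        return 0;                      /* empty or oversized: not a match here */
    memcpy(buf, helo, n + 1);
    if (buf[n - 1] == '.')
        buf[--n] = '\0';
    if (n < dl)
        return 0;
    if (n == dl)
        return str_ieq(buf, domain);
    return buf[n - dl - 1] == '.' && str_ieq(buf + (n - dl), domain);
}

/* Trusted (internal) client address? Simple prefix match on dotted quads. */
int ip_is_trusted(const char *ip)
{
    const char **p;
    for (p = trusted_prefixes; *p; p++)
        if (strncmp(ip, *p, strlen(*p)) == 0)
            return 1;
    return 0;
}

/* The policy decision: 1 = reject the HELO, 0 = let it through.
 * Only outside clients are checked; internal hosts may legitimately
 * HELO with one of our own names. */
int helo_is_forged(const char *helo, const char *remote_ip)
{
    const char **d;
    if (ip_is_trusted(remote_ip))
        return 0;
    for (d = local_domains; *d; d++)
        if (helo_claims_domain(helo, *d))
            return 1;
    return 0;
}

int main(void)
{
    /* Constructed samples; the first mirrors the Received line in the post. */
    const char *samples[][2] = {
        { "ericcox.com",       "62.57.58.219" },
        { "mail.ERICCOX.com.", "62.57.58.219" },
        { "notericcox.com",    "62.57.58.219" },
        { "ericcox.com",       "192.168.1.7"  },
    };
    size_t i;
    for (i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("HELO %-18s from %-13s -> %s\n", samples[i][0], samples[i][1],
               helo_is_forged(samples[i][0], samples[i][1]) ? "reject" : "accept");
    return 0;
}
```

Two caveats a practitioner would want: exempt clients that have authenticated or that tcpserver has marked as RELAYCLIENT, otherwise your own roaming users get rejected; and expect the sender to change the HELO string once this starts biting, so treat it as one cheap filter among several rather than the fix.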
EC> I've got one spammer consistently spamming my domain (getting
EC> around RBL lists *and* TMDA), [...]

By the looks of things, he's using <eric@ericcox.com> as the envelope sender. Do you have an autoresponder at that mailbox? UBM senders use autoresponders to evade challenge-response systems like TMDA and "qsecretary". It would seem that in this case your own autoresponder is being used to evade your own challenge-response system. Check your logs. Find out from whence TMDA is receiving the confirmation message.

EC> That's the only way I can think of to filter out this
EC> particular spammer.

A better way would be to get rid of the autoresponder.

EC> Received: (qmail 23983 invoked by uid 0); 20 Jul 2003 09:55:38 -0000

You've also misconfigured your SMTP Relay server. "qmail-smtpd" should _not_ be being invoked as the superuser.
"Eric Cox" <eric-dated-1059140862.513ec2@ericcox.com> writes:
> I've got one spammer consistently spamming my domain (getting
> around RBL lists *and* TMDA), by forging my own domain
> in the (SMTP) MAIL FROM command, and the HELO command,
> and of course moving his sending IP around to various foreign hacked
> systems - not relaying. (He's using primarily MS-SQL Hello overflow
> bug)

Don't whitelist your domain--only whitelist specific valid addresses in your domain (not your own).

> My question is: Has anyone written a patch to qmail-smtpd to filter
> out certain domains in the HELO command of a SMTP transaction?

I believe Bruce Guenter's mailfront can do that.

--
Dave Sill
Oak Ridge National Lab, Workstation Support
Author, The qmail Handbook <http://web.infoave.net/~dsill>
<http://lifewithqmail.org/>: Almost everything you always wanted to know.
"Dave Sill" <MaxFreedom@sws5.ctd.ornl.gov> wrote in message news:wx0y8ysdoru.fsf@sws5.ornl.gov...
> "Eric Cox" <eric-dated-1059140862.513ec2@ericcox.com> writes:
>
> > I've got one spammer consistently spamming my domain (getting
> > around RBL lists *and* TMDA), by forging my own domain
> > in the (SMTP) MAIL FROM command, and the HELO command,
> > and of course moving his sending IP around to various foreign hacked
> > systems - not relaying. (He's using primarily MS-SQL Hello overflow
> > bug)
>
> Don't whitelist your domain--only whitelist specific valid addresses
> in your domain (not your own).

Rats. I was hoping you wouldn't say that....LOL

> > My question is: Has anyone written a patch to qmail-smtpd to filter
> > out certain domains in the HELO command of a SMTP transaction?
>
> I believe Bruce Guenter's mailfront can do that.

Thanks Dave, I'll check that out...

Eric
EC> That's the only way I can think of to filter out this
EC> particular spammer.

JdeBP> A better way would be to get rid of the autoresponder.

EA> Nooooo way. TMDA stops at least 90% of the spam.

I didn't say "get rid of TMDA". I said "get rid of the autoresponder", meaning the autoresponder on <eric@ericcox.com> that I asked whether you had earlier in that same message.