The Community Forums

Interact with an entire community of cPanel & WHM users!

Exim / HELO question (to help stop viruses & spam)

Discussion in 'General Discussion' started by sneader, Sep 14, 2004.

  1. sneader

    sneader Well-Known Member

    Joined:
    Aug 21, 2003
    Messages:
    1,126
    Likes Received:
    21
    Trophy Points:
    38
    Location:
    La Crosse, WI
    cPanel Access Level:
    Root Administrator
    Hi there. I see an awful lot of e-mail coming into my server, where the remote SMTP server says: HELO mydomain.com -- meaning, they are using MY DOMAIN as the HELO. And these all seem to be viruses and spam.

    In this example, my server name is www3.mydomain.com, and my mail server is mail.mydomain.com:

    Received: from [62.101.126.218] (helo=mydomain.com)
    by www3.mydomain.com with esmtp (Exim 4.42)
    id 1C7ATx-0003mN-Ng
    for sneader@mydomain.com; Tue, 14 Sep 2004 05:24:18 -0500

    The 62.101.126.218 IP is not my server... it is some virus infected user, or their ISPs server.

    The point is... I can't think of a legitimate reason why any incoming mail would come into my server and claim in the HELO command that it is my domain, right?

    Can this be rejected? Like "if HELO = mydomain.com, then reject" ???

    - Scott
     
  2. chirpy

    chirpy Well-Known Member

    Joined:
    Jun 15, 2002
    Messages:
    13,475
    Likes Received:
    20
    Trophy Points:
    38
    Location:
    Go on, have a guess
    IIRC, you can access the HELO/EHLO argument in ACL context, so you should certainly be able to. A good read of the exim docs would be needed though:
    http://www.exim.org
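The kind of ACL chirpy is pointing at, written out as an added example (this is not chirpy's or cPanel's configuration). It rejects a remote client whose HELO/EHLO argument is one of our own domains, the server's own hostname, or the server's own IP address, which is exactly what the `helo=mydomain.com` line in the Received header above shows. The domain list `+local_domains`, the host list `+relay_from_hosts` and the names mydomain.com / www3.mydomain.com are taken from the default Exim config and the thread; that they exist in your config under those names is an assumption.

```exim
# Added example, not taken from the thread.  Assumes the stock Exim lists
# "local_domains" and "relay_from_hosts" are defined in your configuration.

# Main section (before any "begin" line): route HELO/EHLO through our ACL.
acl_smtp_helo = acl_check_helo

begin acl

acl_check_helo:

  # Skip the test for our own hosts: the empty item (":") matches local,
  # non-TCP submissions and +relay_from_hosts is the list of machines
  # allowed to relay.  Authenticated clients cannot be excluded here,
  # because AUTH only happens after EHLO.
  accept  hosts = : +relay_from_hosts

  # Deny a HELO name that is one of our local domains (mydomain.com) or
  # equals this server's hostname (www3.mydomain.com), case-insensitively.
  deny    message     = HELO/EHLO name $sender_helo_name is one of our own names
          log_message = spoofed HELO $sender_helo_name from $sender_host_address
          condition   = ${if or{ \
                            {match_domain{$sender_helo_name}{+local_domains}} \
                            {eq{${lc:$sender_helo_name}}{${lc:$primary_hostname}}} \
                          }{yes}{no}}

  # Deny a HELO that presents our own IP, with or without the "[ ]" of the
  # SMTP address-literal form; $interface_address is the IP the client hit.
  deny    message     = HELO/EHLO address $sender_helo_name is our own address
          log_message = spoofed HELO $sender_helo_name from $sender_host_address
          condition   = ${if eq{${sg{$sender_helo_name}{\N[\[\]]\N}{}}}{$interface_address}{yes}{no}}

  # Everything else continues to the normal MAIL/RCPT checks.
  accept
```

Because the check runs at HELO time, the client is refused before it can send any message data, and the `log_message` line leaves an entry in the Exim main log you can grep for to see how much of your incoming traffic this catches. cPanel regenerates exim.conf itself, so on a current cPanel server custom ACL text is normally added through WHM's Exim Configuration Manager (Advanced Editor) rather than by editing /etc/exim.conf directly.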
     
  3. tambo

    tambo Member

    Joined:
    Apr 29, 2002
    Messages:
    16
    Likes Received:
    0
    Trophy Points:
    1
    Any solution to this?
     
  4. dezignguy

    dezignguy Well-Known Member

    Joined:
    Sep 26, 2004
    Messages:
    534
    Likes Received:
    0
    Trophy Points:
    16
    I outright reject any email coming from a server that spoofs any of my domains or my ip addresses in their helo... it's not at all valid for them to be doing that and no legitimate server should ever emulate that behavior. Only viruses and spam hosts do the spoof HELOs... it's because they think they can get better access by fooling your server into thinking it's local/trusted. Obviously there are enough so called admins who did/do base their security off the untrusted helo information, to cause the virus writers and spammers to write their software with this 'feature'.

    Anyways... I use ASSP - http://assp.sourceforge.net - as a spam/virus filtering proxy in front of my exim mailserver... and I block the fake helos at that stage as well. So, I can't really help you with the exim configs for what you want to do.
     
  5. iCARus

    iCARus Well-Known Member

    Joined:
    Apr 8, 2003
    Messages:
    113
    Likes Received:
    0
    Trophy Points:
    16