Gossamer Forum

Blocking Obvious SPAMMER --Exim ACL

Anyone on Exim could try out the following ACLs to block messages that present a dubious HELO/EHLO.

###HELO CHECK START ###

# No HELO/EHLO: $sender_helo_name is empty when the client skipped HELO/EHLO

deny
  condition   = ${if eq{$sender_helo_name}{}{yes}{no}}
  message     = Polite hosts say HELO first\n\
                Please see RFC 2821 section 4.1.1.1
  log_message = Bad HELO: Empty HELO

# Forged HELO (our IP/hostname): the client claims to be this server

deny
  condition   = ${if eq{$sender_helo_name}{$interface_address}{yes}{no}}
  message     = Forged HELO: you are not $sender_helo_name
  log_message = Forged HELO: is our interface address

deny
  condition   = ${if match_domain{$sender_helo_name}{+local_domains}{yes}{no}}
  message     = Forged HELO AS PER RFC STANDARDS: you are not $sender_helo_name
  log_message = Forged HELO: $sender_helo_name is one of our local domains

## Modified End ##

# Forged HELO (IP address does not match): a bare IP literal that is not
# the address the client is actually connecting from

deny
  condition   = ${if isip{$sender_helo_name}{yes}{no}}
  condition   = ${if eq{$sender_helo_name}{$sender_host_address}{no}{yes}}
  message     = Forged HELO: you are not $sender_helo_name
  log_message = Forged HELO: ip does not match

# Hacked HELO (DOMAIN.com, constructed by viruses): an upper-case/numeric
# label followed by a lower-case TLD; all-digit labels are exempted by the
# second condition

deny
  condition   = ${if match \
                {$sender_helo_name}{\N^[A-Z0-9]+\.[a-z]+$\N}{yes}{no}}
  condition   = ${if match \
                {$sender_helo_name}{\N^[0-9]+\.[a-z]+$\N}{no}{yes}}
  message     = Hacked HELO: you are not $sender_helo_name
  log_message = Hacked HELO: constructed by viruses

# Typical non-existent names; the dots are escaped and the pattern anchored
# so that only these exact names match, not any string containing them

deny
  condition   = ${if match {$sender_helo_name}\
                {\N^(backup\.lst|localhost\.localdomain)$\N}\
                {yes}{no}}
  message     = Bad HELO: $sender_helo_name does not exist\n\
                Please see RFC 2821 section 4.1.1.1
  log_message = Bad HELO: $sender_helo_name does not exist
###HELO CHECK END ###


After implementation, please keep a watch on the logs to see if anything unwanted is happening. It shouldn't, though, as this has been tested by us for about a week.


Thanx
HyTC
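To see which of the rules above fires for a given HELO before putting them in front of live mail, here is an added Python model of the deny logic run over constructed sessions; it is not part of the original post or of Exim. The local-domain list and interface address are made-up stand-ins for what the live configuration supplies, the connecting IPs are documentation addresses, and the bogus-name pattern is written escaped and anchored, which is what the post's pattern intends (the posted one leaves the dots unescaped and unanchored, so it would also hit a name like mx.localhostXlocaldomain.net).

```python
"""Model of the HELO deny rules from the Exim ACL above, run over constructed sessions."""
import ipaddress
import re

# Constructed stand-ins for values Exim supplies at run time:
# +local_domains and $interface_address come from the live configuration.
LOCAL_DOMAINS = {"example.com", "mail.example.com"}
INTERFACE_ADDRESS = "203.0.113.10"

# Same patterns as the ACL. Exim's ${if match ...} is a plain PCRE match,
# case-sensitive and unanchored unless the pattern anchors itself.
VIRUS_STYLE = re.compile(r"^[A-Z0-9]+\.[a-z]+$")       # e.g. DSKTOP7F3A.com
ALL_DIGIT_LABEL = re.compile(r"^[0-9]+\.[a-z]+$")      # exempted from the rule above
# Known bogus names, escaped and anchored (assumed intent of the posted pattern).
BOGUS_NAMES = re.compile(r"^(backup\.lst|localhost\.localdomain)$")


def is_ip(text):
    """Mirror of Exim's isip: true for a bare IPv4/IPv6 literal (not for "[1.2.3.4]")."""
    try:
        ipaddress.ip_address(text)
        return True
    except ValueError:
        return False


def helo_verdict(helo, peer_ip):
    """Return None when every deny passes, else the log_message of the first deny that fires.

    The rules run in the order the ACL lists them, so a HELO that trips several
    is reported under the first one, as it would be in the Exim log.
    """
    if helo == "":
        return "Bad HELO: Empty HELO"
    if helo == INTERFACE_ADDRESS:
        return "Forged HELO: is our interface address"
    if helo.lower() in LOCAL_DOMAINS:             # match_domain is caseless
        return f"Forged HELO: {helo} is one of our local domains"
    if is_ip(helo) and helo != peer_ip:
        return "Forged HELO: ip does not match"
    if VIRUS_STYLE.match(helo) and not ALL_DIGIT_LABEL.match(helo):
        return "Hacked HELO: constructed by viruses"
    if BOGUS_NAMES.search(helo):
        return f"Bad HELO: {helo} does not exist"
    return None


# Constructed sessions: (HELO argument, connecting IP). None of these are real hosts.
SESSIONS = [
    ("", "198.51.100.7"),
    ("203.0.113.10", "198.51.100.7"),
    ("Mail.Example.COM", "198.51.100.7"),
    ("198.51.100.7", "198.51.100.7"),        # bare IP that matches the peer: allowed
    ("10.0.0.1", "198.51.100.7"),
    ("DSKTOP7F3A.com", "198.51.100.7"),
    ("12345.com", "198.51.100.7"),            # all-digit label: exempt
    ("localhost.localdomain", "198.51.100.7"),
    ("mx1.sender.example.net", "198.51.100.7"),
]


def run_sessions(sessions=SESSIONS):
    """Apply the rules to each session; returns a list of (helo, peer_ip, verdict)."""
    return [(helo, ip, helo_verdict(helo, ip)) for helo, ip in sessions]


if __name__ == "__main__":
    for helo, ip, verdict in run_sessions():
        print(f"{ip:15} HELO {helo or '<empty>':28} -> {verdict or 'accept'}")
```

On a real host the same sessions can be driven through the actual ACL with `exim -bh 198.51.100.7`, which fakes an SMTP session from that address on standard input and writes the deny reply and the LOG line that would have been logged to standard error.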
Re: [HyperTherm] Blocking Obvious SPAMMER --Exim ACL
If on cPanel WHM, in what part of the Exim advanced config file would your stuff get plugged in?

------------------------------------------
Re: [DogTags] Blocking Obvious SPAMMER --Exim ACL
Below the "begin acl" line there are three text areas.

All of this goes in the second text area, right after:

#!!# ACL that is used after the RCPT command
check_recipient:
# Exim 3 had no checking on -bs messages, so for compatibility
# we accept if the source is local SMTP (i.e. not over TCP/IP).
# We do this by testing for an empty sending host field.
accept hosts = :

In case you have added the Dictionary Attack ACL, add it after the Dictionary Attack ACL.

Thanks
HyTC
==================================
Mail Me If Contacting Privately Is That Necessary.
==================================