Date: Thu, 13 Mar 2003 00:57:39 -0800

From: Devin Carraway <qpsmtpd-list@devin.com>
To: qpsmtpd@perl.org
Subject: HELO hook and check plugin

Speaking of direct-to-MX spam, both AOL and Yahoo are large companies
with whole walls-full of servers devoted to mail delivery.  None of them
announce themselves with "HELO yahoo.com" or "HELO aol.com."  Spammers
certainly do, though.

Here's a patch to SMTP.pm to add hooks for HELO and EHLO, and a plugin
to use them.


git-svn-id: https://svn.perl.org/qpsmtpd/trunk@119 958fd67b-6ff1-0310-b445-bb7760255be9

config.sample/badhelo

@@ -0,0 +1,4 @@
+# these domains never uses their domain when greeting us, so reject transactions
+aol.com
+yahoo.com
+

lib/Qpsmtpd/SMTP.pm

@@ -101,10 +101,19 @@ sub helo {
   my $conn = $self->connection;
   return $self->respond (503, "but you already said HELO ...") if $conn->hello;
 
-  $conn->hello("helo");
+  my ($rc, $msg) = $self->run_hooks("helo", $hello_host);
-  $conn->hello_host($hello_host);
+  if ($rc == DONE) {
-  $self->transaction;
+    # do nothing
-  $self->respond(250, $self->config('me') ." Hi " . $conn->remote_info . " [" . $conn->remote_ip ."]; I am so happy to meet you.");
+  } elsif ($rc == DENY) {
+    $self->respond(550, $msg);
+  } elsif ($rc == DENYSOFT) {
+    $self->respond(450, $msg);
+  } else {
+    $conn->hello("helo");
+    $conn->hello_host($hello_host);
+    $self->transaction;
+    $self->respond(250, $self->config('me') ." Hi " . $conn->remote_info . " [" . $conn->remote_ip ."]; I am so happy to meet you.");
+  }
 }
 
 sub ehlo {
@@ -112,16 +121,25 @@ sub ehlo {
   my $conn = $self->connection;
   return $self->respond (503, "but you already said HELO ...") if $conn->hello;
 
-  $conn->hello("ehlo");
+  my ($rc, $msg) = $self->run_hooks("ehlo", $hello_host);
-  $conn->hello_host($hello_host);
+  if ($rc == DONE) {
-  $self->transaction;
+    # do nothing
+  } elsif ($rc == DENY) {
+    $self->respond(550, $msg);
+  } elsif ($rc == DENYSOFT) {
+    $self->respond(450, $msg);
+  } else {
+    $conn->hello("ehlo");
+    $conn->hello_host($hello_host);
+    $self->transaction;
 
-  $self->respond(250,
+    $self->respond(250,
 		 $self->config("me") . " Hi " . $conn->remote_info . " [" . $conn->remote_ip ."]",
 		 "PIPELINING",
 		 "8BITMIME",
 		 ($self->config('databytes') ? "SIZE ". ($self->config('databytes'))[0] : ()),
 		);
+  }
 }
 
 sub mail {

plugins/check_spamhelo

@@ -0,0 +1,37 @@
+=head1 NAME
+
+check_spamhelo - Check a HELO message delivered from a connecting host.
+
+=head1 DESCRIPTION
+
+Check a HELO message delivered from a connecting host.  Reject any
+that appear in the badhelo config -- e.g. yahoo.com and aol.com, which
+neither the real Yahoo or the real AOL use, but which spammers use
+rather a lot.
+
+=head1 CONFIGURATION
+
+Add domains or hostnames to the F<badhelo> configuration file; one
+per line.
+
+=cut
+
+sub register {
+  my ($self, $qp) = @_;
+  $self->register_hook("helo", "check_helo");
+  $self->register_hook("ehlo", "check_helo");
+}
+
+sub check_helo {
+  my ($self, $transaction, $host) = @_;
+  ($host = lc $host) or return DECLINED;
+  
+  for my $bad ($self->qp->config('badhelo')) {
+    if ($host eq lc $bad) {
+      $self->log(5, "Denying HELO from host claiming to be $bad");
+      return (DENY, "Uh-huh.  You're $host, and I'm a boil on the bottom of the Marquess of Queensbury's great-aunt.");
+    }
+  }
+  return DECLINED;
+}
+