ACL HELO Trick

This section contains tricks to identify spam based on the HELO message.

It's probably a good idea to put the following condition into each of these stanzas so that mail from your own system is never blocked. It is false when the connection comes from the very address Exim is listening on (for example a local client connecting to 127.0.0.1), in which case the rest of the stanza is skipped:

  condition = ${if !eq{$interface_address}{$sender_host_address}}

HELO is an IP Address

RFC 5321 only allows an IP address in HELO as a bracketed address literal such as [192.0.2.1]; a bare address is never compliant. Note that isip matches only the bare form, so a bracketed literal passes this test and is handled by the interface-address and malformed-HELO stanzas further down.

  drop  message   = "REJECTED - Bad HELO - IP address not allowed [$sender_helo_name]"
        condition = ${if isip {$sender_helo_name}}

HELO is my hostname

Sometimes spammers impersonate the hostname of the MX they are delivering their junk to. This ACL drops those connections. Since only spam tools seem to use such a HELO, this ACL is pretty safe. The comparison is an exact, case-insensitive one rather than a regular-expression match: an unanchored match against $primary_hostname, whose dots are regex metacharacters, would also fire on any name that merely contains your hostname.

  drop  message   = "REJECTED - Bad HELO - Host impersonating [$sender_helo_name]"
        condition = ${if eq{${lc:$sender_helo_name}}{${lc:$primary_hostname}}}

HELO is one of my Domains

Sometimes spammers will try to send spam by impersonating one of our domains in the HELO. This ACL assumes that you have a domainlist called all_mail_handled_locally. match_domain uses normal domain-list matching, which is case-insensitive and exact for plain entries: a HELO of sub.example.org does not match an entry of example.org unless the list also contains *.example.org.

Be sure to use this AFTER the statements that accept authenticated SMTP and the other trusted hosts you relay for, since some mail clients use the domain part of the sender's address as the HELO string.

  drop  message   = "REJECTED - Bad HELO - Host impersonating [$sender_helo_name]"
        condition = ${if match_domain{$sender_helo_name}{+all_mail_handled_locally}{true}{false}}

HELO is faked interface address

Some spammers put the address of the server interface they connect to in their HELO, perhaps assuming it is whitelisted or something.

  drop  message   = $interface_address is _my_ address
        condition = ${if eq{[$interface_address]}{$sender_helo_name}}

Note: If you are running your mailserver with a private IP address behind NAT, $interface_address is that private address, so you have to replace it with your outside global IP address (if it's static). Private addresses are not unique: somebody else behind NAT could have the same setup with the same address, and if their SMTP client announces it in HELO it would be blocked by the unmodified test.

HELO is malformed

Sometimes HELO is malformed and not RFC compliant. The argument must be either the client's own address as an address literal or a valid FQDN. One can wonder why so many spamming zombies won't send a valid HELO... At least it makes the job easier.

The first statement denies a client whose HELO is an address (a bare one, which is what isip matches) that is not the address it is connecting from; match_ip treats $sender_host_address as a one-item host list. The second denies anything that is neither an address nor shaped like a hostname. Two caveats: the top-level label is allowed to be any length of two or more letters, because current TLDs such as .technology are longer than the six letters older versions of this pattern permitted; and the pattern does not accept a bracketed literal such as [192.0.2.1], which is RFC compliant, so keep the interface-address check before this one and consider exempting literals that equal $sender_host_address if you see them from legitimate clients.

  deny  message   = Bad HELO: $sender_helo_name is not your address ($sender_host_address)
        condition = ${if and { \
                        {isip {$sender_helo_name} } \
                        { !match_ip{$sender_helo_name}{$sender_host_address} } \
                        } \
                    {1}{0}}

  deny  message   = malformed HELO ($sender_helo_name)
        condition = ${if and { \
                        { !isip{$sender_helo_name} } \
                        { !match{${lc:$sender_helo_name}}{^([a-z0-9][a-z0-9-]*\\.)+[a-z]\{2,\}\$}} \
                        }}
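The following Python is an added example, not Exim configuration and not code from the Exim wiki: it re-implements every rule on this page so they can be run offline over (HELO, client IP) pairs pulled from your own logs before any of them is turned into a drop or deny. The hostname mx.example.org, the domain list {example.org, example.net} and the interface address 192.0.2.10 are hypothetical placeholders for $primary_hostname, +all_mail_handled_locally and $interface_address. It goes beyond the page in two places: the top-level label may be any length of two or more letters, and an RFC 5321 bracketed address literal is accepted when it names the connecting address instead of being rejected by the malformed-HELO pattern.

```python
"""Offline mirror of the HELO checks on this page.

Added example, not Exim code and not from the Exim wiki: each rule is
re-implemented in Python so it can be run over (HELO, client IP) pairs
taken from your own logs before the matching drop/deny is enabled.
"""
import ipaddress
import re

# Hypothetical site settings standing in for $primary_hostname, the
# +all_mail_handled_locally domain list and $interface_address.
PRIMARY_HOSTNAME = "mx.example.org"
LOCAL_DOMAINS = {"example.org", "example.net"}
INTERFACE_ADDRESS = "192.0.2.10"

# Same shape as the page's hostname regex, but the top-level label may be
# any length of two or more letters ({2,6} would reject e.g. .technology).
FQDN_RE = re.compile(r"^([a-z0-9][a-z0-9-]*\.)+[a-z]{2,}$")


def is_bare_ip(s):
    """Exim's isip: true for an unbracketed IPv4/IPv6 address."""
    try:
        ipaddress.ip_address(s)
        return True
    except ValueError:
        return False


def address_literal(helo):
    """Parse an RFC 5321 address literal, '[192.0.2.1]' or '[IPv6:2001:db8::1]'.

    Returns the address, or None if helo is not a well-formed literal.
    """
    if not (helo.startswith("[") and helo.endswith("]")):
        return None
    inner = helo[1:-1]
    if inner.lower().startswith("ipv6:"):
        inner = inner[5:]
    try:
        return ipaddress.ip_address(inner)
    except ValueError:
        return None


def helo_verdict(helo, client_ip, interface=INTERFACE_ADDRESS,
                 primary=PRIMARY_HOSTNAME, local_domains=LOCAL_DOMAINS):
    """Return the name of the first page rule that would fire, or None to accept.

    Rules run in the order the page lists them, after the page's own
    self-exemption (connections from the interface address are never checked).
    """
    if client_ip == interface:
        return None                      # ${if !eq{$interface_address}{$sender_host_address}}
    lower = helo.lower()
    if is_bare_ip(helo):
        return "bare-ip"                 # ${if isip {$sender_helo_name}}
    if lower == primary.lower():
        return "my-hostname"             # HELO is my hostname (exact, case-insensitive)
    if lower in local_domains:
        return "my-domain"               # match_domain: plain entries match exactly
    literal = address_literal(helo)
    if literal is not None:
        if literal == ipaddress.ip_address(interface):
            return "my-interface"        # HELO is [$interface_address]
        if literal != ipaddress.ip_address(client_ip):
            return "literal-mismatch"    # an address, but not the one connecting
        return None                      # compliant literal for the real client address
    if not FQDN_RE.match(lower):
        return "malformed"               # neither an address nor hostname-shaped
    return None


# Constructed sample connections (not real log data): (HELO argument, client IP).
SAMPLE_CONNECTIONS = [
    ("mail.partner.example", "198.51.100.7"),
    ("198.51.100.7", "198.51.100.7"),
    ("MX.EXAMPLE.ORG", "198.51.100.8"),
    ("example.net", "198.51.100.9"),
    ("[192.0.2.10]", "198.51.100.10"),
    ("[198.51.100.11]", "198.51.100.11"),
    ("[203.0.113.5]", "198.51.100.12"),
    ("friend", "198.51.100.13"),
    ("host.example.technology", "198.51.100.14"),
    ("[IPv6:2001:db8::1]", "2001:db8::1"),
    ("mx.example.org", "192.0.2.10"),
]


def run(samples=SAMPLE_CONNECTIONS):
    """Evaluate every sample and return (helo, client_ip, verdict) triples."""
    return [(helo, ip, helo_verdict(helo, ip)) for helo, ip in samples]


if __name__ == "__main__":
    for helo, ip, verdict in run():
        print(f"{ip:>15}  HELO {helo:<26} -> {verdict or 'accept'}")
```

To check the rules against real traffic, feed helo_verdict the HELO name and client address from your own Exim main log (the HELO appears in parentheses in the H= field of a message's arrival line) and look at how many legitimate senders each rule would have hit before switching that rule from warn to drop or deny.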

http://www.exim.org/eximwiki/AclHeloTricks