After reading about IP based HELO blocking at junnkemailfilter.com and getting 3 spams today, looked at the headers:


Return-path:
Envelope-to: gregg@mochabomb.com
Delivery-date: Tue, 24 Feb 2009 04:34:44 -0800
Received: from [89.149.214.67] (helo=[192.168.139.26])
by vps2.mochabomb.info with smtp (Exim 4.69)
(envelope-from )
id 1LbwUm-00044i-AB
for gregg@mochabomb.com; Tue, 24 Feb 2009 04:34:44 -0800
FROM: "Postcodeloterij-nl"
TO:
SUBJECT: CLAIM YOUR PRIZE:
DATE: 24 Feb 09 1:34:31 PM


to block a helo with an IP literal makes sense nowadays - no legitimate server will use an IP based hostname - maybe in the happy trusting 1980's, but not now where nearly 99% of email traffic is spam..

Exim is new to me - so resorted to google to help here to get it implemented...
Found the solution here:
Exim mailing list

Armed with some code - lets block some spammers!

/etc/exim.conf

########################################################################################
# DO NOT ALTER THIS BLOCK  (yes - we will alter)
########################################################################################

acl_mail:

# ignore authenticated hosts
        accept authenticated = *

.. some rules..

drop
    condition  = ${if and {{match {$sender_helo_name}{\N^\[(.+)\]$\N}}{isip4 {$1}}}{true}{false}}
    message     = Access denied - IP based HELO not allowed. (See RFC2821 4.1.3)

Of course you have a backup copy in case this one got borked...

restart exim and then enjoy the results with tail /var/log/exim_mainlog or whatever yours is.