[Mimedefang] Re: Bouncing on invalid HELO/EHLO

Jeremy Mates jmates at sial.org
Thu Jun 12 13:44:01 EDT 2003


* Michael Sims <michaels at crye-leike.com>
>  It will only work if you do not scan "internal" mail.  By internal
>  mail I'm referring to any trusted client that is allowed to relay
>  mail via the server that MD is installed on.  As you've seen, any
>  Windows machine using Outlook (and I assume most any other MUA) is
>  always going to report its NetBIOS hostname as the EHLO/HELO
>  argument.

Eudora appears to use the [IP] syntax; have not looked at what Mozilla
or similar do.

> I think it's a good idea in general to skip the SpamAssassin check for
> mail from trusted networks.  I've implemented this in my filter using
> a sub called relayIsTrusted():

The downside being malware hijacking a "trusted" host and turning it
into a spam source, or users throwing up insecure wireless networks used
by drive-by spammers.  Assuming the spam touches a central mail server,
logging the SA score allows a log parser to alert someone should spam
originate from a "trusted" address.  Another option without SA would be
to monitor the rate of emails being sent out by IP or authenticated
user, with alerts on abnormally high traffic.
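An added example, not part of the original post: a log parser that applies both ideas above to mail from trusted relays, alerting on spam-level SpamAssassin scores and on bursts of messages per IP. The log line format, the trusted network, the thresholds and the sample lines are all assumptions constructed for illustration; MIMEDefang does not emit this format on its own, so the filter would have to log it.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# All values and the log format below are assumptions made for this example.
TRUSTED_NETS = [ipaddress.ip_network("192.0.2.0/24")]
SPAM_SCORE = 5.0               # score at which a message counts as spam
RATE_LIMIT = 2                 # messages allowed per relay per WINDOW
WINDOW = timedelta(minutes=1)
# Constructed log format: "<ISO timestamp> relay=<ip> sa_score=<number>"
LINE_RE = re.compile(r"^(\S+) relay=(\S+) sa_score=(-?\d+(?:\.\d+)?)$")

SAMPLE_LOG = """\
2003-06-12T13:00:05 relay=198.51.100.7 sa_score=12.4
2003-06-12T13:00:09 relay=192.0.2.25 sa_score=9.1
2003-06-12T13:02:00 relay=192.0.2.40 sa_score=1.0
2003-06-12T13:02:10 relay=192.0.2.40 sa_score=0.8
2003-06-12T13:02:20 relay=192.0.2.40 sa_score=1.2
this line is not in the expected format
"""

def scan(lines):
    """Return (kind, relay, timestamp) alerts for trusted relays only."""
    alerts = []
    recent = defaultdict(list)          # relay -> send times inside WINDOW
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue                    # skip unparseable lines
        try:
            when = datetime.fromisoformat(m.group(1))
            ip = ipaddress.ip_address(m.group(2))
        except ValueError:
            continue                    # bad timestamp or address
        if not any(ip in net for net in TRUSTED_NETS):
            continue                    # untrusted mail is filtered as usual
        if float(m.group(3)) >= SPAM_SCORE:
            alerts.append(("spam", str(ip), m.group(1)))
        times = recent[ip]
        times.append(when)
        while times[0] <= when - WINDOW:
            times.pop(0)                # drop sends older than the window
        if len(times) > RATE_LIMIT:
            alerts.append(("rate", str(ip), m.group(1)))
            times.clear()               # require a fresh burst to re-alert
    return alerts

if __name__ == "__main__":
    print(*scan(SAMPLE_LOG.splitlines()), sep="\n")
```

Keying `recent` on the authenticated user name instead of the relay address gives the per-user variant, provided the filter logs that field.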



