[Mimedefang] New spammer trick?

Jon R. Kibler Jon.Kibler at aset.com
Tue Nov 25 15:11:24 EST 2003


"David F. Skoll" wrote:
> 
> Hi,
> 
> I've just seen the following three entries in my maillog:
> 
<SNIP!>
> This spammer makes both the "from" and "to" address the same as the
> intended recipient.  Luckily, in all three cases, the spammer's software
> says "HELO roaringpenguin.com", so I see lines like this in my log (edited
> to wrap better:)
> 
> Nov 23 07:43:55 Host 66.56.84.132 said HELO roaringpenguin.com
> Nov 23 07:43:55 filter_relay rejected host 66.56.84.132
> Nov 23 07:43:55 Go away... 66.56.84.132 is not a roaringpenguin.com machine
> 

David:

This is what I was seeing a couple of weeks ago when I posted the question about blocking messages that had spoofed email addresses in our domains. I still haven't figured out a good way to handle this in the case where we have dozens of virtual domains connecting from variable sources.

Can you share your code for filter relay based on HELO?

How much legit mail will that end up rejecting? I see a lot of systems where they may say HELO xyz.com and it really be from xyz.com, but the hostname would be some ISP reverse DNS hostname, such as z.y.x.w.qrst.com and the IP be w.x.y.z -- how would your filter handle this?

Thanks!

--
Jon R. Kibler
Chief Technical Officer
A.S.E.T., Inc.
Charleston, SC  USA
(843) 849-8214
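
The check discussed in this thread, sketched as an added example (not code from either poster and not MIMEDefang's API): a HELO is rejected only when it claims one of the receiving site's own domains while the connecting IP is outside that site's networks, so a third-party "HELO xyz.com" from an ISP-named address is never compared with reverse DNS. The domain list, the networks and the function names are assumptions made for illustration.

```python
import ipaddress

# Constructed policy data: the virtual domains we host and the networks our
# own mail servers legitimately connect from (documentation address ranges).
OUR_DOMAINS = {"example.com", "example.org"}
OUR_NETWORKS = [ipaddress.ip_network(n) for n in ("127.0.0.0/8", "192.0.2.0/24")]


def claims_our_domain(helo):
    """True if the HELO argument is one of our domains or a host under one."""
    name = helo.strip().rstrip(".").lower()
    return any(name == d or name.endswith("." + d) for d in OUR_DOMAINS)


def check_helo(host_ip, helo):
    """Return ('REJECT', reason) or ('CONTINUE', 'ok') for one connection."""
    if not claims_our_domain(helo):
        # Third-party HELO names are not checked against reverse DNS here,
        # so "HELO xyz.com" from an ISP-named address is allowed through.
        return ("CONTINUE", "ok")
    ip = ipaddress.ip_address(host_ip)
    if any(ip in net for net in OUR_NETWORKS):
        return ("CONTINUE", "ok")
    return ("REJECT", f"{host_ip} is not a {helo.strip().lower()} machine")


if __name__ == "__main__":
    # Constructed sample connections: (connecting IP, HELO argument).
    samples = [
        ("203.0.113.7", "example.com"),      # outsider claiming our domain
        ("192.0.2.25", "mail.example.com"),  # our own server
        ("203.0.113.7", "xyz.com"),          # third party, ISP-style address
        ("203.0.113.7", "notexample.com"),   # lookalike suffix, not ours
    ]
    for ip, helo in samples:
        print(ip, helo, check_helo(ip, helo))
```

With dozens of virtual domains, the two tables are the only site-specific part; a domain whose users relay from variable sources has to be left out of OUR_DOMAINS or given a wider network list, otherwise its own hosts are rejected.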