[Mimedefang] New spammer trick?

Jon R. Kibler Jon.Kibler at aset.com
Tue Nov 25 15:11:24 EST 2003

"David F. Skoll" wrote:
> Hi,
> I've just seen the following three entries in my maillog:
> This spammer makes both the "from" and "to" address the same as the
> intended recipient.  Luckily, in all three cases, the spammer's software
> says "HELO roaringpenguin.com", so I see lines like this in my log (edited
> to wrap better:)
> Nov 23 07:43:55 Host said HELO roaringpenguin.com
> Nov 23 07:43:55 filter_relay rejected host
> Nov 23 07:43:55 Go away... is not a roaringpenguin.com machine


This is what I was seeing a couple of weeks ago when I posted the question about blocking messages that had spoofed email addresses in our domains. I still haven't figured out a good way to handle this in the case where we have dozens of virtual domains connecting from variable sources.

Can you share your code for filter relay based on HELO?

How much legit mail will that end up rejecting? I see a lot of systems where they may say HELO xyz.com and it really be from xyz.com, but the hostname would be some ISP reverse DNS hostname, such as z.y.x.w.qrst.com and the IP be w.x.y.z -- how would your filter handle this?


Jon R. Kibler
Chief Technical Officer
A.S.E.T., Inc.
Charleston, SC  USA
(843) 849-8214

Filtered by: TRUSTEM.COM's Email Filtering Service
No Spam. No Viruses. Just Good Clean Email.

More information about the MIMEDefang mailing list