[Mimedefang] HELO/PTR TLD mismatch
David F. Skoll
dfs at roaringpenguin.com
Wed Feb 4 11:16:42 EST 2004
Well, in the few minutes I implemented logging for HELO/PTR TLD mismatch,
I see the following:

- It's catching a lot of viruses. Looks like SoBig's SMTP engine
uses the sender domain as the HELO argument:

Feb 4 11:08:00 www mimedefang.pl[27235]: i14G7x8l027681: TLD Mismatch: Host 209.42.42.222 said HELO entelchile.net, but name is user222.209.42.42.dsli.com
Feb 4 11:08:00 www mimedefang.pl[27235]: i14G7x8l027681: Rejected: Virus Worm.SCO.A - handler Discard

- Unfortunately, it did trigger for one valid message.

- I also had to exempt my own host from the check. :-)

Feb 4 10:24:43 www mimedefang.pl[27235]: TLD Mismatch: Host 127.0.0.1 said HELO www.roaringpenguin.com, but name is localhost.localdomain

Definitely looks like it's worth a few points in SpamAssassin. And
from what I see, if the HELO argument is the same as the sender's domain,
and there's a mismatch, you're very likely looking at MyDoom.
Regards,
David.
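The heuristic described in the post, worked through as a stand-alone example (added here; this is not MIMEDefang code or a filter from the post): compare the last label of the HELO argument with the last label of the connecting host's PTR name, exempt the local host as David did, score a plain mismatch with a few points, and score it higher when the HELO argument also equals the sender's domain. The point values, the exempt relay list and the sample events are constructed assumptions; the check also skips address-literal HELOs and hosts with no PTR record, since those have no TLD to compare.

```python
"""HELO/PTR TLD mismatch heuristic (illustrative example, not MIMEDefang's own code)."""
import re
from dataclasses import dataclass
from typing import Optional

# Relays whose HELO is trusted without the check; the post exempts the local host.
# The set contents are a constructed assumption.
EXEMPT_RELAYS = frozenset({"127.0.0.1", "::1"})

# RFC 5321 address literals such as [192.0.2.1] or [IPv6:2001:db8::1]
ADDRESS_LITERAL = re.compile(r"^\[(ipv6:)?[0-9a-f.:]+\]$")


def tld_of(name: Optional[str]) -> Optional[str]:
    """Return the last DNS label of a host name (the 'TLD' the post compares),
    lower-cased, or None when there is nothing comparable: empty name,
    address literal, or a single-label name such as 'localhost'."""
    if not name:
        return None
    name = name.strip().rstrip(".").lower()
    if not name or ADDRESS_LITERAL.match(name) or "." not in name:
        return None
    return name.rsplit(".", 1)[-1]


def sender_domain(sender: Optional[str]) -> Optional[str]:
    """Domain part of an envelope sender, with angle brackets stripped."""
    if not sender:
        return None
    sender = sender.strip().strip("<>")
    if "@" not in sender:
        return None
    return sender.rsplit("@", 1)[1].lower().rstrip(".")


@dataclass
class Verdict:
    mismatch: bool               # HELO TLD differs from PTR TLD
    helo_is_sender_domain: bool  # the stronger worm indicator from the post
    score: float                 # points to hand to a scorer such as SpamAssassin
    reason: str                  # text suitable for a log line


def check_helo_ptr(relay_ip: str, helo: str, ptr: Optional[str], sender: Optional[str],
                   mismatch_points: float = 2.0, worm_points: float = 4.0) -> Verdict:
    """Apply the TLD mismatch heuristic to one SMTP connection.

    mismatch_points and worm_points are constructed assumptions; the post only
    says a mismatch is 'worth a few points' and that HELO == sender domain plus
    a mismatch is a strong worm indicator."""
    if relay_ip in EXEMPT_RELAYS:
        return Verdict(False, False, 0.0, "relay exempt from check")

    helo_tld, ptr_tld = tld_of(helo), tld_of(ptr)
    if helo_tld is None or ptr_tld is None:
        # Address literal, no PTR, or single-label name: nothing to compare, so
        # the heuristic stays silent rather than producing a false positive.
        return Verdict(False, False, 0.0, "no comparable TLDs")

    if helo_tld == ptr_tld:
        return Verdict(False, False, 0.0, "TLDs match")

    same = sender_domain(sender) == helo.strip().rstrip(".").lower()
    score = mismatch_points + (worm_points if same else 0.0)
    reason = (f"TLD Mismatch: Host {relay_ip} said HELO {helo}, but name is {ptr}"
              + ("; HELO equals sender domain" if same else ""))
    return Verdict(True, same, score, reason)


if __name__ == "__main__":
    # Constructed events modelled on the two log lines quoted in the post.
    events = [
        ("209.42.42.222", "entelchile.net", "user222.209.42.42.dsli.com", "<x@entelchile.net>"),
        ("127.0.0.1", "www.roaringpenguin.com", "localhost.localdomain", "<x@roaringpenguin.com>"),
        ("198.51.100.8", "[198.51.100.8]", "host.example.net", "<x@example.com>"),
    ]
    for ev in events:
        print(check_helo_ptr(*ev))
```

The first event scores as the post predicts (mismatch plus HELO equal to the sender domain), the loopback event is silenced by the exemption, and the address-literal HELO produces no verdict at all.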