[Mimedefang] filter-relay, rejection on bogus helo
Kelson Vibber
kelson at speed.net
Tue Jan 6 13:31:57 EST 2004
At 08:59 AM 1/6/2004, Chris Myers wrote:
>Also, an additional 1% of spam messages try to use a HELO with a random
>hostname in your domain, or the hostname of your mail server. I've
>generally found this also to be a safe criterion for blocking messages.

Note that if you do this on a server that also handles outbound mail from
remote clients, the filter needs to make an exception for authorized
clients. At least one mail client, Eudora, builds its HELO string from the
hostname of your computer and the domain name of your mail server. (We see
clients sending mail from bob at customerdomain.com with a HELO of
bobsmachine.speed.net.)

If all your users are on a few static IP blocks, then the job is
easy. Otherwise, you'll need to make the HELO filter aware of smtp-auth,
drac, or whatever remote relay controls you use - which means you probably
won't be able to do the check in filter_relay.

We don't see much in the way of random-hostname HELOs, but we do block
nearly a thousand messages a day (after SBL and DSBL) that use our server's
IP address as the HELO string, and a few dozen using our hostname.
Kelson Vibber
SpeedGate Communications <www.speed.net>
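
The exception logic described in this message, as an added example that is not part of the original post and is not MIMEDefang's own code: a HELO that claims to be the server's own IP, hostname or domain is rejected unless the client sits in a trusted static block or has authenticated. The addresses, domain, sub names and the `$authenticated` flag are assumptions; the flag stands in for whatever relay control (smtp-auth, drac) the site uses, and only IPv4 is handled.

```perl
use strict;
use warnings;
use Socket qw(inet_aton);

# Constructed site values (assumptions, not taken from the original post).
my @OUR_IPS       = ('192.0.2.25');
my @OUR_DOMAINS   = ('example.net');          # also covers hosts under it
my @TRUSTED_CIDRS = ('198.51.100.0/24', '127.0.0.0/8');

# True if dotted-quad $ip lies inside $cidr ("a.b.c.d/len").
sub ip_in_cidr {
    my ($ip, $cidr) = @_;
    return 0 unless $ip =~ /^\d{1,3}(?:\.\d{1,3}){3}$/;   # no DNS lookups
    my ($net, $len) = split m{/}, $cidr;
    my $mask = $len ? (0xFFFFFFFF << (32 - $len)) & 0xFFFFFFFF : 0;
    my ($ip_n, $net_n) = map { unpack('N', inet_aton($_)) } ($ip, $net);
    return ($ip_n & $mask) == ($net_n & $mask);
}

# Does the HELO argument claim to be us: our IP (bare or as an address
# literal), our hostname, or any host under our domain?
sub helo_claims_us {
    my ($helo) = @_;
    my $h = lc $helo;
    $h =~ s/^\[(.*)\]\z/$1/;    # [192.0.2.25] -> 192.0.2.25
    $h =~ s/\.\z//;             # drop a trailing dot
    return 1 if grep { $h eq $_ } @OUR_IPS;
    return 1 if grep { $h eq $_ || $h =~ /\.\Q$_\E\z/ } @OUR_DOMAINS;
    return 0;
}

# Returns 'REJECT' or 'CONTINUE'. The caller supplies $authenticated.
sub helo_verdict {
    my ($client_ip, $helo, $authenticated) = @_;
    return 'CONTINUE' unless helo_claims_us($helo);
    return 'CONTINUE' if $authenticated;        # e.g. a remote Eudora user
    return 'CONTINUE' if grep { ip_in_cidr($client_ip, $_) } @TRUSTED_CIDRS;
    return 'REJECT';
}

# Constructed cases: client IP, HELO string, authenticated flag.
for my $case (['203.0.113.7',   '[192.0.2.25]',            0],
              ['203.0.113.7',   'mail.example.net',        0],
              ['203.0.113.9',   'bobsmachine.example.net', 1],
              ['198.51.100.40', 'bobsmachine.example.net', 0],
              ['203.0.113.7',   'mx.example.org',          0]) {
    printf "%-14s HELO %-24s auth=%d => %s\n", @$case, helo_verdict(@$case);
}
```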