[Mimedefang] Re: Noting "may be forged" and IP-only HELO in filter_end

Dirk the Daring dirk at psicorps.org
Sun Mar 12 13:30:51 EST 2006


On Sun, 12 Mar 2006 mimedefang-request at lists.roaringpenguin.com wrote:

>------------------------------
>From: John Rudd <john at rudd.cc>
>
>For the IP-only HELO, or for HELO addresses you don't like, why not
>reject it during filter_helo?  That's when I do it (though, I don't
>think I'm doing it for IP-only HELO's, I'm just doing it for obviously
>stupid HELO's, like ones that claim to be from my own domain when the
>IP addr isn't in my block, or from localhost when it's not localhost).

  Who said I was going to wait until filter_end to reject it? As I noted
in my original query, I already reject the "stupid" HELOs long before
filter, let alone filter_end.

  What I've noticed is that, often, what little SPAM leaks through used an
IP-only HELO. My purpose is to globally increase the SPAM scores of any
foreign E-Mail where the mailserver HELO'd me IP-only, and also combine
that bit of information (the fact that the HELO was IP-only) with other
facts (e.g. a positive return from ClamAV) to see if I want to
bit-bucket the E-Mail before I bother calling SpamAssassin.

  My philosophy is that the sooner I can ID and dump obviously garbage
E-Mail, the less of my resources the SPAMmer/phisher/cracker gets to
consume.

>------------------------------
>From: "David F. Skoll" <dfs at roaringpenguin.com>
>
>> I'd like to use the [HELO] information in filter_end, but I don't
>> have the HELO string
>
>Yes, you do.  It's in the global variable $Helo.

    Ah. Thanks for pointing that out.

>----------------------------------------------------------------------

   I'm still interested in finding out if anyone knows of a low-cost way
to pick up on sendmail's determination of "may be forged" as it
eventually shows in the "Received: from" header.
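One way to act on $Helo in filter_end along the lines described above, as an added example for this thread and not code from the poster or from the MIMEDefang distribution. It assumes a stock mimedefang-filter with ClamAV as the configured scanner, that message_contains_virus() returns ($code, $category, $action) with $code == 1 on a hit as the sample filter expects, and the score penalties are constructed values; helo_is_ip_only() is a hypothetical helper. Note that "[192.0.2.10]" with brackets is an RFC 5321 address literal and legal for a host without a name, so it is scored more gently than a bare dotted quad.

```perl
use strict;
use warnings;

# Hypothetical helper: classify the HELO argument.
#   'bare'    -> nothing but a dotted quad ("192.0.2.10"), the case in this thread
#   'literal' -> an RFC 5321 address literal ("[192.0.2.10]", "[IPv6:2001:db8::1]")
#   ''        -> a hostname (or anything else)
sub helo_is_ip_only {
    my ($helo) = @_;
    return '' unless defined $helo;
    return 'bare'    if $helo =~ /^\d{1,3}(?:\.\d{1,3}){3}$/;
    return 'literal' if $helo =~ /^\[(?:\d{1,3}(?:\.\d{1,3}){3}|IPv6:[0-9a-fA-F:.]+)\]$/;
    return '';
}

sub filter_end {
    my ($entity) = @_;

    my $ip_helo = helo_is_ip_only($Helo);   # $Helo is MIMEDefang's global

    # Cheap checks first: an IP-only HELO combined with a ClamAV hit is
    # discarded before SpamAssassin is ever invoked, which is the resource
    # saving the poster is after.
    my ($code, $category, $action) = message_contains_virus();
    if ($ip_helo && $code == 1) {
        md_syslog('warning', "discarding: IP-only HELO '$Helo' plus ClamAV hit ($VirusName)");
        action_discard();
        return;
    }

    my ($hits, $req, $names, $report) = spam_assassin_check();
    return unless defined $hits;

    # Constructed penalties: a bare IP HELO weighs more than a bracketed literal.
    $hits += 2.0 if $ip_helo eq 'bare';
    $hits += 0.5 if $ip_helo eq 'literal';

    if ($hits >= $req) {
        action_add_header('X-Spam-Flag',  'YES');
        action_add_header('X-Spam-Score', sprintf('%.1f (threshold %.1f)', $hits, $req));
        action_add_header('X-Spam-HELO',  "$ip_helo ($Helo)") if $ip_helo;
    }
}
```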
