[Mimedefang] Revisit: Filtering on HELO
Kevin A. McGrail
kmcgrail at pccc.com
Fri Mar 16 11:44:28 EDT 2007
>> I find HELO-filtering very effective in stopping spammers before they
>> get to waste my resources. After all, why bother with RBLs, Clam and/or
>> SpamAssassin if the spammer is stoopid enuf to tip their hand at HELO? At
>> the same time, I don't want to create a situation where my filter has a
>> great risk of false-positives
> I've been logging helo strings for a few weeks. Requiring a valid
> helo will definitely get a significant minority of false positives.
I disagree but perhaps we have less stringent checks.
We have processed millions of emails with helo filtering with virtually no
problems except for 3ware/AMCC's poorly handle 3DM software sending invalid
HELO statements and their engineers being unable to fix the issue.
We check for localhost or 127.0.0.1
We check for our name.
We check for our IP address with/without ['s
We check for helo of friend
We check for helo where length < 3 or doesn't have dots.
I do NO forward<->reverse comparisons.
I then couple this with a check for valid mx.
But all of these are excluded for authorized users.
Been very pleased with the results and I'm a big believer in minimizing FPs.
More information about the MIMEDefang