I think the point was not what to do with this broken one, but that spammers
are using random digits for their HELO.  One of the HELOISIP plugins should
handle those nicely, though...with appropriate weighting.

Darin.


----- Original Message ----- 
From: "Bill Landry" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Wednesday, October 20, 2004 7:35 PM
Subject: Re: [Declude.JunkMail] Random Helo strings


----- Original Message ----- 
From: "Kevin Bilbee" <[EMAIL PROTECTED]>

> It looks like spammers are starting to randomize their helo strings. I just
> received this as a helo:
>
>
> <rnddg[2]>.<rnddg[2]>.<rnddg[2]>.<rnddg[2]>
>
> Looks like it is trying to create a random IP address for the helo.

DNSBLs use client IP address.  RHSBLs use envelope/mailfrom domain
(depending on spam tool used).  SURBLs use URI domain.  SPF uses A/PTR/MX
records. RDNS checks for a reverse DNS entry.  SpamDomains uses envelope
sender domain.  Etc, etc, etc.  Most people do not base much on helo info,
except to block on it if it's clearly bogus, as this one is.  This is not a
valid helo hostname and would be blocked by my gateways.  And didn't
helobogus flag this one?

Bill

---
[This E-mail was scanned for viruses by Declude Virus
(http://www.declude.com)]

---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail".  The archives can be found
at http://www.mail-archive.com.
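
An added illustration, not part of the thread and not Declude's own code: a syntax-only HELO classifier showing why the unexpanded template quoted above fails hostname validation, and how a bare dotted quad is told apart from a bracketed address literal. The category names, weights and sample strings are assumptions made for this example.

```python
import ipaddress
import re

# One hostname label: letters, digits, hyphen; no leading or trailing hyphen.
_LABEL = re.compile(r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)")

# Hypothetical weights for a score-based filter (not taken from any product).
WEIGHTS = {"fqdn": 0, "address-literal": 0, "unqualified": 2,
           "bare-ip": 5, "bogus": 10}


def classify_helo(arg):
    """Classify a HELO/EHLO argument by syntax alone (no DNS lookups)."""
    arg = arg.strip()
    # Address literal such as [192.0.2.25] or [IPv6:2001:db8::1].
    if arg.startswith("[") and arg.endswith("]"):
        inner, parser = arg[1:-1], ipaddress.IPv4Address
        if inner.lower().startswith("ipv6:"):
            inner, parser = inner[5:], ipaddress.IPv6Address
        try:
            parser(inner)
            return "address-literal"
        except ValueError:
            return "bogus"
    # Dotted quad without brackets: not a hostname, not a valid literal.
    try:
        ipaddress.IPv4Address(arg)
        return "bare-ip"
    except ValueError:
        pass
    labels = arg.rstrip(".").split(".")
    if not arg or len(arg) > 255 or not all(_LABEL.fullmatch(l) for l in labels):
        return "bogus"  # illegal characters, empty labels, over-long name
    if labels[-1].isdigit():
        return "bogus"  # all-numeric final label, e.g. a malformed IP
    return "fqdn" if len(labels) > 1 else "unqualified"


def score_helo(arg):
    kind = classify_helo(arg)
    return kind, WEIGHTS[kind]


if __name__ == "__main__":
    samples = [  # constructed inputs; the first is the string from the thread
        "<rnddg[2]>.<rnddg[2]>.<rnddg[2]>.<rnddg[2]>",
        "83.17.42.96", "[192.0.2.25]", "mail.example.com", "localhost",
    ]
    for s in samples:
        print(f"{s!r:50} {score_helo(s)}")
```

A randomized dotted quad that the spam tool does expand correctly lands in `bare-ip` rather than `bogus`, which is the case a HELO-is-IP style test with its own weighting is meant to cover.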
