Because we see a lot of legitimate mail that fails HELO/EHLO, we cannot block on this alone. You're extremely lucky if you've found that all bogus HELOs are spam. There's a thread in the IMail forum right now discussing MS mail clients that send machine names without FQDN, and would thus fail the A and MX lookup tests on the HELO.
Our first priority is to deliver all legitimate mail to our customers. Second is blocking spam and viruses.

Darin.

----- Original Message -----
From: "Bill Landry" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Wednesday, October 20, 2004 8:24 PM
Subject: Re: [Declude.JunkMail] Random Helo strings

----- Original Message -----
From: "Darin Cox" <[EMAIL PROTECTED]>

> Hmmm...I think we all care. Knowing what the spammers are doing helps us
> block it. It's one thing to have a test that identifies it. It's another
> to know what the spammers are doing and use that info wisely.
>
> I think the point is to watch your incoming for the possibility of
> increasing the weighting of the HELOBOGUS and HELOISIP tests.

Okay, then I can understand that you will need to watch for these very closely. I already catch these 100% of the time and will not even accept their delivery, so no need to spam check or virus scan them.

I just checked, and even IMail can handle these: "Verify HELO/EHLO domain"

From the IMail help file:

=====
HELO/EHLO Domain Verification

The domain passed during the HELO/EHLO is used to perform a DNS query to verify that the domain specified has an "A" record or an "MX" record. If this test fails, an X-Header is inserted into the message.
=====

In this section you can also specify "Delete messages after ??? matches". Set this to "1" and forget it. Obviously the hostname is non-RFC-compliant, and therefore will fail both the "A" and "MX" lookups, so why even bother processing the message any further?

Bill

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---
This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com.
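
The two policies argued in this thread (adding weight for a failed HELO check versus deleting on the first failure), sketched as an added example that is not part of the original messages and is not Declude or IMail code. The category names, weights, `hold_at` threshold and the `sample_lookup` stand-in for DNS are constructed assumptions.

```python
import ipaddress
import re

# One DNS label: letters, digits, hyphens; no leading or trailing hyphen.
LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")
# Constructed weights for illustration; not Declude or IMail defaults.
WEIGHTS = {"ok": 0, "not_fqdn": 3, "no_dns": 4, "ip": 5, "malformed": 8}

def classify_helo(helo, has_a_or_mx):
    """Categorise a HELO/EHLO argument.

    has_a_or_mx is a caller-supplied lookup (hypothetical hook) returning
    True when the name has an A or MX record.
    """
    name = helo.strip().rstrip(".")
    # Address literal such as [192.0.2.10] or [IPv6:2001:db8::1], or a bare IP.
    literal = name[1:-1] if name.startswith("[") and name.endswith("]") else name
    if literal.lower().startswith("ipv6:"):
        literal = literal[5:]
    try:
        ipaddress.ip_address(literal)
        return "ip"
    except ValueError:
        pass
    labels = name.split(".")
    if not all(LABEL.match(label) for label in labels):
        return "malformed"   # empty string, illegal characters, empty label
    if len(labels) < 2:
        return "not_fqdn"    # bare machine name, as some mail clients send
    return "ok" if has_a_or_mx(name) else "no_dns"

def decide(helo, has_a_or_mx, other_weight=0, hold_at=10, reject_on_fail=False):
    """Return 'reject', 'hold' or 'deliver' for one connection.

    reject_on_fail=True models deleting on the first failed check;
    otherwise the HELO result only adds weight to the other tests' total.
    """
    category = classify_helo(helo, has_a_or_mx)
    if reject_on_fail and category != "ok":
        return "reject"
    total = WEIGHTS[category] + other_weight
    return "hold" if total >= hold_at else "deliver"

# Constructed names standing in for live DNS so the example runs offline.
SAMPLE_ZONE = {"mail.example.com", "example.org"}

def sample_lookup(name):
    return name.lower() in SAMPLE_ZONE
```

With weighting, the bare machine name `DESKTOP01` is delivered unless other tests also score against it; with `reject_on_fail=True` the same connection is refused outright.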