Because we don't know it's spam. Web scripts and MS clients often have bad HELO strings. Yes, it would be nice if we could block just on this, but we can't as we see legit mail with bad HELO info.
I suspect you're probably blocking some legit mail as well...but maybe not. Might want to look at that just in case. Darin. ----- Original Message ----- From: "Bill Landry" <[EMAIL PROTECTED]> To: <[EMAIL PROTECTED]> Sent: Wednesday, October 20, 2004 8:37 PM Subject: Re: [Declude.JunkMail] Random Helo strings ----- Original Message ----- From: "Matt" <[EMAIL PROTECTED]> > There is great value in knowing these patterns, and simply having a > bogus HELO is not enough to consider something as being spam. In this case I think it is good enough to consider it spam. It is not an RFC compliant helo hostname, and only a spammer is going to include something like brackets "[]" and greater-than/less-than "<>" symbols in their hostname. That's good enough for me to reject delivery on. To me it's no different that a spammer trying to send me mail and using my server's hostname or IP address as their own helo hostname - I reject these outright. > When spammers randomize header elements, they actually create patterns > that can be tracked. This is ever evolving. Clearly we know about the > use of the MX's IP as the HELO, and also the use of the reverse DNS > entry as the HELO, and now it appears that there might be a different > pattern of some sort in use by at least one spammer. My feeling is why bother. Why expend the resources to process something that you know is spam? Anyway, I respect all of your opinions, this one just happens to be mine, and I'm sticking by it... ;-) Bill --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com.
