- Original Message -
From: Kevin Bilbee [EMAIL PROTECTED]
It looks like spammers are starting to randomize their HELO strings. I just
received this as a HELO:
rnddg[2].rnddg[2].rnddg[2].rnddg[2]
Looks like it is trying to create a random IP address for the HELO.
DNSBLs use client IP
Sent: Wednesday, October 20, 2004 7:35 PM
Subject: Re: [Declude.JunkMail] Random Helo strings
- Original Message -
From: Kevin Bilbee [EMAIL PROTECTED]
It looks like spammers are starting to randomize their HELO strings. I just
received this as a HELO:
rnddg[2].rnddg[2
- Original Message -
From: Darin Cox [EMAIL PROTECTED]
I think the point was not what to do with this broken one, but that spammers
are using random digits for their HELO. One of the HELOISIP plugins should
handle those nicely, though...with appropriate weighting.
Precisely my
the weighting of the HELOBOGUS and HELOISIP tests.
Darin.
- Original Message -
From: Bill Landry [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Wednesday, October 20, 2004 7:55 PM
Subject: Re: [Declude.JunkMail] Random Helo strings
- Original Message -
From: Darin Cox [EMAIL PROTECTED
an interest to us all.
Kevin Bilbee
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Bill Landry
Sent: Wednesday, October 20, 2004 4:55 PM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.JunkMail] Random Helo strings
- Original Message -
From: Darin Cox
Bill,
There is great value in knowing these patterns, and simply having a
bogus HELO is not enough to consider something as being spam.
When spammers randomize header elements, they actually create patterns
that can be tracked. This is ever evolving. Clearly we know about the
use of the MX's
- Original Message -
From: Darin Cox [EMAIL PROTECTED]
Hmmm...I think we all care. Knowing what the spammers are doing helps us
block it. It's one thing to have a test that identifies it. It's another
to know what the spammers are doing and use that info wisely.
I think the point
- Original Message -
From: Matt [EMAIL PROTECTED]
There is great value in knowing these patterns, and simply having a
bogus HELO is not enough to consider something as being spam.
In this case I think it is good enough to consider it spam. It is not an
RFC-compliant HELO hostname,
: [Declude.JunkMail] Random Helo strings
- Original Message -
From: Darin Cox [EMAIL PROTECTED]
Hmmm...I think we all care. Knowing what the spammers are doing helps us
block it. It's one thing to have a test that identifies it. It's another
to know what the spammers are doing and use
Bill,
Please remember the old thing about YMMV, and also that different
people have different standards.
Your suggestion to block invalid HELOs would create big issues for my
system; in fact I only weight HELOBOGUS at about 25% of my hold
weight. For instance, have you ever seen a message
- Original Message -
From: Kevin Bilbee [EMAIL PROTECTED]
Darin got it correct. I was pointing this out because some on this list
suggested that blocking an email that has an IP for its HELO is not a good
way to block spam. I personally think it is.
Using HELOISIP or CONTAINSIP is a
- Original Message -
From: Darin Cox [EMAIL PROTECTED]
Because we see a lot of legitimate mail that fails HELO/EHLO, we cannot
block on this alone. You're extremely lucky if you've found that all bogus
HELOs are spam. There's a thread in the IMail forum right now discussing MS
mail
PROTECTED] Behalf Of Bill Landry
Sent: Wednesday, October 20, 2004 5:38 PM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.JunkMail] Random Helo strings
- Original Message -
From: Matt [EMAIL PROTECTED]
There is great value in knowing these patterns, and simply having a
bogus HELO
at that just in case.
Darin.
- Original Message -
From: Bill Landry [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Wednesday, October 20, 2004 8:37 PM
Subject: Re: [Declude.JunkMail] Random Helo strings
- Original Message -
From: Matt [EMAIL PROTECTED]
There is great value
- Original Message -
From: Kevin Bilbee [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Wednesday, October 20, 2004 5:53 PM
Subject: RE: [Declude.JunkMail] Random Helo strings
Brackets are perfectly valid in the host name if they wrap an IP address:
[xxx.xxx.xxx.xxx]. I have seen
- Original Message -
From: Matt [EMAIL PROTECTED]
Please remember the old thing about YMMV, and also that different people
have different standards.
Your suggestion to block invalid HELOs would create big issues for my
system; in fact I only weight HELOBOGUS at about 25% of my hold
To: [EMAIL PROTECTED]
Sent: Wednesday, October 20, 2004 8:48 PM
Subject: Re: [Declude.JunkMail] Random Helo strings
- Original Message -
From: Kevin Bilbee [EMAIL PROTECTED]
Darin got it correct. I was pointing this out because some on this list
suggested that blocking an email that has an IP
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Bill Landry
Sent: Wednesday, October 20, 2004 5:49 PM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.JunkMail] Random Helo strings
- Original Message -
From: Kevin Bilbee [EMAIL PROTECTED]
Darin got
- Original Message -
From: Darin Cox [EMAIL PROTECTED]
Because we don't know it's spam. Web scripts and MS clients often have bad
HELO strings. Yes, it would be nice if we could block just on this, but we
can't, as we see legit mail with bad HELO info.
I suspect you're probably
Subject: Re: [Declude.JunkMail] Random Helo strings
- Original Message -
From: Kevin Bilbee [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Wednesday, October 20, 2004 5:53 PM
Subject: RE: [Declude.JunkMail] Random Helo strings
Brackets are perfectly valid in the host name
Of Bill Landry
Sent: Wednesday, October 20, 2004 6:04 PM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.JunkMail] Random Helo strings
- Original Message -
From: Matt [EMAIL PROTECTED]
Please remember the old thing about YMMV, and also that different people
have different standards
in this case that the spammer uses a function to randomly generate 2-digit
numbers for each octet of the IP.
Darin.
- Original Message -
From: Bill Landry [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Wednesday, October 20, 2004 8:59 PM
Subject: Re: [Declude.JunkMail] Random Helo strings
[EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Wednesday, October 20, 2004 9:03 PM
Subject: Re: [Declude.JunkMail] Random Helo strings
- Original Message -
From: Matt [EMAIL PROTECTED]
Please remember the old thing about YMMV, and also that different people
have different standards.
Your
- Original Message -
From: Darin Cox [EMAIL PROTECTED]
I guess my rules aren't quite to the point where I can clearly separate the
legit mail with bogus HELOs from the spam without relying on other tests
in a weighting system. That's why it wouldn't work for me to block on this
- Original Message -
From: Kevin Bilbee [EMAIL PROTECTED]
I was replying to your comment that you block HELO strings that are IP
addresses. Look at your previous post.
Nope, never said that and have never done that. The only exception, like I
said, is if the connecting mail server
: [Declude.JunkMail] Random Helo strings
- Original Message -
From: Darin Cox [EMAIL PROTECTED]
I guess my rules aren't quite to the point where I can clearly separate the
legit mail with bogus HELOs from the spam without relying on other tests
in a weighting system. That's why it wouldn't
] Random Helo strings
- Original Message -
From: Kevin Bilbee [EMAIL PROTECTED]
I was replying to your comment that you block HELO strings that are IP
addresses. Look at your previous post.
Nope, never said that and have never done that. The only
exception, like I said
- Original Message -
From: Bill Landry [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Wednesday, October 20, 2004 9:09 PM
Subject: Re: [Declude.JunkMail] Random Helo strings
- Original Message -
From: Darin Cox [EMAIL PROTECTED]
Because we don't know it's spam. Web scripts and MS clients
Darin.
- Original Message -
From: Bill Landry [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Wednesday, October 20, 2004 9:09 PM
Subject: Re: [Declude.JunkMail] Random Helo strings
- Original Message -
From: Darin Cox [EMAIL PROTECTED]
Because we don't know it's spam
- Original Message -
From: Darin Cox [EMAIL PROTECTED]
No Postfix, but something I may think about.
I block about 60,000 messages per day at each of my two Postfix gateways
using a combination of client, hostname, header checks and greylisting
filter rules. Obviously this takes a huge
- Original Message -
From: Kevin Bilbee [EMAIL PROTECTED]
Ok, this is what I was responding to. You are correct, you did not say that,
but [] are valid in the HELO string if they are in the form of a well-formed
IP. We have a few customers that send mail with the HELO being a
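The thread keeps circling the same three cases: a bracketed address literal like [xxx.xxx.xxx.xxx] is valid HELO syntax, a bare dotted quad or a non-FQDN string is not, and the rnddg[2] string is an unexpanded spamware template that fails every rule. Below is an added example, not code from Declude or from any poster, that turns those points into a small weighted HELO checker with constructed sample strings. The test names HELOBOGUS, HELOISIP and CONTAINSIP are the Declude names used in the thread, but the matching logic here is this example's own approximation, and HELOTEMPLATE, HELOIPMISMATCH and every weight (including the 25%-of-hold figure one poster mentions for HELOBOGUS) are assumptions chosen for illustration.

```python
"""Weighted HELO/EHLO checks illustrating the tests discussed in the thread.

Assumptions (not Declude's implementation): the regexes, the extra
HELOTEMPLATE and HELOIPMISMATCH tests, and all weights below.
"""
import ipaddress
import re

# RFC 2821 section 4.1.1.1: the HELO argument is a domain name or an address
# literal such as [192.0.2.10]. A label is letters, digits and hyphens, and
# may not begin or end with a hyphen.
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
FQDN_RE = re.compile(rf"^(?:{_LABEL}\.)+{_LABEL}$")   # two or more labels
ADDRESS_LITERAL_RE = re.compile(r"^\[([0-9.]+)\]$")   # brackets wrapping digits/dots
BARE_IP_RE = re.compile(r"^[0-9.]+$")                 # digits/dots, no brackets
CONTAINS_IP_RE = re.compile(r"(?<!\d)(\d{1,3}(?:\.\d{1,3}){3})(?!\d)")
TEMPLATE_RE = re.compile(r"[A-Za-z_]+\[\d+\]")        # unexpanded token like rnddg[2]

# Assumed weights. HELOBOGUS alone stays well below the hold weight, which is
# the thread's point about legitimate MS clients and web scripts.
HOLD_WEIGHT = 100
WEIGHTS = {
    "HELOBOGUS": 25,        # neither an FQDN nor a valid address literal
    "HELOISIP": 30,         # dotted quad without brackets
    "CONTAINSIP": 10,       # a dotted quad embedded in an otherwise valid name
    "HELOTEMPLATE": 75,     # spamware template that was never expanded
    "HELOIPMISMATCH": 20,   # claimed address differs from the connecting IP
}


def _as_ipv4(text):
    """Return an IPv4Address for a well-formed dotted quad, else None."""
    try:
        return ipaddress.IPv4Address(text)
    except ValueError:
        return None


def helo_tests(helo, client_ip=None):
    """Return the sorted list of test names that fire for one HELO string.

    client_ip (optional) is the connecting peer's address; when given, a HELO
    that claims a specific IP is compared against it.
    """
    fired = set()
    literal = ADDRESS_LITERAL_RE.match(helo)
    bare = BARE_IP_RE.match(helo)
    claimed_ip = None
    if literal and _as_ipv4(literal.group(1)):
        # Brackets are valid when they wrap a well-formed address.
        claimed_ip = _as_ipv4(literal.group(1))
    elif bare and _as_ipv4(helo):
        fired.add("HELOISIP")
        claimed_ip = _as_ipv4(helo)
    elif literal or bare or not FQDN_RE.match(helo):
        # Malformed literal, malformed bare IP, or not a multi-label domain.
        fired.add("HELOBOGUS")
    if TEMPLATE_RE.search(helo):
        fired.add("HELOTEMPLATE")
    if claimed_ip is None and any(
        _as_ipv4(m.group(1)) for m in CONTAINS_IP_RE.finditer(helo)
    ):
        fired.add("CONTAINSIP")
    if (claimed_ip is not None and client_ip is not None
            and claimed_ip != ipaddress.IPv4Address(client_ip)):
        fired.add("HELOIPMISMATCH")
    return sorted(fired)


def helo_score(helo, client_ip=None):
    """Sum the assumed weights of every test that fires."""
    return sum(WEIGHTS[name] for name in helo_tests(helo, client_ip))


def helo_verdict(helo, client_ip=None):
    """'hold' when the weighted score reaches HOLD_WEIGHT, else 'deliver'."""
    return "hold" if helo_score(helo, client_ip) >= HOLD_WEIGHT else "deliver"


if __name__ == "__main__":
    # Constructed sample HELO strings covering the cases raised in the thread.
    samples = [
        ("mail.example.com", "203.0.113.5"),               # clean FQDN
        ("[192.0.2.10]", "192.0.2.10"),                     # valid literal, matches peer
        ("[192.0.2.10]", "203.0.113.5"),                    # valid literal, wrong peer
        ("12.34.56.78", "203.0.113.5"),                     # bare two-digit octets
        ("MSHOME", "203.0.113.5"),                          # single-label MS client name
        ("[999.1.2.3]", "203.0.113.5"),                     # brackets, but not an IP
        ("rnddg[2].rnddg[2].rnddg[2].rnddg[2]", "203.0.113.5"),
    ]
    for helo, peer in samples:
        print(f"{helo:40} {helo_score(helo, peer):3}  {helo_verdict(helo, peer):7}  "
              f"{helo_tests(helo, peer)}")
```

With these weights only the unexpanded template string reaches the hold weight; a lone HELOBOGUS or HELOISIP hit is recorded but left to the rest of the weighting system, which matches the caution in the thread about legitimate mail with bad HELO strings.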