Gordon Messmer writes:
> On 05/20/2015 08:05 AM, Lindsay Haisley wrote:
>> The helo address in rate-limited spams tells a lot. ...
>> They observed that commercial spamming operations engage in what's called "domain tasting" from registrars ... Large spam spews from these people cover a huge range of IP addresses and an infinite number of domain names, but I'm seeing only half a dozen or so name servers for these domain names.
>
> What do you get from the HELO data that you don't get from the envelope sender address? Wouldn't you get the same or better set of nameservers if you look up NS for the domain in the from=<> entry in the log?
HELO is a good canary in the coal mine. Legitimate mail senders will pay attention and configure their mail servers properly, so that their HELO matches their DNS address.

Although this is not a difficult task, fly-by-night spam spewers want to come up and unload their spew ASAP, and often don't have the time to set up reverse DNS properly and make their mail config agree. Sometimes they do, but many times they don't. It's a useful metric.
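As an added illustration of the HELO/DNS agreement metric described above (example code, not from the original post or from Courier), the function below scores a connecting client on whether its HELO name is a real hostname, forward-resolves to the connecting IP, and matches the IP's PTR record. The A and PTR tables are constructed so the example runs offline; a live check would replace them with real resolver lookups.

```python
"""Score SMTP HELO consistency against DNS, one cheap spam-filter input.

The FORWARD/REVERSE tables are constructed stand-ins for real DNS so the
example runs offline; swap in resolver calls for a live MTA check.
"""
import ipaddress

# Constructed forward (A) and reverse (PTR) records for the example.
FORWARD = {
    "mail.example.com": {"192.0.2.10"},
    "mx1.example.net": {"198.51.100.7"},
}
REVERSE = {
    "192.0.2.10": "mail.example.com",
    "198.51.100.7": "mx1.example.net",
    "203.0.113.44": "203-0-113-44.dynamic.example.org",
}

def helo_checks(helo, client_ip, forward=FORWARD, reverse=REVERSE):
    """Return the three consistency checks an MTA can make at HELO time.

    syntax  - HELO is a hostname, not a bare IP or [address literal]
    forward - HELO resolves (A record) to the connecting IP
    reverse - PTR of the connecting IP names the HELO host (FCrDNS)
    """
    result = {"syntax": False, "forward": False, "reverse": False}
    name = helo.strip().lower().rstrip(".")
    # A bare address or [literal] is legal SMTP but asserts no identity,
    # so it fails every check outright.
    literal = name[1:-1] if name.startswith("[") and name.endswith("]") else name
    try:
        ipaddress.ip_address(literal)
        return result
    except ValueError:
        pass
    result["syntax"] = "." in name
    result["forward"] = client_ip in forward.get(name, set())
    result["reverse"] = reverse.get(client_ip, "").lower().rstrip(".") == name
    return result

def helo_score(helo, client_ip, **kw):
    """0 = fully consistent, 3 = fails every check; feed it to the filter."""
    return sum(1 for ok in helo_checks(helo, client_ip, **kw).values() if not ok)

if __name__ == "__main__":
    # Constructed log-style samples: (HELO, connecting IP)
    for helo, ip in [("mail.example.com", "192.0.2.10"),
                     ("mx1.example.net", "203.0.113.44"),
                     ("[203.0.113.44]", "203.0.113.44")]:
        print(f"{helo:20} {ip:14} score={helo_score(helo, ip)} {helo_checks(helo, ip)}")
```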
_______________________________________________
courier-users mailing list
courier-users@lists.sourceforge.net
Unsubscribe: https://lists.sourceforge.net/lists/listinfo/courier-users