We've done this for over a year (and block true IP forging at the routers -- the test gets the ones that forge HELO as the IP). No false positives (I am often out of the office with my notebook and use SMTP AUTH to send then, no problems), lots of spam. You do NOT need any of the below, as the test grabs up only those who are forging the name or IP of the mail server receiving the mail (and if you have multiple email servers, they should have different names, IPs and versions of this test, or offset catching partial domain matches by using negative weight for internal IPs). This works just fine on IMAIL 7.x, Declude (all versions for the last year or so) and does not require WHITELIST AUTH. I'm not sure what part of these rules you see requiring the more advanced features of IMAIL 8?
The only difference in the tests below and the ones we use is that we do a full match on some (IS, not CONTAINS), as analysis of our log files showed that those who pull this type of forging always do a complete matchup, not a partial forgery (that we have seen so far). I use CONTAINS on the domain name, as notebooks coming from the outside never include the domain in their authentication (that I have seen). In any case, the original poster is using a fairly low weight (for us) to flag these --- we hold any forged HELO/EHLO automatically and have never had a false positive due to it. Specifically, we use (with our domain instead of "example" and our internal IP instead of "x.x.x.x"):

# catch attempt to pretend to be us
HELO 15 CONTAINS example.com
HELO 30 IS x.x.x.x
HELO 30 IS 127.0.0.1
HELO 30 CONTAINS $domain
HELO 15 STARTSWITH [
REVDNS 15 ENDSWITH .in-addr.arpa

where 10 is a review weight (used to be 15), 30 is hold (reviewed bi-monthly, possibly; only searched if something expected is missing -- I've only ever had one legit msg held in over a year, even as we dropped this from 60 down to 30). 60 is delete (as are many banned senders and porn sites/senders). As our FP rate at 10-30 is so low and I can't remember one over 20 in a long time, the hold weight will probably be dropping soon.

Karen Oland

> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] Behalf Of Matthew Bramble
> Sent: Tuesday, September 23, 2003 1:16 AM
> To: [EMAIL PROTECTED]
> Subject: Re: [Declude.JunkMail] Another very effective filter test
>
>
> Bill,
>
> One other very important note. You need to be using IMail 8, WHITELIST
> AUTH with Declude 1.76b and make sure that all the mail clients are
> configured to use SMTP AUTH, otherwise intra-server E-mail is going to
> get tagged. I can't use this in its present form because I'm using
> IMail 7 :(
>
> Am I missing something?
>
> Matt
>
>
> Bill Landry wrote:
>
> >This test is very effective at flagging or blocking spam from mail hosts
> >that attempt to connect to your mail server and announce your own hostnames
> >or IP addresses to it in their HELO string, especially if your IMail/Declude
> >server is directly sending and receiving mail from the Internet (less
> >functional, but still works if relaying via mail gateway to IMail/Declude).
> >This filter looks for the bogus HELO info in the headers. In my testing,
> >100% of the messages delivered by these mail hosts are spam.
> >
> >Think about it, why would any other legitimate mail server out there attempt
> >to connect to your mail server announcing your own hostname or IP address in
> >its HELO string? The answer is, it wouldn't. Anyway, here is the test I
> >use to detect these.
> >
> >In global.cfg:
> >FORGEDHELO-FILTER filter M:\IMail\Declude\ForgedHelo-Filter.txt x 7 0
> >
> >In ForgedHelo-Filter.txt file:
> >=====
> ># In case you have mail gateways, deduct equal weight for these hosts
> >HELO -7 ENDSWITH gw1.yourdomain.com
> >HELO -7 ENDSWITH gw2.yourdomain.com
> >
> ># Remote mail hosts connecting and announcing your IP addresses
> >HELO 0 CONTAINS xxx.xxx.xxx.
> >HELO 0 CONTAINS xxx.xxx.xxx.
> >
> ># Remote mail hosts connecting and announcing your hostnames
> >HELO 0 ENDSWITH your-host.com
> >HELO 0 ENDSWITH your-host.net
> >HELO 0 ENDSWITH cust-host.com
> >HELO 0 ENDSWITH cust-host.net
> >=====
> >
> >If you are not already running a test like this, try it out. I think you
> >will find that it will flag lots of spam.
> >
> >Bill
>
> ---
> [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---
This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com.
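The rule sets in this thread share one mechanism: each HELO or REVDNS rule carries a weight, every matching rule adds its weight, negative weights cancel the hit for a known gateway, and the total is compared against review/hold/delete thresholds. The following stand-alone Python script is an added illustration of that scoring, not Declude's code and not either poster's configuration. It assumes the hosted domains, the server IP (a TEST-NET-3 address) and the meaning of the $domain token (expanded to one rule per hosted domain); the connection records it scores are constructed, not captured.

```python
"""Weighted scoring of HELO/EHLO forgery in the style of the Declude rules
quoted in this thread.  Added example: not Declude's code and not either
poster's configuration.  Assumptions: the receiving server's hosted domains
and IP are the documentation values below, and the $domain token expands to
every hosted domain."""
from __future__ import annotations
from dataclasses import dataclass

HOSTED_DOMAINS = ("example.com", "example.net")   # assumption
OUR_IP = "203.0.113.10"                           # assumption (TEST-NET-3)

# Rule text in the form the posts use: TEST WEIGHT OP VALUE.  Weights follow
# the scale in Karen Oland's message (10 review, 30 hold, 60 delete).
RULES_TEXT = f"""
# A mail gateway of ours legitimately announces our name: cancel that hit.
HELO -30 ENDSWITH gw1.example.com
# Remote hosts announcing our own names or addresses.
HELO 30 CONTAINS $domain
HELO 30 IS {OUR_IP}
HELO 30 IS 127.0.0.1
# Bare address literal, and a reverse lookup that never resolved to a name.
HELO 15 STARTSWITH [
REVDNS 15 ENDSWITH .in-addr.arpa
"""

THRESHOLDS = (("delete", 60), ("hold", 30), ("review", 10))  # checked high to low

OPS = {
    "IS": lambda s, v: s == v,
    "CONTAINS": lambda s, v: v in s,
    "STARTSWITH": lambda s, v: s.startswith(v),
    "ENDSWITH": lambda s, v: s.endswith(v),
}


@dataclass(frozen=True)
class Rule:
    test: str      # HELO or REVDNS
    weight: int
    op: str
    value: str     # stored lower-cased; comparisons are case-insensitive (assumption)


def parse_rules(text: str) -> list[Rule]:
    """Parse rule lines; blank lines and '#' comments are skipped."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        test, weight, op, value = line.split(None, 3)
        values = HOSTED_DOMAINS if value == "$domain" else (value,)
        for v in values:
            rules.append(Rule(test.upper(), int(weight), op.upper(), v.lower()))
    return rules


def score(helo: str, revdns: str, rules: list[Rule]) -> tuple[int, list[str]]:
    """Sum the weights of every matching rule; return the total and the hits."""
    subjects = {"HELO": helo.lower(), "REVDNS": revdns.lower()}
    total, hits = 0, []
    for r in rules:
        if OPS[r.op](subjects[r.test], r.value):
            total += r.weight
            hits.append(f"{r.test} {r.weight:+d} {r.op} {r.value}")
    return total, hits


def action(total: int) -> str:
    """Map a total weight to the first threshold it reaches, else deliver."""
    for name, threshold in THRESHOLDS:
        if total >= threshold:
            return name
    return "deliver"


# Constructed connections: (description, HELO string, reverse DNS of the peer).
SAMPLE_CONNECTIONS = [
    ("forges our hostname", "mail.example.com", "cpe-a1.dsl.example.org"),
    ("forges our IP", OUR_IP, "9.100.51.198.in-addr.arpa"),
    ("loopback in HELO", "127.0.0.1", "unknown"),
    ("notebook, address literal", "[192.168.1.5]", "dhcp-5.coffeeshop.example.org"),
    ("our own gateway", "gw1.example.com", "gw1.example.com"),
    ("ordinary remote MTA", "mx1.partner.example.org", "mx1.partner.example.org"),
]


def classify_all(rules: list[Rule] | None = None) -> dict[str, str]:
    """Score every sample connection and return description -> action."""
    rules = rules or parse_rules(RULES_TEXT)
    return {desc: action(score(h, r, rules)[0]) for desc, h, r in SAMPLE_CONNECTIONS}


if __name__ == "__main__":
    rules = parse_rules(RULES_TEXT)
    for desc, helo, revdns in SAMPLE_CONNECTIONS:
        total, hits = score(helo, revdns, rules)
        print(f"{desc:28} {action(total):8} {total:+4}  {hits}")
```

The gateway row shows why the negative rule matters: gw1.example.com earns the same +30 a forger would for containing our domain, and the -30 ENDSWITH rule brings it back to zero. The notebook row lands at review only because of the bare address literal; in a real deployment that host would be authenticated and never reach these rules, which is the point made in the thread about SMTP AUTH.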
