I also modified this into two different files, FORGEDHELO-IP and FORGEDHELO-FQDN. The reason for this is that FPs are almost non-existent when the IP is used as the host name, and this allows me to score it higher. Forged FQDNs are definitely more likely to FP. I attached a copy of my filters to this message. They are very effective so far, thanks for the tips. If you don't mind, I would like to publish these when my site is ready. Note though that this doesn't include all of the tweaks suggested in this thread; however, I may add them myself.
Matt
# FORGEDHELO-FQDN
# Last Update: 09/23/2003
#
# Description:
# This filter is designed to detect senders that forge the Fully Qualified Domain Name (FQDN) in
# use on the mail server.
#
# Usage:
# Based on a fail weight of 10.
#
# -----Global.cfg-----
# FORGEDHELO-FQDN filter C:\IMail\Declude\ForgedHELO-FQDN.txt x 7 0
#
# False Positives:
# Scoring false positives will primarily come from hardware or software with built-in SMTP
# capabilities for sending automated notifications which are configured either by default
# or by configuration to use the name of the mail host. Mail clients on computers using
# the FQDN of the mail server as their computer name can also produce false positives.
#
# Counterbalances:
# Negative weighting is applied for Netscape and Mozilla mail clients which use the domain name
# listed in the From address. Counterbalancing is not necessary if all local users are
# configured to use SMTP AUTH, and Declude is configured for WHITELIST AUTH (v1.76+) in
# combination with IMail 8+.
#
# Test Exclusions:
# Messages containing the Netscape/Mozilla marker in the headers.
HEADERS -7 CONTAINS mozilla
#
# Filter Matches:
# Looks for FQDNs configured on the server. Domains should be listed as they appear in E-mail
# addresses as well as how they appear in MX records. Explicit matching (IS) should be used in
# order to prevent false positives.
#
# A good tool for generating a list of domains that you serve is ExtractUsers which is found at
# http://dev.myownemail.com/Imail/ExtractUsers.htm , placed in c:\extractusers\ directory, and
# run from the command line with "c:\extractUsers\extractUsers.exe -f c:\extractusers". This will
# output a file called Domains.txt among other things which can be used to create a list of
# domains for use in this filter.
#HELO 0 IS example.com
#HELO 0 IS mail.example.com
HELO 0 IS alanbyervolvo.com
HELO 0 IS albanynylawyer.com
HELO 0 IS artsleague.org
HELO 0 IS changingspacesgallery.com
HELO 0 IS cjscaramerica.com
HELO 0 IS confirminc.com
HELO 0 IS conversionvans.net
HELO 0 IS coopergroup.com
HELO 0 IS cweaver.com
HELO 0 IS dailygrind.com
HELO 0 IS deejaynet.com
HELO 0 IS doostore.com
HELO 0 IS gmauburnautomall.com
HELO 0 IS hartnettlawoffices.com
HELO 0 IS hhfd.org
HELO 0 IS hlford.com
HELO 0 IS humphreyfam.com
HELO 0 IS igaia.com
HELO 0 IS inglesperformance.com
HELO 0 IS larkstreetcomputers.com
HELO 0 IS mercurios.com
HELO 0 IS merrittseed.com
HELO 0 IS missionmeadows.org
HELO 0 IS murrellfam.com
HELO 0 IS ndimensional.org
HELO 0 IS net-arts.org
HELO 0 IS nyautos.com
HELO 0 IS nycars.com
HELO 0 IS nyeauto.com
HELO 0 IS paolozzi.com
HELO 0 IS peckspages.com
HELO 0 IS plumberboy.com
HELO 0 IS portmojo.com
HELO 0 IS preciseinc.com
HELO 0 IS randycramer.com
HELO 0 IS raritancontainer.com
HELO 0 IS reymore.com
HELO 0 IS salinalibrary.org
HELO 0 IS salisburymotorcar.com
HELO 0 IS saturnwatertown.com
HELO 0 IS skinnerauto.com
HELO 0 IS skinnerdamulis.com
HELO 0 IS skipparsons.com
HELO 0 IS slivinski.com
HELO 0 IS standardweb.com
HELO 0 IS standrewsalbany.org
HELO 0 IS targetcny.com
HELO 0 IS thebrambles.com
HELO 0 IS tripolipi.com
HELO 0 IS mail.alanbyervolvo.com
HELO 0 IS mail.albanynylawyer.com
HELO 0 IS mail.artsleague.org
HELO 0 IS mail.changingspacesgallery.com
HELO 0 IS mail.cjscaramerica.com
HELO 0 IS mail.confirminc.com
HELO 0 IS mail.conversionvans.net
HELO 0 IS mail.coopergroup.com
HELO 0 IS mail.cweaver.com
HELO 0 IS mail.dailygrind.com
HELO 0 IS mail.deejaynet.com
HELO 0 IS mail.doostore.com
HELO 0 IS mail.gmauburnautomall.com
HELO 0 IS mail.hartnettlawoffices.com
HELO 0 IS mail.hhfd.org
HELO 0 IS mail.hlford.com
HELO 0 IS mail.humphreyfam.com
HELO 0 IS mail.igaia.com
HELO 0 IS mail.inglesperformance.com
HELO 0 IS mail.larkstreetcomputers.com
HELO 0 IS mail.mercurios.com
HELO 0 IS mail.merrittseed.com
HELO 0 IS mail.missionmeadows.org
HELO 0 IS mail.murrellfam.com
HELO 0 IS mail.ndimensional.org
HELO 0 IS mail.net-arts.org
HELO 0 IS mail.nyautos.com
HELO 0 IS mail.nycars.com
HELO 0 IS mail.nyeauto.com
HELO 0 IS mail.paolozzi.com
HELO 0 IS mail.peckspages.com
HELO 0 IS mail.plumberboy.com
HELO 0 IS mail.portmojo.com
HELO 0 IS mail.preciseinc.com
HELO 0 IS mail.randycramer.com
HELO 0 IS mail.raritancontainer.com
HELO 0 IS mail.reymore.com
HELO 0 IS mail.salinalibrary.org
HELO 0 IS mail.salisburymotorcar.com
HELO 0 IS mail.saturnwatertown.com
HELO 0 IS mail.skinnerauto.com
HELO 0 IS mail.skinnerdamulis.com
HELO 0 IS mail.skipparsons.com
HELO 0 IS mail.slivinski.com
HELO 0 IS mail.standardweb.com
HELO 0 IS mail.standrewsalbany.org
HELO 0 IS mail.targetcny.com
HELO 0 IS mail.thebrambles.com
HELO 0 IS mail.tripolipi.com
# FORGEDHELO-IP
# Last Update: 09/23/2003
#
# Description:
# This filter is designed to detect senders that forge the receiving mail server's IP in
# the HELO as the name of the sending server. There are no valid reasons to forge a local
# IP, and therefore this test should be scored for automatic rejection.
#
# Usage:
# Based on a fail weight of 10.
#
# -----Global.cfg-----
# FORGEDHELO-IP filter C:\IMail\Declude\ForgedHELO-IP.txt x 15 0
#
# False Positives:
# Intra-network software configured improperly to use the IP as the hostname in HELO. Dimac
# JMail and MIME::Lite have shown this behavior.
#
# Counterbalances:
# Negative weighting is applied for intra-network devices, software or Web sites that by
# default use or are configured to use an IP in the ranges defined in this filter.
#
# Test Exclusions:
# None by default.
#HELO -15 CONTAINS x.x.x.x
#
# Filter Matches:
# IP addresses that are configured for use on the mail server. CIDR ranges may not be used
# as this filter is designed to detect text strings and not actual addresses. Class C ranges
# can be specified by leaving off the trailing octet. The reserved localhost address is also
# included.
#HELO 0 CONTAINS x.x.x. (whole Class C)
#HELO 0 CONTAINS x.x.x.x (single addresses)
HELO 0 CONTAINS 127.0.0.1
HELO 0 CONTAINS 208.7.179.
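The following is an added example, not part of Matt's attached filters and not Declude's own code: a small evaluator for the HELO / HEADERS line syntax both files use, run over constructed HELO strings and headers so the IS-versus-CONTAINS behaviour and the Mozilla counterbalance can be checked offline. The scoring model is an assumption made for the example (the filter's global.cfg weight, 7 for FQDN and 15 for IP, is added once when any weight-0 line matches, and the nonzero "counterbalance" lines are added only in that case); example.com is a placeholder domain, while 127.0.0.1 and 208.7.179. are the values the FORGEDHELO-IP file lists.

```python
from dataclasses import dataclass

# Constructed filter texts in the same line syntax as the attached files.
# example.com is a placeholder; the IP values are the ones FORGEDHELO-IP lists.
FQDN_FILTER = """\
# FORGEDHELO-FQDN (constructed sample)
HEADERS -7 CONTAINS mozilla
HELO 0 IS example.com
HELO 0 IS mail.example.com
"""
IP_FILTER = """\
# FORGEDHELO-IP (constructed sample)
HELO 0 CONTAINS 127.0.0.1
HELO 0 CONTAINS 208.7.179.
"""

@dataclass
class FilterLine:
    field: str    # HELO or HEADERS
    weight: int   # 0 = trigger line; the filter's global.cfg weight applies (assumed model)
    op: str       # IS (exact) or CONTAINS (substring)
    value: str

def parse_filter(text):
    """Parse 'FIELD WEIGHT OP VALUE' lines; anything after '#' is a comment."""
    parsed = []
    for raw in text.splitlines():
        body = raw.split("#", 1)[0].strip()
        if not body:
            continue
        field, weight, op, value = body.split(None, 3)
        parsed.append(FilterLine(field.upper(), int(weight), op.upper(), value))
    return parsed

def line_matches(fl, helo, headers):
    """Case-insensitive test of one filter line against the HELO name or the header block."""
    subject = helo if fl.field == "HELO" else "\n".join(headers)
    subject, needle = subject.strip().lower(), fl.value.strip().lower()
    if fl.op == "IS":          # explicit match, as the FQDN file recommends
        return subject == needle
    if fl.op == "CONTAINS":    # plain substring match, as the IP file relies on
        return needle in subject
    raise ValueError(f"unsupported operator {fl.op}")

def score_filter(filter_text, global_weight, helo, headers):
    """Return (score, matched lines) for one filter under the assumed model:
    global_weight is added once if any weight-0 line matches, and the nonzero
    (counterbalance) lines are added only when such a trigger matched."""
    matched = [fl for fl in parse_filter(filter_text) if line_matches(fl, helo, headers)]
    if not any(fl.weight == 0 for fl in matched):
        return 0, []
    score = global_weight + sum(fl.weight for fl in matched if fl.weight != 0)
    return score, [(fl.field, fl.op, fl.value) for fl in matched]

def score_message(helo, headers):
    """Run both filters with the weights from the global.cfg lines (7 and 15)."""
    fqdn_score, _ = score_filter(FQDN_FILTER, 7, helo, headers)
    ip_score, _ = score_filter(IP_FILTER, 15, helo, headers)
    return fqdn_score + ip_score

if __name__ == "__main__":
    # Constructed sample sessions: (HELO argument, header lines).
    samples = [
        ("mail.example.com", ["From: bob@example.com"]),          # forged FQDN, no counterbalance
        ("Mail.Example.COM", ["X-Mailer: Mozilla 4.7"]),          # forged FQDN, Mozilla client
        ("[208.7.179.20]", []),                                   # local IP in brackets
        ("1208.7.179.5", []),                                     # CONTAINS side effect
        ("mx.other.example", ["User-Agent: Mozilla/5.0"]),        # legitimate remote host
    ]
    for helo, headers in samples:
        print(f"{helo:20} -> {score_message(helo, headers)}")
```

The fourth sample shows the cost of the CONTAINS operator that the IP file describes: dropping the trailing octet to cover a whole Class C also matches any HELO string that merely contains those characters, so a string such as 1208.7.179.5 scores as if it were local. With a fail weight of 10, a single IP match (15) rejects on its own, while an FQDN match (7) from a Mozilla client nets 0, which is the counterbalance the FQDN file's comments describe.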
