Brackets are perfectly valid in the host name if they wrap an IP address: [xxx.xxx.xxx.xxx]. I have seen this only from valid sources, and if I remember correctly HELOBOGUS will pass a well-formed IP address.

Kevin Bilbee

> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] Behalf Of Bill Landry
> Sent: Wednesday, October 20, 2004 5:38 PM
> To: [EMAIL PROTECTED]
> Subject: Re: [Declude.JunkMail] Random Helo strings
>
>
> ----- Original Message -----
> From: "Matt" <[EMAIL PROTECTED]>
>
> > There is great value in knowing these patterns, and simply having a
> > bogus HELO is not enough to consider something as being spam.
>
> In this case I think it is good enough to consider it spam. It is not an
> RFC compliant helo hostname, and only a spammer is going to include
> something like brackets "[]" and greater-than/less-than "<>" symbols in
> their hostname. That's good enough for me to reject delivery on. To me
> it's no different than a spammer trying to send me mail and using my
> server's hostname or IP address as their own helo hostname - I
> reject these
> outright.
>
> > When spammers randomize header elements, they actually create patterns
> > that can be tracked. This is ever evolving. Clearly we know about the
> > use of the MX's IP as the HELO, and also the use of the reverse DNS
> > entry as the HELO, and now it appears that there might be a different
> > pattern of some sort in use by at least one spammer.
>
> My feeling is why bother. Why expend the resources to process something
> that you know is spam? Anyway, I respect all of your opinions, this one
> just happens to be mine, and I'm sticking by it... ;-)
>
> Bill
>
> ---
> [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---
This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com.
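
The distinction discussed in this thread, between a bracketed IP address (the SMTP address-literal form, RFC 5321 section 4.1.3) and a HELO string that merely contains brackets or angle brackets, can be checked mechanically. The following is an added example, not part of the original thread and not Declude's HELOBOGUS logic; the function name `classify_helo` and all sample values are constructed for illustration.

```python
import ipaddress
import re

# One DNS label: letters, digits, hyphens; no leading or trailing hyphen.
_LABEL = re.compile(r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?")


def classify_helo(arg: str) -> str:
    """Classify a HELO/EHLO argument (hypothetical helper).

    Returns 'address-literal', 'domain', 'bare-ip' or 'malformed'.
    """
    # Bracketed form: valid only if the brackets wrap a real IP address.
    if arg.startswith("[") and arg.endswith("]"):
        inner = arg[1:-1]
        try:
            if inner.lower().startswith("ipv6:"):
                ipaddress.IPv6Address(inner[5:])
            else:
                ipaddress.IPv4Address(inner)
        except ValueError:
            return "malformed"
        return "address-literal"
    # An IP address without brackets is not an address literal.
    try:
        ipaddress.IPv4Address(arg)
        return "bare-ip"
    except ValueError:
        pass
    # Otherwise every dot-separated label must be a well-formed DNS label.
    if arg and len(arg) <= 255 and all(_LABEL.fullmatch(p) for p in arg.split(".")):
        return "domain"
    return "malformed"


if __name__ == "__main__":
    # Constructed sample HELO strings (documentation addresses and names).
    for sample in ["[192.0.2.10]", "[IPv6:2001:db8::1]", "mail.example.com",
                   "<[abc123]>", "[not.an.ip]", "192.0.2.10"]:
        print(f"{sample:22} {classify_helo(sample)}")
```

Only the `malformed` class corresponds to the non-compliant strings described in the quoted message; a filter that rejects on any bracket would also reject the valid `address-literal` form.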
