I guess my rules aren't quite to the point where I can clearly separate the legit mail with bogus HELOs from the spam....without relying on other tests in a weighting system. That's why it wouldn't work for me to block on this alone.
Perhaps you have some better rules in place that some of us are not familiar with and could utilize?

For example, I just saw one tonight that forged one of our domains as the HELO, but didn't get detected. I thought there was a test to check the HELO against the Reverse DNS?

Darin.

----- Original Message -----
From: "Bill Landry" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Wednesday, October 20, 2004 8:48 PM
Subject: Re: [Declude.JunkMail] Random Helo strings

----- Original Message -----
From: "Kevin Bilbee" <[EMAIL PROTECTED]>

> Darin got it correct. I was pointing this out because some on this list
> suggested that blocking an email that has an ip for its hello is not a good
> way to block spam. I personally think it is.
>
> Using HELOISIP or CONTAINSIP is a valid blocking method. If the ip is well
> formed [x.x.x.x] I check it against the ip of the connecting servers ip
> address if they match I let it through, do not get many spams this way.
> Yesterday 346 messages were ip addresses as the helo that is 9% of our
> total volume.
>
> And posting the methods the spammers are using to try to get past spam
> blocking is definitely an interest to us all.

Maybe so. But I just think that there are some clear telltale signs of spam, and that if they are found, then why not simply reject the message right then and move on. Why do you need further validation that the message is spam?

Anyway, just my 2 cents...

Bill

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---
This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com.
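An added example, not part of the original thread and not Declude's HELOISIP or CONTAINSIP code: the HELO checks discussed above (bracketed IP literal compared with the connecting address, IP embedded in the name, one of our own domains offered by an outside host) written out in Python. The function name, the result labels and the `local_domains` parameter are assumptions of this example, and the reverse-DNS comparison is left out because it needs a live lookup.

```python
import ipaddress
import re

# Bracketed IPv4 literal: the "well formed [x.x.x.x]" case from the thread.
LITERAL = re.compile(r"^\[(\d{1,3}(?:\.\d{1,3}){3})\]$")
# Four octets joined by dots or dashes inside a hostname (dsl-203-0-113-5...).
EMBEDDED = re.compile(r"(?<!\d)(\d{1,3})[.-](\d{1,3})[.-](\d{1,3})[.-](\d{1,3})(?!\d)")


def _ipv4(text):
    """Return an IPv4Address, or None if text is not a valid dotted quad."""
    try:
        return ipaddress.IPv4Address(text)
    except ValueError:
        return None


def classify_helo(helo, peer_ip, local_domains=()):
    """Label a HELO argument; labels and local_domains are this example's own."""
    helo = helo.strip().rstrip(".").lower()
    peer = ipaddress.ip_address(peer_ip)
    m = LITERAL.match(helo)
    if m:
        # Rule from the thread: a literal equal to the connecting address passes.
        return "literal-match" if _ipv4(m.group(1)) == peer else "literal-mismatch"
    if _ipv4(helo) is not None:
        return "bare-ip"  # an IP without brackets is not a valid address literal
    if any(helo == d or helo.endswith("." + d) for d in local_domains):
        # One of our own names offered by an outside host (the forged HELO case).
        return "ok" if peer.is_loopback else "forged-local"
    for m in EMBEDDED.finditer(helo):
        if _ipv4(".".join(m.groups())) is not None:
            return "contains-ip"
    return "ok"


# Constructed sample sessions: (HELO argument, connecting IP).
SAMPLES = [
    ("[192.0.2.10]", "192.0.2.10"),
    ("[192.0.2.10]", "198.51.100.7"),
    ("192.0.2.10", "192.0.2.10"),
    ("dsl-203-0-113-5.example.net", "203.0.113.5"),
    ("mail.example.org", "198.51.100.7"),
    ("mx1.example.com", "192.0.2.99"),
]

if __name__ == "__main__":
    for helo, ip in SAMPLES:
        print(f"{helo:30} {ip:14} {classify_helo(helo, ip, ['example.org'])}")
```

Whether a label leads to an outright reject or only adds weight to a score is the policy question the thread is arguing about; the function only reports what it saw.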
