I think we're missing the point here. Kevin wasn't asking about how to block this particular HELO string, or even its pattern, but instead pointing out that spammers have code in place to randomly generate numbers for the IP. This spammer had a failure that revealed the code...it looks like in this case that the spammer uses a function to randomly generate 2-digit numbers for each octet of the IP.
Darin. ----- Original Message ----- From: "Bill Landry" <[EMAIL PROTECTED]> To: <[EMAIL PROTECTED]> Sent: Wednesday, October 20, 2004 8:59 PM Subject: Re: [Declude.JunkMail] Random Helo strings ----- Original Message ----- From: "Kevin Bilbee" <[EMAIL PROTECTED]> To: <[EMAIL PROTECTED]> Sent: Wednesday, October 20, 2004 5:53 PM Subject: RE: [Declude.JunkMail] Random Helo strings > Brackets are perfectly valid in the host name if they wrap an ip address. > [xxx.xxx.xxx.xxx]. I have seen this only from valid sources and if I > remember correctly HELOBOGUS will pass a wellformed ip address. Yes, this is correct. However, what you presented was not an IP address, it was bracketed letters: <rnddg[2]>.<rnddg[2]>.<rnddg[2]>.<rnddg[2]> This is clearly not a valid hostname, bracketed or not. In face, even if all of the letter above were numbers, in the format shown about, it is still not a valid bracketed IP address. Bill --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com.
