Andrew - Supernews wrote:
> "Bill" == Bill Hacker <[EMAIL PROTECTED]> writes:
*SNIP*
> It is a _NORMAL_ case for the HELO domain to be different to the domain
'Not uncommon', yes. Dunno if 'Normal' fits so well w/r MTAs.
*SNIP*
> However, and this is the important point, looking for multiple different
> HELO values from a single ip is a _MASSIVELY_ effective way of detecting
apparent ? potential ?
> spam sources. If you configure your server to use a variable HELO then
> you _will_, sooner or later, find that people end up blocking you as a
> result.
'To be determined'. Or if they are of concern to our clients.
We only recently began allowing traffic to/from yahooligans, AOL,
msn, and the like. Used to have to just block 'em. Both ways.
> If you've never used this method of detecting spam (and it takes
> a fairly large mail flow into several domains to really do it right)
The technique you outline should be applicable even on very light
traffic, from a single active zombie up. One bad-actor at a time.
While it is not required to be aware that said source is also being
rude to the neighbors, I suspect they would already be in RBLs.
Our rejectlog shows *many* quite obvious spam-bots that such a
test would (also) flag.
But - they were caught without any need of retaining/comparing
IP or helo information or investing DB resources,
.. and before 'expensive' external RBL or SA checks,
...arguably with a lower false-positive rate as well.
Rationale for that statement?
Most of the truants abandoned the connection in the first 30-45 seconds
of their *first* jail term, 'didn't last a minute' IOW.
Well-behaved MTA are more patient than the average spam engine.
> you would not believe how amazingly effective it can be.
Compare it with the rejectlog from any/all other tools,
and it should be clear that it is potentially VERY effective.
However - compare it with the mainlog on the same criteria and note
that it might be more problematic w/r false-positives than other
approaches - most of which are simpler / lower maintenance.
YMMV, YOCD
BTW - 'supernews.net' ?
Interesting concept, that of charging a subscription fee for usenet access.
Perhaps someone there would be interested in packaging our Hong Kong
air and selling it? Thick enough to pass for curry powder.... ;-)
Bill
--
## List details at http://www.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://www.exim.org/eximwiki/
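The two checks argued over above, as an added example that is not code from the thread, from Exim, or from either poster. It runs over constructed log lines written in Exim's `H=hostname (helo) [ip]` style (the HELO is shown in parentheses only when it differs from the host name, and the host name is missing when reverse DNS failed). Andrew's check is `variable_helo_sources()`: one client IP presenting several different HELO names. Bill's observation is `impatient_clients()`: clients whose connection is "lost" within the first minute, i.e. before a delay would have expired, where a real MTA would have waited. The `threshold` of three distinct names and the 60-second window are assumed tuning values, not anything the posters specified; the sample includes a NAT gateway with two desktops behind it to show why a threshold of two would already produce the false positive Bill warns about.

```python
"""Added example: two spam-source heuristics from the exim-users thread,
run over constructed Exim-style log lines (not real traffic)."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in Exim mainlog/rejectlog style. Addresses are from the
# documentation ranges; the hosts, names and message ids are made up.
SAMPLE_LOG = """\
2005-05-10 09:00:01 SMTP connection from [192.0.2.10]
2005-05-10 09:00:03 1DVabc-000123-4X <= alice@example.org H=mx1.example.org [192.0.2.10] P=esmtp S=1402
2005-05-10 09:01:15 SMTP connection from mx1.example.org [192.0.2.10] closed by QUIT
2005-05-10 09:02:00 1DVabc-000124-5Y <= bob@example.net H=smtp-out.example.net (smtp.example.net) [203.0.113.5] P=esmtp S=2210
2005-05-10 09:03:00 1DVabc-000125-6Z <= carol@corp.example H=gw.corp.example (desk1.corp.example) [203.0.113.9] P=esmtp S=900
2005-05-10 09:03:30 1DVabc-000126-7A <= dave@corp.example H=gw.corp.example (desk2.corp.example) [203.0.113.9] P=esmtp S=910
2005-05-10 09:05:00 SMTP connection from [198.51.100.7]
2005-05-10 09:05:03 H=(mail.example.com) [198.51.100.7] F=<x@spam.test> rejected RCPT <u@example.net>: relay not permitted
2005-05-10 09:05:20 SMTP connection from (mail.example.com) [198.51.100.7] lost
2005-05-10 09:06:00 SMTP connection from [198.51.100.7]
2005-05-10 09:06:02 H=(friend.example.org) [198.51.100.7] F=<a@spam.test> rejected RCPT <v@example.net>: relay not permitted
2005-05-10 09:06:25 SMTP connection from (friend.example.org) [198.51.100.7] lost
2005-05-10 09:07:00 H=(localhost) [198.51.100.7] F=<c@spam.test> rejected RCPT <w@example.net>: relay not permitted
"""

TS_FMT = "%Y-%m-%d %H:%M:%S"

# H=hostname (helo) [ip]: the "(helo)" part is omitted when the HELO matches
# the host name, and the host name is omitted when reverse DNS failed.
HOST_RE = re.compile(
    r"H=(?:(?P<host>[^\s()\[\]]+) )?(?:\((?P<helo>[^)]*)\) )?\[(?P<ip>[^\]]+)\]"
)
# "SMTP connection from [ip]" opens; "... lost" / "... closed by QUIT" ends one.
CONN_RE = re.compile(
    r"SMTP connection from (?:\S+ )?(?:\([^)]*\) )?\[(?P<ip>[^\]]+)\](?P<tail>.*)$"
)


def parse_line(line):
    """Return (timestamp, ip, helo_or_None, event) or None for lines we ignore.
    event is 'connect', 'lost', 'closed' or 'smtp' (a line carrying an H= field)."""
    line = line.rstrip()
    try:
        ts = datetime.strptime(line[:19], TS_FMT)
    except ValueError:
        return None
    m = CONN_RE.search(line)
    if m:
        tail = m.group("tail").strip()
        if tail.startswith("lost"):
            event = "lost"
        elif tail.startswith("closed"):
            event = "closed"
        else:
            event = "connect"
        return ts, m.group("ip"), None, event
    m = HOST_RE.search(line)
    if m:
        # No parenthesised HELO means Exim found it equal to the host name.
        helo = m.group("helo") if m.group("helo") is not None else m.group("host")
        return ts, m.group("ip"), helo, "smtp"
    return None


def helo_names_by_ip(log_text):
    """Map each client IP to the set of distinct HELO names it presented."""
    names = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec[2] is not None:
            names[rec[1]].add(rec[2])
    return names


def variable_helo_sources(log_text, threshold=3):
    """Andrew's check: IPs presenting at least `threshold` different HELO names.
    A NAT gateway fronting several legitimate hosts trips a low threshold."""
    return {ip: sorted(h) for ip, h in helo_names_by_ip(log_text).items()
            if len(h) >= threshold}


def impatient_clients(log_text, max_seconds=60):
    """Bill's check: IPs whose connection was 'lost' (client went away) less
    than max_seconds after opening. Connections closed by QUIT are not counted."""
    open_conns = defaultdict(list)
    short = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec:
            continue
        ts, ip, _, event = rec
        if event == "connect":
            open_conns[ip].append(ts)
        elif event in ("lost", "closed") and open_conns[ip]:
            started = open_conns[ip].pop(0)  # match the oldest open connection
            if event == "lost":
                seconds = (ts - started).total_seconds()
                if seconds < max_seconds:
                    short[ip].append(seconds)
    return dict(short)


if __name__ == "__main__":
    for ip, helos in variable_helo_sources(SAMPLE_LOG).items():
        print(f"{ip}: {len(helos)} distinct HELO names {helos}")
    for ip, secs in impatient_clients(SAMPLE_LOG).items():
        print(f"{ip}: dropped connection after {secs} seconds")
```

Run stand-alone it flags 198.51.100.7 on both counts (three HELO names, two connections dropped after 20 and 25 seconds), while 192.0.2.10 waited and QUIT cleanly and 203.0.113.5 is Andrew's "normal" case of a HELO that merely differs from the reverse name. Dropping `threshold` to 2 also flags 203.0.113.9, the gateway with two desktops behind it, which is the false-positive side Bill raises; the impatience check never sees that IP at all.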