> From: "Hill Ruyter"
> I am getting a lot of mail recently that is passing my HELO tests and
> callouts
> but it has clear fakery that I could test for if I knew how

That's not the only suspicious sign. I don't get such spam (with different From and envelope-from) thanks to other tests. But I get messages I need with my email address in From and a different envelope-from.

> Received: from [74.72.203.118] (helo=cpe-74-72-200-118.nyc.res.rr.com)

Here $sender_host_name is empty because cpe-74-72-200-118.nyc.res.rr.com resolves to 74.72.200.118, not 74.72.203.118. Besides, the "74-72-200-118" part of $sender_helo_name is also suspicious (looks like a dynamic IP address).

Both these suspicions in my opinion don't warrant an outright "deny" (because that's fraught with false positives), but in such cases I greylist, which works in practice, even without callouts.

I attached parts of my config (performing these checks among others) to http://wiki.exim.org/DbLessGreyListingRun

That greylisting implementation is very simple, without SQL and such: just create a directory and a cronjob, use the attached config snippets and it works. Ham (messages I need) is not delayed because I greylist only suspicious messages.

--
## List details at http://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
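As an added example (not from this thread and not the config snippets on the linked wiki page), here is the same pair of suspicion checks written as stand-alone detection logic in Python: a connecting host with no verified reverse name, and a HELO name that embeds an address, which is then compared with the connecting address. The Received lines, function names, and the choice to pass the equivalent of $sender_host_name in as a parameter are assumptions made for the example; the verdict is "greylist" rather than "deny", as the reply recommends.

```python
import re
from ipaddress import ip_address

# Constructed sample Received lines in the shape quoted in the thread.
SAMPLES = {
    "mismatch":   "Received: from [74.72.203.118] (helo=cpe-74-72-200-118.nyc.res.rr.com)",
    "consistent": "Received: from [74.72.200.118] (helo=cpe-74-72-200-118.nyc.res.rr.com)",
    "static":     "Received: from [192.0.2.10] (helo=mail.example.net)",
}

RECEIVED_RE = re.compile(r"from \[(?P<ip>[^\]]+)\] \(helo=(?P<helo>[^)\s]+)\)")
# Four numeric labels joined by '-' or '.', e.g. the "74-72-200-118" part of the HELO name.
EMBEDDED_IP_RE = re.compile(
    r"(?<![0-9])(\d{1,3})[-.](\d{1,3})[-.](\d{1,3})[-.](\d{1,3})(?![0-9])")


def parse_received(line):
    """Return (connecting_ip, helo_name) from an Exim-style Received line."""
    m = RECEIVED_RE.search(line)
    if not m:
        raise ValueError("unrecognised Received line")
    ip = m.group("ip").removeprefix("IPv6:")  # tolerate a bracketed IPv6 form
    return ip, m.group("helo").lower()


def embedded_ip(helo):
    """Return the address embedded in a dynamic-looking HELO name, or None."""
    m = EMBEDDED_IP_RE.search(helo)
    if not m:
        return None
    try:
        return ip_address(".".join(m.groups()))
    except ValueError:  # labels that are not a valid dotted quad (e.g. 999-1-2-3)
        return None


def assess(line, sender_host_name):
    """Return ('greylist', reasons) or ('accept', []).

    sender_host_name plays the role of Exim's $sender_host_name (assumption):
    empty when the connecting address has no verified reverse DNS name.
    """
    ip, helo = parse_received(line)
    reasons = []
    if not sender_host_name:
        reasons.append("no verified reverse DNS name for connecting host")
    emb = embedded_ip(helo)
    if emb is not None:
        reasons.append("HELO name looks dynamic (embeds an address)")
        if emb != ip_address(ip):
            reasons.append("embedded %s differs from connecting %s" % (emb, ip))
    return ("greylist" if reasons else "accept"), reasons
```

Only a "greylist" verdict is produced for suspicious input, so a false positive costs a delay rather than a lost message.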
