Well, in the few minutes since I implemented logging for HELO/PTR TLD mismatch,
I see the following:
- It's catching a lot of viruses. Looks like SoBig's SMTP engine
uses the sender domain as the HELO argument:
  Feb 4 11:08:00 www mimedefang.pl[27235]: i14G7x8l027681: TLD Mismatch: Host 209.42.42.222 said HELO entelchile.net, but name is user222.209.42.42.dsli.com
  Feb 4 11:08:00 www mimedefang.pl[27235]: i14G7x8l027681: Rejected: Virus Worm.SCO.A - handler Discard
- Unfortunately, it did trigger for one valid message.
- I also had to exempt my own host from the check. :-)
  Feb 4 10:24:43 www mimedefang.pl[27235]: TLD Mismatch: Host 127.0.0.1 said HELO www.roaringpenguin.com, but name is localhost.localdomain
Definitely looks like it's worth a few points in SpamAssassin. And
from what I see, if the HELO argument is the same as the sender's domain,
and there's a mismatch, you're very likely looking at MyDoom.
Regards,
David.
_______________________________________________
Visit http://www.mimedefang.org and http://www.canit.ca
MIMEDefang mailing list
[EMAIL PROTECTED]
http://lists.roaringpenguin.com/mailman/listinfo/mimedefang
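The check described in the post above, as an added stand-alone example that is not part of the original message and not MIMEDefang's own filter code: it compares the top-level label of the HELO argument with that of the client's reverse-DNS (PTR) name, exempts the local host (the case the author had to special-case), skips address literals and bare IPs where there is no TLD to compare, and notes when the HELO argument equals the envelope sender's domain. The record types, function names, point values, queue IDs and sample sessions are all constructed for this example; in a real milter the PTR name would come from the MTA's reverse lookup rather than be supplied inline.

```python
"""HELO/PTR top-level-domain mismatch check (added example, not MIMEDefang code).

Reimplements the heuristic from the post as plain Python: compare the TLD of
the HELO/EHLO argument with the TLD of the client's PTR name, exempt the local
host, and flag HELO == sender domain.  Names, points and samples are constructed.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Hosts the check must never fire on; the post's own host connects from
# 127.0.0.1 as localhost.localdomain.  Constructed default.
DEFAULT_EXEMPT_IPS = frozenset({"127.0.0.1", "::1"})

# SpamAssassin-style points.  Constructed values, not ones the post recommends:
# a plain mismatch scores a little, HELO == sender domain plus mismatch more.
MISMATCH_POINTS = 1.5
MISMATCH_SENDER_DOMAIN_POINTS = 3.0


@dataclass(frozen=True)
class SmtpSession:
    """One inbound connection as a milter would see it (constructed record)."""
    queue_id: str
    client_ip: str
    helo: str
    ptr_name: Optional[str]  # reverse-DNS name from the MTA; None if unresolvable
    sender: str              # envelope MAIL FROM address


@dataclass(frozen=True)
class HeloCheckResult:
    mismatch: bool
    helo_tld: Optional[str]
    ptr_tld: Optional[str]
    helo_is_sender_domain: bool
    reason: str


def tld_of(name: Optional[str]) -> Optional[str]:
    """Lowercase top-level label, or None when there is nothing to compare:
    empty/unresolved names, address literals like HELO [192.0.2.1], bare IPs,
    and single-label names."""
    if not name:
        return None
    name = name.strip().rstrip(".").lower()
    if name.startswith("[") and name.endswith("]"):
        return None
    try:
        ipaddress.ip_address(name)
        return None
    except ValueError:
        pass
    labels = name.split(".")
    return labels[-1] if len(labels) >= 2 else None


def sender_domain(sender: str) -> str:
    """Domain part of an envelope sender: '<x@EntelChile.net>' -> 'entelchile.net'."""
    return sender.strip().strip("<>").rpartition("@")[2].lower()


def check_helo_ptr(sess: SmtpSession, exempt_ips=DEFAULT_EXEMPT_IPS) -> HeloCheckResult:
    """Apply the TLD-mismatch heuristic to one session."""
    helo_tld = tld_of(sess.helo)
    ptr_tld = tld_of(sess.ptr_name)
    same_as_sender = sess.helo.strip().rstrip(".").lower() == sender_domain(sess.sender)
    if sess.client_ip in exempt_ips:
        return HeloCheckResult(False, helo_tld, ptr_tld, same_as_sender, "exempt host")
    if helo_tld is None or ptr_tld is None:
        return HeloCheckResult(False, helo_tld, ptr_tld, same_as_sender, "no TLD to compare")
    if helo_tld == ptr_tld:
        return HeloCheckResult(False, helo_tld, ptr_tld, same_as_sender, "TLDs agree")
    return HeloCheckResult(True, helo_tld, ptr_tld, same_as_sender, "TLD mismatch")


def points_for(result: HeloCheckResult) -> float:
    if not result.mismatch:
        return 0.0
    return MISMATCH_SENDER_DOMAIN_POINTS if result.helo_is_sender_domain else MISMATCH_POINTS


def log_line(sess: SmtpSession, result: HeloCheckResult) -> str:
    """Render a line in the shape of the post's mimedefang.pl log entries."""
    if not result.mismatch:
        return f"{sess.queue_id}: HELO check: {result.reason}"
    suffix = " (HELO equals sender domain)" if result.helo_is_sender_domain else ""
    return (f"{sess.queue_id}: TLD Mismatch: Host {sess.client_ip} said HELO "
            f"{sess.helo}, but name is {sess.ptr_name}{suffix}")


# Constructed sessions: the first two mirror the post's log lines, the rest
# exercise cases the check must not fire on.
SAMPLE_SESSIONS = [
    SmtpSession("i14G7x8l027681", "209.42.42.222", "entelchile.net",
                "user222.209.42.42.dsli.com", "<someone@entelchile.net>"),
    SmtpSession("i14FOhxx000001", "127.0.0.1", "www.roaringpenguin.com",
                "localhost.localdomain", "<postmaster@roaringpenguin.com>"),
    SmtpSession("i14Gaaaa000002", "192.0.2.10", "mail.example.org",
                "mail.example.org", "<alice@example.org>"),
    SmtpSession("i14Gbbbb000003", "198.51.100.7", "[198.51.100.7]",
                None, "<bob@example.net>"),
]


def run_samples(sessions=SAMPLE_SESSIONS):
    """Return (session, result, points) for each sample."""
    return [(s, r, points_for(r)) for s in sessions for r in [check_helo_ptr(s)]]


if __name__ == "__main__":
    for sess, result, pts in run_samples():
        print(f"{log_line(sess, result)}  [+{pts}]")
```

The exemption is keyed on the client IP rather than the HELO string so that a remote host claiming to be the server's own name still gets checked; only the loopback connection the author mentions is skipped.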