On Thu, Dec 07, 2006 at 03:16:53AM -0800, John Rudd wrote:
> >If either the HELO or
> >the envelope sender domain points back at the sending IP, it is
> >also allowed. Unless, of course, either of those are generic rDNS
> >or [] bracketed IP constructs.
>
> If you can make the second part work (sender's domain points back to the
> sending IP), I'd be happy to incorporate it as an option to the main

Cool. I'll send you a patch if I get it working.

> code base. I'm not sure I'd care about what the HELO string says,
> though. If it's a botnet sender, it could fake the HELO string. But if
> the sender's domain really does resolve back to that host, that's a very
> good indication that we've got a real mail server sitting on a bad IP addr.

Of course it could fake the HELO. The idea is that it doesn't help to
send the reverse DNS name again, but it might send some other domain
that can be linked to the sending IP. If it's part of a botnet, it is
unlikely to have another forward DNS entry pointing to it. And if it
has, there's more proof that the owner of the domain is facilitating
spammers.

Current practice seems to show that the HELO is usually a lone hostname,
so that's not going to help. To get around this, the spammer will have
to update his DNS zone and include all botnet IPs somewhere. We'll deal
with that when it gets that far :)

I'll include it, configurable, OK? :)

> (where's the spamtools mailing list?)

http://www.abuse.net/spamtools.html

traffic is varying, usually low to extremely low, sometimes no messages
in months, sometimes several dozen messages a day if a particularly
controversial subject has been hit.

Hm, there's an online archive, but now I cannot find the message where
this idea of checking HELO and envelope sender originated. I believe RfG
mentioned it... but it'd take too much time right now to search all of
his posts in my current archive.

-- 
Jan-Pieter Cornet <[EMAIL PROTECTED]>
!! Disclaimer: The addressee of this email is not the intended recipient. !!
!! This is only a test of the echelon and data retention systems. Please  !!
!! archive this message indefinitely to allow verification of the logs.   !!
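The exemption discussed in this thread (allow a sender whose HELO name or envelope sender domain resolves forward to the connecting IP, unless that name is generic rDNS or a bracketed IP) can be sketched as follows. This is an added example, not part of the original message and not code from the plugin or MIMEDefang; `SAMPLE_DNS`, `sample_resolve`, `exempting_name` and the generic-rDNS regex are assumptions made for illustration.

```python
import ipaddress
import re

# Constructed forward-DNS answers (RFC 5737 documentation addresses) so this runs offline.
SAMPLE_DNS = {
    "mail.example.org": {"192.0.2.25"},
    "example.org": {"192.0.2.25", "192.0.2.80"},
    "adsl-203-0-113-9.dyn.example.com": {"203.0.113.9"},
    "example.net": {"198.51.100.7"},
}

def sample_resolve(name):
    """Hypothetical resolver stub: hostname -> set of address strings."""
    return SAMPLE_DNS.get(name.lower().rstrip("."), set())

def is_ip_construct(name):
    """True for address literals such as [192.0.2.25], [IPv6:...] or a bare IP."""
    literal = name.strip("[]")
    if literal.lower().startswith("ipv6:"):
        literal = literal[5:]
    try:
        ipaddress.ip_address(literal)
        return True
    except ValueError:
        return False

def looks_generic(name, client_ip):
    """Assumed heuristic: generic rDNS embeds the client's last two octets side by side."""
    octets = client_ip.split(".")
    if len(octets) != 4:
        return False  # IPv6 clients are outside this heuristic
    a, b = octets[2], octets[3]
    pattern = rf"(?<!\d)(?:{a}[-._]{b}|{b}[-._]{a})(?!\d)"
    return re.search(pattern, name) is not None

def exempting_name(client_ip, helo, envelope_sender, resolve=sample_resolve):
    """Return the HELO name or sender domain whose forward DNS includes client_ip, else None."""
    sender_domain = envelope_sender.strip("<>").rpartition("@")[2]
    for name in (helo, sender_domain):
        # Bracketed IPs and generic rDNS names prove nothing, so they never exempt.
        if not name or is_ip_construct(name) or looks_generic(name, client_ip):
            continue
        if client_ip in resolve(name):
            return name.lower()
    return None
```

In a real filter the `resolve` argument would be backed by A/AAAA lookups with timeouts; whether the HELO name is consulted at all is the configurable part discussed in the message.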

