On Tue, 25 Nov 2003 10:40:09 -0800 Steve Thomas <[EMAIL PROTECTED]> wrote:
> On Tue, Nov 25, 2003 at 01:22:51PM -0500, Tony Bunce is rumored to have said:
> >
> > I have been seeing lots of spam like this getting through recently
> >
> > Anyone have any ideas how to reduce this type of spam from getting
> > through?
>
> I noticed that this guy's using our domain name as the argument to the
> HELO command during the SMTP transaction. So if the address he's
> spamming is [EMAIL PROTECTED], his ratware used "HELO example.com". None
> of our servers use just our domain name (they all use their fully
> qualified hostnames), so I added a custom rule which looked for
> "helo=example.com" in the Received: header and scored it at 200 points
> to overcome his using a whitelisted From: address (we've whitelisted
> [EMAIL PROTECTED]). Works like a charm.

If none of your mailservers HELO as example.com and your organization is
the only one that might legitimately send mail with that HELO, why bother
accepting the traffic at all? This sounds like a job for your MTA's
access list.

Bonus points for dropping mail from machines that HELO as your mail
server's dotted-IP address or as <localhost>.

-- Bob Apthorpe
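The check suggested in the reply above, written as a Python function (an added example, not part of the original thread and not any particular MTA's access-list syntax). The domain example.com comes from the thread; the IP addresses, the trusted-network exemption and the function names are assumptions made for illustration.

```python
import ipaddress

# example.com is the protected domain from the thread. The addresses below
# are constructed values from the documentation ranges, not real servers.
OWN_DOMAINS = {"example.com"}
OWN_SERVER_IPS = {ipaddress.ip_address("192.0.2.25")}
TRUSTED_NETS = [ipaddress.ip_network("192.0.2.0/24"),
                ipaddress.ip_network("127.0.0.0/8")]


def _as_ip(name):
    """Return the IP a HELO argument encodes (bare or [literal]), else None."""
    text = name.strip("[]")
    if text.startswith("ipv6:"):          # RFC 5321 IPv6 address literal tag
        text = text[5:]
    try:
        return ipaddress.ip_address(text)
    except ValueError:
        return None


def helo_verdict(client_ip, helo):
    """Return a rejection reason for a forged HELO, or None to accept."""
    client = ipaddress.ip_address(client_ip)
    if any(client in net for net in TRUSTED_NETS):
        return None                       # our own hosts are exempt
    # Normalise: HELO names are case-insensitive and may carry a root dot.
    name = helo.strip().rstrip(".").lower()
    if name in OWN_DOMAINS:
        return "HELO is our bare domain"
    if name in ("localhost", "localhost.localdomain"):
        return "HELO is localhost"
    ip = _as_ip(name)
    if ip is not None and ip.is_loopback:
        return "HELO is localhost"
    if ip is not None and ip in OWN_SERVER_IPS:
        return "HELO is our server's IP address"
    return None


if __name__ == "__main__":
    # Constructed (client IP, HELO argument) pairs.
    for peer, arg in [("203.0.113.7", "example.com"),
                      ("203.0.113.7", "[192.0.2.25]"),
                      ("203.0.113.7", "mail.example.net"),
                      ("192.0.2.10", "example.com")]:
        print(peer, arg, "->", helo_verdict(peer, arg) or "accept")
```

Unlike the 200-point content rule, a check like this runs at the HELO stage, so the message body is never accepted; the exemption for local networks matters because internal clients often HELO with short or loopback names.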