-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Charles Gregory writes:
> Hallo!
>
> Equally applicable to viruses and spam:
>
> I am seeing bogus received headers like the following. We are 'hwcn.org',
> of course, but the inside the parentheses domain is not hwcn.org related.
> I believe this means they have tried to 'HELO' as hwcn.org, but RDNS found
> their real domain name?
>
> Received: from hwcn.org (h24-81-114-183.vc.shawcable.net [24.81.114.183])
>   by host.hwcn.org (Postfix) with ESMTP id CCACE48233
>   for <[EMAIL PROTECTED]>; Thu, 25 Mar 2004 04:14:58 -0500 (EST)
>
> Would a test like the following work okay?
>
> header FAKHELO Received =~ /hwcn.org \(.*[(?!199\.212\.94\.[0-9]+).*]\)/i
>
> (where 199.212.94.? is our class C for the negative look-ahead)
>
> Or would I get false positives on this from badly configured mail
> clients? I can see not doing it the other way around. But particularly
> with the latest batch of viruses, this is a combination I wouldn't mind
> 'zapping'.....

Strongly recommended, BTW -- a lot of spamware does this, and so far only
Bayes can pick it up.

- --j.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)
Comment: Exmh CVS

iD8DBQFAYyp5QTcbUG5Y7woRAtvaAKDRetrds1uUxrlNX7r6SHJQmMaxhACeOOBZ
jRcOuMEF81ygcuUXQcT6JRQ=
=5/CL
-----END PGP SIGNATURE-----
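Added example (not from the thread or from SpamAssassin): a small Python check for the forged-HELO pattern discussed above. It parses the Postfix-style `from HELO (rDNS [IP])` clause of a Received header, flags a peer that claims the local domain in HELO while connecting from outside the local network, and contrasts the rule as posted with one that uses a real negative look-ahead. It assumes the domain and class C from the thread (`hwcn.org`, `199.212.94.0/24`) as defaults; the `LEGIT` header and the recipient addresses are constructed for the example, and `parse_received`, `is_forged_helo`, `posted_rule_compiles` and `corrected_rule_hits` are names chosen here.

```python
import ipaddress
import re

# Header quoted in the thread (recipient address replaced by a placeholder).
FORGED = ("Received: from hwcn.org (h24-81-114-183.vc.shawcable.net [24.81.114.183])\n"
          "\tby host.hwcn.org (Postfix) with ESMTP id CCACE48233\n"
          "\tfor <recipient@example.org>; Thu, 25 Mar 2004 04:14:58 -0500 (EST)")

# Constructed counter-example (not from the post): a host inside the poster's
# own 199.212.94.0/24 that legitimately says HELO hwcn.org.
LEGIT = ("Received: from hwcn.org (mail.hwcn.org [199.212.94.10])\n"
         "\tby host.hwcn.org (Postfix) with ESMTP id 0000000000\n"
         "\tfor <recipient@example.org>; Thu, 25 Mar 2004 05:00:00 -0500 (EST)")

# Postfix layout: "from <HELO name> (<reverse DNS or 'unknown'> [<IP>])".
_RECEIVED = re.compile(
    r"from (?P<helo>\S+) \((?:(?P<rdns>[^\s\[\]()]+) )?"
    r"\[(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\]\)"
)


def unfold(header):
    """Join RFC 2822 continuation lines into one logical line."""
    return re.sub(r"\r?\n[ \t]+", " ", header)


def parse_received(header):
    """Return (helo, rdns, ip) from a Postfix-style Received header, or None."""
    m = _RECEIVED.search(unfold(header))
    if not m:
        return None
    rdns = m.group("rdns")
    if rdns == "unknown":          # Postfix writes 'unknown' when rDNS fails
        rdns = None
    return m.group("helo"), rdns, m.group("ip")


def is_forged_helo(header, local_domain="hwcn.org", local_net="199.212.94.0/24"):
    """True when the peer claimed our domain in HELO but connected from
    outside our own network.  Apply it only to the Received line added by
    your own MTA; earlier hops are written by the sender and can say anything."""
    parsed = parse_received(header)
    if parsed is None:
        return False
    helo, _rdns, ip = parsed
    helo = helo.lower().rstrip(".")
    claims_local = helo == local_domain or helo.endswith("." + local_domain)
    inside = ipaddress.ip_address(ip) in ipaddress.ip_network(local_net)
    return claims_local and not inside


# The rule as posted wraps the look-ahead in [...], which turns it into a
# character class and leaves an unmatched ')' after it, so it does not compile.
POSTED_RULE = r"hwcn.org \(.*[(?!199\.212\.94\.[0-9]+).*]\)"

# Same intent as an actual negative look-ahead: HELO of hwcn.org whose bracketed
# IP (inside the same parentheses) is not 199.212.94.x.
CORRECTED_RULE = re.compile(r"from hwcn\.org \((?![^)]*\[199\.212\.94\.\d+\])", re.I)


def posted_rule_compiles():
    try:
        re.compile(POSTED_RULE, re.I)
        return True
    except re.error:
        return False


def corrected_rule_hits(header):
    return CORRECTED_RULE.search(unfold(header)) is not None


if __name__ == "__main__":
    for name, hdr in (("forged", FORGED), ("legit", LEGIT)):
        print(name, parse_received(hdr), is_forged_helo(hdr), corrected_rule_hits(hdr))
    print("posted rule compiles:", posted_rule_compiles())
```

The false-positive case the poster worries about is exactly the one the check cannot distinguish: a roaming user or a misconfigured client that announces itself as `hwcn.org` from an outside address looks the same as the forgery. Scoring the hit rather than rejecting outright, and restricting the check to the Received line your own MTA wrote, keeps that risk bounded.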
