-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
David B Funk writes:
> On Tue, 30 Mar 2004, Tom Emerson wrote:
>
> > well, I wouldn't want to intentionally submit a virus to an e-mail reflector,
> > now would I? :) That said, here is the content of the message [sans nasty
> > attachment] for your enjoyment:
> >
> > -------the message--------
> > Return-Path: <[EMAIL PROTECTED]>
> > Received: from postoffice.pacbell.net [207.115.63.79]
> >     by localhost with POP3 (fetchmail-6.2.3)
> >     for [EMAIL PROTECTED] (single-drop); Mon, 29 Mar 2004 11:19:35 -0800 (PST)
> > Received: from vmj-ext.prodigy.net by vmj with SMTP; Mon, 29 Mar 2004 14:11:57 -0500
> > X-Originating-IP: [156.63.253.3]
> > Received: from pacbell.net (pix-n253-3.treca.org [156.63.253.3])
> >     by vmj-ext.prodigy.net (8.12.10/8.12.10) with ESMTP id i2TJBtrf044712
> >     for <[EMAIL PROTECTED]>; Mon, 29 Mar 2004 14:11:56 -0500
> > Message-Id: <[EMAIL PROTECTED]>
> > From: [EMAIL PROTECTED]
> > To: [EMAIL PROTECTED]
> > Subject: Re: Submit a Virus Sample
> > Date: Mon, 29 Mar 2004 14:10:51 -0500
> > MIME-Version: 1.0
> > Content-Type: multipart/mixed;
> >     boundary="----=_NextPart_000_0016----=_NextPart_000_0016"
> [snip..]
>
> Note the 'HELO' name the virus used ("from pacbell.net").
> The 'HELO' name == recipient's domain name which is common
> virus behavior.
>
> A large amount of viri and moderate amount of spam can be stopped
> cold if you configure your MTA to reject messages that use your
> own DNS-name/IP-address in their 'HELO'.
> (i.e., anybody else who claims to be "me" is an impostor who's up
> to no good ;).
>
> Some lame or misconfigured clients will take the DNS name from
> the user's address and use that for a HELO name. So I do not
> do that check on my MSA for our clients, but do enforce it
> on all our incoming MTA servers.
Apple's Mail.app, for one, if I recall correctly.
But agreed, it's a great rule for incoming messages from the
internet; Bayes picks it up nicely, too.
- --j.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)
Comment: Exmh CVS
iD8DBQFAac6iQTcbUG5Y7woRAvwEAKCAD5ESLC6k6EVXF6SmaQbA/6W83ACfevKr
HnD+SwVVlL0/aqp534VGghw=
=kTZo
-----END PGP SIGNATURE-----
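
The HELO check discussed in this thread, as an added example that is not part of the original messages or any MTA's own code: it parses a Sendmail-style Received header (layout assumed from the one quoted above) and flags a remote peer whose HELO claims one of our own names or addresses, while exempting our own client networks as described for the MSA. The local address and client network are constructed values.

```python
import ipaddress
import re

# "from HELO (rdns [ip])" as written in the Received header quoted in the thread.
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+\((?:(?P<rdns>[^\s\[\]]+)\s+)?\[(?P<ip>[0-9A-Fa-f.:]+)\]\)"
)

# Header text from the thread; names and addresses below it are constructed.
SAMPLE = ("Received: from pacbell.net (pix-n253-3.treca.org [156.63.253.3])\n"
          "    by vmj-ext.prodigy.net (8.12.10/8.12.10) with ESMTP id i2TJBtrf044712")
LOCAL_NAMES = {"pacbell.net"}          # names this site's MTAs answer to
LOCAL_IPS = {"192.0.2.25"}             # constructed: our MTA's own address
CLIENT_NETS = ("198.51.100.0/24",)     # constructed: our users, served by the MSA


def parse_received(header):
    """Return (helo, rdns, peer_ip) from one Received header, or None."""
    m = RECEIVED_RE.search(" ".join(header.split()))  # unfold continuation lines
    if not m:
        return None
    helo = m.group("helo").lower().rstrip(".")
    return helo, m.group("rdns"), ipaddress.ip_address(m.group("ip"))


def helo_is_forged_local(header, local_names, local_ips, client_nets=()):
    """True when a remote peer's HELO claims one of our own names or addresses."""
    parsed = parse_received(header)
    if parsed is None:
        return False
    helo, _rdns, peer = parsed
    # MSA case: some clients HELO with the user's domain, so do not flag them.
    if any(peer in ipaddress.ip_network(net) for net in client_nets):
        return False
    # A peer that really is one of our hosts may use our name.
    if peer in {ipaddress.ip_address(ip) for ip in local_ips}:
        return False
    names = {n.lower().rstrip(".") for n in local_names}
    literals = set(local_ips) | {"[%s]" % ip for ip in local_ips}
    return helo in names or helo in literals


if __name__ == "__main__":
    print(parse_received(SAMPLE))
    print(helo_is_forged_local(SAMPLE, LOCAL_NAMES, LOCAL_IPS, CLIENT_NETS))
```
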