Ooops. That rule should of course be:
header FAKE_HELO_YAHOO eval:check_for_rdns_helo_mismatch("yahoo\.com","yahoo\.com")
describe FAKE_HELO_YAHOO Host HELO did not match rDNS: yahoo.com
BTW, this is stock SA v2.63.
On Thu, 20 May 2004, Mark Powell wrote:
> Hi,
> Having problems with messages from yahoo.fr users getting points for
> FAKE_YAHOO_HELO:
>
> Received: from [216.136.131.55] (HELO web11005.mail.yahoo.com)
> (216.136.131.55)
> by pan.salford.ac.uk (qpsmtpd/0.27-dev) with SMTP; Fri, 30 Apr 2004
> 02:36:19 +0100
> Message-ID: <[EMAIL PROTECTED]>
> Received: from [24.215.150.113] by web11005.mail.yahoo.com via HTTP; Fri, 30
> Apr 2004 03:36:08 CEST
> Date: Fri, 30 Apr 2004 03:36:08 +0200 (CEST)
> From: =?iso-8859-1?q?eva=20perrotta?= <[EMAIL PROTECTED]>
> Subject: Probable_SPAM: App. in Paris
> To: xxx
> MIME-Version: 1.0
> Content-Type: text/plain; charset=iso-8859-1
> Content-Transfer-Encoding: 8bit
>
> The host is sending us HELO web11005.mail.yahoo.com from 216.136.131.55. An
> rdns lookup on that address:
>
> # nslookup 216.136.131.55
> Server: ...
> Address: ...
>
> Name: web11005.mail.yahoo.com
> Address: 216.136.131.55
>
> Seems like a false positive to me. I've had to turn this rule off to stop
> annoying our users.
> Cheers.
>
>
--
Mark Powell - UNIX System Administrator - The University of Salford
Information Services Division, Clifford Whitworth Building,
Salford University, Manchester, M5 4WT, UK.
Tel: +44 161 295 4837 Fax: +44 161 295 5888 www.pgp.com for PGP key
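
Added example, not part of the original message and not SpamAssassin's code: a Python sketch of the comparison the rule's description names (HELO against rDNS), run over the Received header and the nslookup result quoted above. The function names, the regex for the qpsmtpd header layout, and the choice to skip scoring when no PTR name is available are assumptions of this sketch.

```python
import re

# Received header from the report above (qpsmtpd layout), unfolded onto one line.
RECEIVED = ("from [216.136.131.55] (HELO web11005.mail.yahoo.com) (216.136.131.55) "
            "by pan.salford.ac.uk (qpsmtpd/0.27-dev) with SMTP; "
            "Fri, 30 Apr 2004 02:36:19 +0100")

# PTR answer copied from the nslookup output in the report; a dict stands in
# for a live resolver so the example runs offline.
PTR = {"216.136.131.55": "web11005.mail.yahoo.com"}

# Assumption: this pattern covers only the qpsmtpd layout shown above.
QPSMTPD_RE = re.compile(
    r"from \[(?P<ip>[\d.]+)\] \(HELO (?P<helo>[^\s)]+)\) \((?P=ip)\)")


def parse_relay(received):
    """Return (ip, helo) from a qpsmtpd-style Received header, or None."""
    m = QPSMTPD_RE.search(received)
    return (m.group("ip"), m.group("helo").lower()) if m else None


def in_domain(host, domain_re):
    """True if host is the domain itself or a subdomain of it."""
    return re.search(r"(?:^|\.)" + domain_re + r"$", host or "") is not None


def helo_rdns_mismatch(received, rdns_re, helo_re, ptr):
    """Fire only when HELO claims the domain and a known PTR name is outside it."""
    relay = parse_relay(received)
    if relay is None:
        return False              # unknown header layout: no verdict
    ip, helo = relay
    if not in_domain(helo, helo_re):
        return False              # host never claimed to be in the domain
    rdns = ptr.get(ip)
    if rdns is None:
        return False              # no PTR data to compare: do not score
    return not in_domain(rdns.lower().rstrip("."), rdns_re)


if __name__ == "__main__":
    print(parse_relay(RECEIVED))
    print(helo_rdns_mismatch(RECEIVED, r"yahoo\.com", r"yahoo\.com", PTR))
```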