> I just grabbed the new 70_sare_header.cf and have gotten a couple of ham
> emails that are triggering the SARE_RECV_SUSP_3 rule -- which is "Dotted
> quad hostname doesn't match HELO dotted quad."  However, I'm not sure why
> that is.
> Does it apply only to the HELO to MY server?  Or does it check previous
> servers also?  Here are the headers:
>
> Received: from portalmail.gmhwh.org (portalmail.gmhwh.org [12.110.19.29]
> (may be forged)) by frobozz.dcg.com (8.12.11/8.12.11) with ESMTP id
> i5FKQ52F022626 for <[EMAIL PROTECTED]>; Tue, 15 Jun 2004 16:26:06 -0400
> Date: Tue, 15 Jun 2004 16:26:05 -0400
> Message-ID: <[EMAIL PROTECTED]>
> Received: from 192.168.20.11 ([192.168.20.203]) by portalmail.gmhwh.org;
> Tue, 15 Jun 2004 14:25:39 -0600

The magic in the description of that rule is "dotted quad doesn't match
dotted quad".
The rule scans all received headers (all simple regex rules in SA on
Received will do this).
So all that is known is *some* received header had a forged host id.  In
your case it is the second header:

> Received: from 192.168.20.11 ([192.168.20.203]) by portalmail.gmhwh.org;
> Tue, 15 Jun 2004 14:25:39 -0600

Note that a host claiming to be 192.168.20.11 actually HELOed as
192.168.20.203.

This is a pretty common spam sign, so it gets a point or two; I don't recall
the actual score.
Note that I think both of those addresses are private address space, so I'm
a little surprised that either of them would show up as a valid dotted quad
in a valid address you should see in a header.

        Loren
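As an added illustration (not code from this thread, and not SpamAssassin's own rule implementation), the following Python script applies the check the reply describes to every Received header of a message: unfold the headers, pull the HELO string and the bracketed connecting IP out of each `Received: from ...` line, and flag the header only when the HELO is itself a dotted quad that differs from the connecting address. It also reports whether the HELO address is private space, which is the second point raised above. The regular expression and the sample headers (taken from the quoted message, with the recipient replaced by a placeholder) are assumptions of this example.

```python
import ipaddress
import re
from typing import List, Optional, Tuple

# Assumed pattern for this example: "Received: from <helo> ( ... [<ip>] ...".
# The <helo> group is what the remote host announced; the bracketed <ip> is
# the address the receiving MTA actually saw on the connection.
_RECEIVED_FROM = re.compile(
    r"^Received:\s*from\s+(?P<helo>\S+)\s*\(.*?\[(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\]",
    re.IGNORECASE | re.DOTALL,
)

_DOTTED_QUAD = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")

# Constructed sample: the two Received headers from the quoted message, with the
# recipient address replaced by a placeholder.
SAMPLE_HEADERS = """\
Received: from portalmail.gmhwh.org (portalmail.gmhwh.org [12.110.19.29] (may
 be forged)) by frobozz.dcg.com (8.12.11/8.12.11) with ESMTP id i5FKQ52F022626
 for <user@example.invalid>; Tue, 15 Jun 2004 16:26:06 -0400
Date: Tue, 15 Jun 2004 16:26:05 -0400
Received: from 192.168.20.11 ([192.168.20.203]) by portalmail.gmhwh.org;
 Tue, 15 Jun 2004 14:25:39 -0600
"""


def unfold_headers(raw: str) -> List[str]:
    """Join folded header lines: a continuation line starts with whitespace."""
    lines: List[str] = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and lines:
            lines[-1] += " " + line.strip()
        else:
            lines.append(line.rstrip())
    return lines


def helo_ip_mismatch(received: str) -> Optional[Tuple[str, str]]:
    """Return (helo, ip) when the HELO string is a dotted quad that differs
    from the bracketed connecting IP; otherwise None.

    A hostname HELO is ignored on purpose: the rule being discussed only
    compares a dotted quad against a dotted quad."""
    m = _RECEIVED_FROM.match(received)
    if not m:
        return None
    helo, ip = m.group("helo"), m.group("ip")
    if _DOTTED_QUAD.match(helo) and helo != ip:
        return helo, ip
    return None


def _is_private(addr: str) -> bool:
    """True for RFC 1918 / loopback / link-local space; False if unparsable."""
    try:
        return ipaddress.ip_address(addr).is_private
    except ValueError:
        return False


def scan_message(raw: str) -> List[Tuple[str, str, bool]]:
    """Scan every Received header, as the rule does, and return one tuple
    (helo, connecting_ip, helo_is_private) per mismatching hop."""
    hits: List[Tuple[str, str, bool]] = []
    for hdr in unfold_headers(raw):
        if not hdr.lower().startswith("received:"):
            continue
        res = helo_ip_mismatch(hdr)
        if res:
            helo, ip = res
            hits.append((helo, ip, _is_private(helo)))
    return hits


if __name__ == "__main__":
    for helo, ip, private in scan_message(SAMPLE_HEADERS):
        space = "private" if private else "public"
        print(f"HELO {helo} ({space}) != connecting IP {ip}")
```

Run against the sample, only the inner hop (HELO 192.168.20.11, connection from 192.168.20.203) is reported; the outer hop passes because its HELO is a hostname, not a dotted quad. Because the scan walks every Received header, a hit tells you that some hop in the chain mismatched, not that the HELO to your own server did, which is exactly the ambiguity the question raised.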
