Thanks, Sean. That was exactly the help I needed. When I changed
FORGED_RCVD_HELO from a zero score, the forgery was detected.
Based on the default weighting, should I assume that FORGED_RCVD_HELO is not
a reliable spam indicator?
-Jim
On Mon, 13 Jun 2005 16:48:28 -0700, Sean Sowell wrote
> Jim Schueler wrote on Monday, June 13, 2005 1138
>
> > I should have been more specific in my original request. The stock rule to
> > detect HELO forgery is exactly what I'm looking for.
>
> Am new to SA so I don't know how these tests really work or why none
> were displayed in your spample. But here are the HELO forgery rules
> that may relate:
>
> FAKE_HELO_MSN, MAIL_COM, EMAIL_COM, EUDORAMAIL, EXCITE, LYCOS,
> YAHOO_CA, and MAIL_COM_DOM.
>
> HELO_DYNAMIC_IPADDR, DHCP, HCC, ATTBI, ROGERS, ADELPHIA, DIALIN,
> HEXIP, SPLIT_IP, YAHOOBB, OOL, IPADDR2, RR2, COMCAST, TELIA, VTR,
> CHELLO_NO, CHELLO_NL, VELOX, NTL, and HOME_NL.
>
> FORGED_RCVD_HELO
>
> RCVD_HELO_IP_MISMATCH
>
> RCVD_NUMERIC_HELO
>
> RCVD_FAKE_HELO_DOTCOM
>
> NO_RDNS_DOTCOM_HELO
>
> These tests are described on the wiki at
> http://spamassassin.apache.org/tests_3_0_x.html. I cooked up an
> Excel spreadsheet for easier sorting and organizing, and can send it
> to you off-list if you want.
>
> HTH,
>
> Sean Sowell
> www.twin-dad.com