Kelly Jones wrote the following on 12/6/2006 8:13 PM -0800:
> Spamassassin has lots of tests for fake HELOs. If someone says "HELO
> hotmail.com", but aren't connecting from a Hotmail IP address, they
> get dinged (spam score is increased).
>
> Recently, someone connected to our server, call it mx.xyz.com, and said
> "HELO mx.xyz.com". Spamassassin didn't ding it for doing this.
>
> Is there a ruleset that does this? I realize xyz.com couldn't be
> hardcoded (otherwise, it'd be a different ruleset for everyone), but
> is there a generic ruleset that uses a function call or something to
> figure out your MX server (or the name of the machine spamassassin is
> running on) and then ding someone HELO'ing as that?

Why even accept their mail deliveries in the first place? Instead, simply reject them at your MTA. Anyone that connects to my MTA and announces my hostname or IP address to me is immediately rejected with a perm fail.

If you cannot or do not want to do that, you could do something like this in SA:

header HELO_I_AM_YOU1 X-Spam-Relays-Untrusted =~ /^[^\]]+ helo=host\.example\.com /i
describe HELO_I_AM_YOU1 Impostor using my hostname
score HELO_I_AM_YOU1 5.0

header HELO_I_AM_YOU2 X-Spam-Relays-Untrusted =~ /^[^\]]+ helo=111\.222\.111\.222 /
describe HELO_I_AM_YOU2 Impostor using my IP address
score HELO_I_AM_YOU2 5.0

Bill
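
The following is an added example, not part of the original thread or of SpamAssassin: a small Python generator that emits rules of the shape shown above from a list of local hostnames and IP addresses, so nothing is hardcoded by hand, and then checks the generated patterns against sample relay metadata. The function names, the documentation-range addresses and the X-Spam-Relays-Untrusted sample strings are assumptions constructed for illustration; the pattern uses only regex syntax that behaves the same in Python and Perl.

```python
import re

# Only hostname/IPv4 characters are allowed, so escaping dots is sufficient.
_SAFE = re.compile(r"^[A-Za-z0-9.-]+$")

def helo_pattern(identity):
    """Regex body matching helo=<identity> in the first untrusted relay only."""
    if not _SAFE.match(identity):
        raise ValueError("unexpected character in identity: %r" % identity)
    return r"^[^\]]+ helo=" + identity.replace(".", r"\.") + " "

def make_rules(identities, score=5.0):
    """Emit one header/describe/score triple per local hostname or IP."""
    lines = []
    for n, ident in enumerate(identities, 1):
        name = "HELO_I_AM_YOU%d" % n
        lines += [
            "header   %s X-Spam-Relays-Untrusted =~ /%s/i" % (name, helo_pattern(ident)),
            "describe %s Impostor using my identity %s" % (name, ident),
            "score    %s %.1f" % (name, score),
        ]
    return "\n".join(lines)

def impostor(relays, identities):
    """True if the first untrusted relay announced one of our identities."""
    return any(re.search(helo_pattern(i), relays, re.I) for i in identities)

# Constructed sample metadata (documentation addresses, not real traffic).
MINE = ["host.example.com", "192.0.2.25"]
FORGED = ("[ ip=203.0.113.7 rdns=dyn.example.net helo=host.example.com "
          "by=host.example.com ident= envfrom= intl=0 id=A1 auth= msa=0 ]")
HONEST = ("[ ip=203.0.113.7 rdns=mail.example.net helo=mail.example.net "
          "by=host.example.com ident= envfrom= intl=0 id=A2 auth= msa=0 ]")
# Our name appears only in a later (second) relay entry: the anchor skips it.
SECOND_HOP = HONEST + " " + FORGED.replace("203.0.113.7", "198.51.100.9")
# An unescaped dot would match this; the escaped pattern does not.
LOOKALIKE = FORGED.replace("helo=host.example.com", "helo=hostXexample.com")

if __name__ == "__main__":
    print(make_rules(MINE))
    for label, relays in [("forged", FORGED), ("honest", HONEST),
                          ("second hop", SECOND_HOP), ("lookalike", LOOKALIKE)]:
        print(label, impostor(relays, MINE))
```

The `by=` field always carries the receiving host's own name, which is why the pattern keys on ` helo=` specifically and why the honest sample does not match.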