Jack L. Stone writes:
> On 7 Dec 2006 at 13:21, Justin Mason wrote:
> > Kelly Jones writes:
> > > Spamassassin has lots of tests for fake HELOs. If someone says
> > > "HELO hotmail.com", but aren't connecting from a Hotmail IP
> > > address, they get dinged (spam score is increased).
> > >
> > > Recently, someone connected to our server, call it mx.xyz.com, and
> > > said "HELO mx.xyz.com". Spamassassin didn't ding it for doing
> > > this.
> > >
> > > Is there a ruleset that does this? I realize xyz.com couldn't
> > > be hardcoded (otherwise, it'd be a different ruleset for
> > > everyone), but is there a generic ruleset that uses a function
> > > call or something to figure out your MX server (or the name of
> > > the machine spamassassin is running on) and then ding someone
> > > HELO'ing as that?
> >
> > This is a great spam-sign alright, but I don't know of a way to
> > detect what the local site's HELO is, bar each site writing their
> > own rules to do so.
> >
> > Bayes does a good job of figuring this out, btw.
> >
> > Any suggestions?
>
> I use milter-regex as the frontline wall and this regex for
> catching fakers:
>
> ## HELO faking my own IP address
> tempfail "Malformed HELO (can't be me)"
> helo /^70\.86\.37\.82$/
>
> HTH.....

yeah -- there are any number of ways to do this, if requiring admin
configuration is OK -- I'm asking for ways we can automatically figure it
out from SpamAssassin code, without help. ;)

--j.
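
The check discussed in this thread, written out as an added example that is not part of the original messages and is not SpamAssassin or milter-regex code: flag a remote client whose HELO argument is the receiving site's own hostname or IP address. It takes the admin-configured route (it does not auto-detect the local identity); `LOCAL_NAMES`, `LOCAL_IPS` and the function names are hypothetical, the name and address are the ones quoted in the thread, and the connecting IPs are constructed samples.

```python
import ipaddress

# Assumed local identity, supplied by the admin (name and address from the thread).
LOCAL_NAMES = {"mx.xyz.com"}
LOCAL_IPS = {ipaddress.ip_address("70.86.37.82")}


def parse_helo(arg):
    """Return ('ip', address) or ('name', hostname) for a HELO/EHLO argument."""
    text = arg.strip()
    literal = text
    if text.startswith("[") and text.endswith("]"):
        literal = text[1:-1]                  # RFC 5321 address literal
        if literal.lower().startswith("ipv6:"):
            literal = literal[5:]
    try:
        return "ip", ipaddress.ip_address(literal)
    except ValueError:
        # Not an address: compare hostnames case-insensitively, without a root dot.
        return "name", text.rstrip(".").lower()


def helo_claims_to_be_us(helo_arg, client_ip,
                         local_names=LOCAL_NAMES, local_ips=LOCAL_IPS):
    """True when a remote client introduces itself with our own name or IP."""
    client = ipaddress.ip_address(client_ip)
    if client.is_loopback or client in local_ips:
        return False                          # our own host really is talking
    kind, value = parse_helo(helo_arg)
    if kind == "ip":
        return value in local_ips
    return value in local_names


# Constructed sample connections: (HELO argument, connecting IP).
SAMPLES = [
    ("mx.xyz.com", "203.0.113.9"),
    ("MX.XYZ.COM.", "203.0.113.9"),
    ("70.86.37.82", "198.51.100.7"),
    ("[70.86.37.82]", "198.51.100.7"),
    ("mx.xyz.com", "70.86.37.82"),
    ("mail.example.net", "203.0.113.9"),
]

if __name__ == "__main__":
    for helo, ip in SAMPLES:
        print(f"{helo!r:22} from {ip:15} -> {helo_claims_to_be_us(helo, ip)}")
```

Unlike the single-address regex, this also matches the bracketed address-literal form and hostname case variants, and it exempts connections that really do come from the local address.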