Bill,

This looks to be more promising than filtering for forged MAILFROMs (because of the FPs that exist there).  The spam that has gotten through which forged the MAILFROM also forged the HELO, while the legit stuff had appropriate HELOs listed.

I have one issue though that others might need to work around.  I have MS SMTP on the same machine configured at the .16 address; however, when it hands off to my main domain, MS SMTP forges the IP as being that of the server it's handing off to, .15 in this instance, but it uses the proper name given to the MS SMTP server.  Here's an example:
Received: from webmail.igaia.com [208.7.179.15] by igaia.com with ESMTP
  (SMTPD32-7.13) id A541250019C; Mon, 22 Sep 2003 18:18:41 -0400
Received: from mail pickup service by webmail.igaia.com with Microsoft SMTPSVC;
Mon, 22 Sep 2003 18:18:41 -0400
Reply-To: "<snip>" <snip>
From: "<snip>" <snip>
To: "<snip>" <snip>
Subject: Used Vehicle Inquiry - <snip>
Date: Mon, 22 Sep 2003 18:18:41 -0400
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1165
Message-ID: <[EMAIL PROTECTED]>
X-OriginalArrivalTime: 22 Sep 2003 22:18:41.0563 (UTC) FILETIME=[7A9B1EB0:01C38157]
X-Declude-Sender: <snip> [208.7.179.15]
X-Declude-Spoolname: D75410250019c9ee6.SMD
X-Note: This E-mail was scanned by iGaia Incorporated's E-mail service (www.igaia.com) for spam.
X-Note: This E-mail was sent from igaia.com ([208.7.179.15]).
X-Spam-Tests-Failed: NOLEGITCONTENT, BCC-1, BCC-3, FORGEDASLOCAL, DYNAMIC [0]
X-RCPT-TO: <snip>
Status: U
X-UIDL: 364035046
Clearly this isn't proper behavior for MS SMTP (unless I'm mistaken about something).  In this instance, it would be necessary to provide exclusions for every instance of MS SMTP.  I'm not sure what happens when MS SMTP forges the IP like this while hosted on a different server, maybe one out of your control, but I suspect that happens also according to the "Smart Host" if it is configured to hand off such messages (as mine is).  If MS SMTP is configured to attempt delivery itself, I would imagine that it will report the proper IP in the HELO.

Some software and hardware devices that send out notifications with their own SMTP engine will also make the HELO whatever the configuration says it is, and people will often use their own primary mail domain in this which would FP on this test.  I have two such devices from my customer base that are doing this.  Firewalls seem to be the most common offenders.

Besides those two issues which people may need to work around, this seems like a solid test.

I'm curious as to the exact format of the HELO that Declude matches with this filter.  Based on your code, it suggests that the data contains an IP address and ends with the sender's HELO domain.  I thought that all that was matched with the HELO filter was the domain name that is reported?  Could you clarify?  That will affect how I exclude webmail.igaia.com from tripping the filter when it is received by igaia.com.

You can answer that one tomorrow if you wish... I'm giving up on these late-late nights.

Matt



Bill Landry wrote:
This test is very effective at flagging or blocking spam from mail hosts
that attempt to connect to your mail server and announce your own hostnames
or IP addresses to it in their HELO string, especially if your IMail/Declude
server is directly sending and receiving mail from the Internet (less
functional, but still works if relaying via mail gateway to IMail/Declude).
This filter looks for the bogus HELO info in the headers.  In my testing,
100% of the messages delivered by these mail hosts are spam.

Think about it, why would any other legitimate mail server out there attempt
to connect to your mail server announcing your own hostname or IP address in
its HELO string?  The answer is, it wouldn't.  Anyway, here is the test I
use to detect these.

In global.cfg:
FORGEDHELO-FILTER filter M:\IMail\Declude\ForgedHelo-Filter.txt x 7 0

In ForgedHelo-Filter.txt file:
=====
# In case you have mail gateways, deduct equal weight for these hosts
HELO -7 ENDSWITH gw1.yourdomain.com
HELO -7 ENDSWITH gw2.yourdomain.com

# Remote mail hosts connecting and announcing your IP addresses
HELO 0 CONTAINS xxx.xxx.xxx.
HELO 0 CONTAINS xxx.xxx.xxx.

# Remote mail hosts connecting and announcing your hostnames
HELO 0 ENDSWITH your-host.com
HELO 0 ENDSWITH your-host.net
HELO 0 ENDSWITH cust-host.com
HELO 0 ENDSWITH cust-host.net
=====

If you are not already running a test like this, try it out.  I think you
will find that it will flag lots of spam.

Bill


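The following is an added example, not code from either message in this thread and not Declude's own implementation. It re-creates the logic of Bill's ForgedHelo-Filter.txt in Python, run over constructed Received headers laid out like the SMTPD32 line Matt quoted, so the two work-arounds Matt raises (a local MS SMTP host that announces its own name with the server's IP, and appliances that put the primary mail domain in their HELO) can be seen alongside the spam case and the gateway deduction. Two things are assumptions of mine, not facts from the thread: that Declude adds the global.cfg weight (7) once when any filter line matches and the matching lines' own weights on top of that (which is how Bill's "-7 deducts equal weight" comment reads), and the `exempt_helos` / `exempt_ips` fields, which are hypothetical work-arounds rather than Declude filter syntax. All hostnames and IPs in the samples are constructed (documentation ranges).

```python
import re
from dataclasses import dataclass

# Shape of the Received header IMail's SMTPD32 writes, as quoted in the thread:
#   Received: from <HELO name> [<connecting IP>] by <receiving host> with ESMTP
RECEIVED_RE = re.compile(
    r"^Received:\s+from\s+(?P<helo>\S+)\s+\[(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\]"
    r"\s+by\s+(?P<by>\S+)",
    re.IGNORECASE,
)


def parse_received(line):
    """Return (helo, connecting_ip, receiving_host), lower-cased, or None."""
    m = RECEIVED_RE.match(line.strip())
    if not m:
        return None
    return m.group("helo").lower(), m.group("ip"), m.group("by").lower()


@dataclass
class ForgedHeloFilter:
    filter_weight: int = 7       # the 7 on the global.cfg line
    our_hostnames: tuple = ()    # HELO 0 ENDSWITH your-host.com
    our_ip_prefixes: tuple = ()  # HELO 0 CONTAINS xxx.xxx.xxx.
    gateways: tuple = ()         # HELO -7 ENDSWITH gw1.yourdomain.com
    # Hypothetical work-arounds (my addition, not Declude syntax): an exact HELO
    # name to ignore (a local MS SMTP host) and connecting IPs of appliances
    # that announce your own domain in HELO.
    exempt_helos: tuple = ()
    exempt_ips: tuple = ()

    def score(self, helo, ip):
        """Assumption about Declude semantics: the global.cfg weight is added once
        when any line matches, plus the matching lines' own weights, so Bill's
        -7 gateway line cancels the 7 exactly."""
        if helo in self.exempt_helos or ip in self.exempt_ips:
            return 0
        matched, total = False, 0
        for gw in self.gateways:
            if helo.endswith(gw):
                matched, total = True, total - self.filter_weight
        for prefix in self.our_ip_prefixes:
            if prefix in helo:
                matched = True
        for host in self.our_hostnames:
            # Plain ENDSWITH as in the filter file; note it also matches
            # "mail-your-host.com". Compare against "." + host if that matters.
            if helo.endswith(host):
                matched = True
        return max(0, self.filter_weight + total) if matched else 0


def score_message(headers, flt):
    """Score a message from the Received line our own server wrote. Only the
    top-most Received line added by one of our_hostnames is trusted; every
    Received line below it was supplied by the sender and can say anything."""
    for line in headers:
        parsed = parse_received(line)
        if parsed is None:
            continue
        helo, ip, by = parsed
        if any(by == h or by.endswith("." + h) for h in flt.our_hostnames):
            return flt.score(helo, ip)
        return 0  # first Received line is not ours: nothing trustworthy to score
    return 0


# Constructed configuration and sample headers (documentation IP ranges).
FILTER = ForgedHeloFilter(
    our_hostnames=("your-host.com",),
    our_ip_prefixes=("192.0.2.",),
    gateways=("gw1.your-host.com",),
    exempt_helos=("webmail.your-host.com",),  # local MS SMTP handing off to us
    exempt_ips=("203.0.113.9",),              # customer firewall announcing our domain
)

SAMPLES = {
    # Remote host announcing our hostname: the spam Bill describes.
    "spam_hostname": ["Received: from mail.your-host.com [198.51.100.7] by mail.your-host.com with ESMTP"],
    # Remote host announcing one of our IPs.
    "spam_ip": ["Received: from 192.0.2.15 [198.51.100.8] by mail.your-host.com with ESMTP"],
    # Our own gateway: the -7 line cancels the 7.
    "gateway": ["Received: from gw1.your-host.com [192.0.2.2] by mail.your-host.com with ESMTP"],
    # Matt's case: MS SMTP on the same box, its own name with our IP.
    "ms_smtp_handoff": ["Received: from webmail.your-host.com [192.0.2.15] by mail.your-host.com with ESMTP"],
    # Appliance that puts the primary mail domain in HELO, excluded by IP.
    "firewall_notice": ["Received: from your-host.com [203.0.113.9] by mail.your-host.com with ESMTP"],
    # Sender forged a lower Received line with our hostname; the top line is ours and clean.
    "forged_lower_line": [
        "Received: from mx.example.net [198.51.100.20] by mail.your-host.com with ESMTP",
        "Received: from mail.your-host.com [192.0.2.1] by mx.example.net with ESMTP",
    ],
}


def run_samples():
    return {name: score_message(hdrs, FILTER) for name, hdrs in SAMPLES.items()}


if __name__ == "__main__":
    for name, score in run_samples().items():
        print(f"{name:18s} -> {score}")
```

Without the `exempt_helos` entry the MS SMTP hand-off scores the full 7, which is Matt's point: it matches both the "ends with our hostname" and the "contains our IP" lines. Whether Declude lets you write that exclusion as a HELO line depends on exactly what string the HELO filter matches against, which is the question Matt puts to Bill; the example above only shows the effect of the exclusion, not its Declude syntax. The `score_message` rule of trusting only the Received line your own server wrote is the part worth keeping regardless of the filter engine: lower Received lines are sender-controlled and are themselves a common forgery target.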