----- Original Message -----
From: Matthew Bramble

> I'm curious as to the exact format of the HELO that Declude matches with this filter.
> Based on your code, it suggests that the data contains an IP address and ends with
> the sender's HELO domain. I thought that all that was matched with the HELO filter
> was the domain name that is reported??? Could you clarify. That will affect how I
> exclude webmail.igaia.com from tripping the filter when it is received by igaia.com.
I actually do this type of filtering on my Redhat/Postfix gateways, but here is a sample transcript of a forged hostname connection and a forged IP address connection:

=====
Transcript of session follows:
Out: 220 gw1.pointshare.com - ESMTP Mail Gateway - UCE not permitted
In: HELO gw1.pointshare.com
Out: 250 gw1.pointshare.com
In: mail from: <[EMAIL PROTECTED]>
Out: 250 Ok
In: rcpt to: <[EMAIL PROTECTED]>
Out: 550 <gw1.pointshare.com>: Helo command rejected: Don't use my hostname
Session aborted, reason: lost connection
=====
Transcript of session follows:
Out: 220 gw1.pointshare.com - ESMTP Mail Gateway - UCE not permitted
In: HELO 204.189.38.4
Out: 250 gw1.pointshare.com
In: MAIL FROM: <[EMAIL PROTECTED]>
Out: 250 Ok
In: RCPT TO: <[EMAIL PROTECTED]>
Out: 550 <204.189.38.4>: Helo command rejected: Don't use my IP address
Session aborted, reason: lost connection
=====

In the second instance, the spammer has configured the hostname to match my gateway's IP address. This is not the actual IP address of the connecting mail server, rather it's just a mail server that has an IP address for a hostname instead of a FQHN. I typically block thousands of spam messages with these rules every day.

Bill

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]
---
This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com.
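The two rejections in Bill's transcripts amount to a simple policy: a connecting client must not greet with the receiving gateway's own hostname, and must not greet with the gateway's own IP address. The following Python is an added example of that policy, not Bill's Postfix configuration and not Declude's filter; it assumes that only the HELO/EHLO argument itself is examined (the message does not say what Declude actually matches against). The gateway hostname and the 204.189.38.4 address are taken from the transcripts above as the local configuration; the third session in the sample transcript, with a client greeting as mail.example.net, is constructed to show an accepted case.

```python
import ipaddress
import re

# Local identity of the receiving gateway. The hostname and address come from the
# transcripts in the message; treating 204.189.38.4 as the gateway's own address
# is an assumption based on the second rejection line.
OUR_HOSTNAME = "gw1.pointshare.com"
OUR_ADDRESSES = {ipaddress.ip_address("204.189.38.4")}

# HELO/EHLO command with a single argument, case-insensitive like SMTP verbs.
HELO_RE = re.compile(r"^\s*(HELO|EHLO)\s+(\S+)\s*$", re.IGNORECASE)


def parse_helo_argument(command_line):
    """Return the HELO/EHLO argument from one SMTP command line, or None."""
    m = HELO_RE.match(command_line)
    return m.group(2) if m else None


def classify_helo(helo, our_hostname=OUR_HOSTNAME, our_addresses=OUR_ADDRESSES):
    """Decide whether a HELO argument claims our own identity.

    Returns ('reject', reason) or ('accept', ''). The two reasons mirror the 550
    responses in the transcripts. A bare dotted address (as in the transcript) is
    not a valid HELO argument under RFC 5321, but it is what spamware sends, so
    both the bare form and the bracketed address-literal form are recognised.
    """
    name = helo.strip().lower()
    if name == our_hostname.lower():
        return ("reject", "Don't use my hostname")

    # Address literals look like [1.2.3.4] or [IPv6:2001:db8::1]; strip the wrapper.
    literal = name[1:-1] if name.startswith("[") and name.endswith("]") else name
    if literal.startswith("ipv6:"):
        literal = literal[5:]
    try:
        addr = ipaddress.ip_address(literal)
    except ValueError:
        # Not an IP at all: a hostname that is not ours, so the rules do not fire.
        return ("accept", "")
    if addr in our_addresses:
        return ("reject", "Don't use my IP address")
    return ("accept", "")


def scan_transcript(lines, our_hostname=OUR_HOSTNAME, our_addresses=OUR_ADDRESSES):
    """Walk 'In:'/'Out:' transcript lines and return (helo, verdict, reason) per greeting."""
    results = []
    for line in lines:
        if not line.startswith("In:"):
            continue  # only client commands carry a HELO
        helo = parse_helo_argument(line[len("In:"):])
        if helo is None:
            continue  # MAIL FROM, RCPT TO and similar are not greetings
        verdict, reason = classify_helo(helo, our_hostname, our_addresses)
        results.append((helo, verdict, reason))
    return results


# Constructed sample: the two sessions from the message plus one legitimate greeting.
SAMPLE_TRANSCRIPT = [
    "Out: 220 gw1.pointshare.com - ESMTP Mail Gateway - UCE not permitted",
    "In: HELO gw1.pointshare.com",
    "Out: 250 gw1.pointshare.com",
    "In: mail from: <sender@example.invalid>",
    "Out: 550 <gw1.pointshare.com>: Helo command rejected: Don't use my hostname",
    "Out: 220 gw1.pointshare.com - ESMTP Mail Gateway - UCE not permitted",
    "In: HELO 204.189.38.4",
    "Out: 250 gw1.pointshare.com",
    "In: MAIL FROM: <sender@example.invalid>",
    "Out: 550 <204.189.38.4>: Helo command rejected: Don't use my IP address",
    "Out: 220 gw1.pointshare.com - ESMTP Mail Gateway - UCE not permitted",
    "In: EHLO mail.example.net",
    "Out: 250 gw1.pointshare.com",
]

if __name__ == "__main__":
    for helo, verdict, reason in scan_transcript(SAMPLE_TRANSCRIPT):
        print(f"{helo:24} {verdict:7} {reason}")
```

Note that the rule deliberately rejects only the gateway's own address, not every client that greets with a bare IP; a misconfigured but legitimate relay greeting with its real address still passes, which keeps the false-positive rate where Bill's transcripts put it. Any site-specific exclusion such as the one Matthew asks about would be a separate check ahead of these two rules.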
