Andrew,
I think that you misunderstood.
If you have a local domain of "example.com" and an E-mail comes in with a Mail From of "[EMAIL PROTECTED]" with a HELO of "asdfdfasdfsafdsafd.asddsfadfas.asddfs", then HELOBOGUS will not trigger even though this is a bogus HELO. This isn't a bug; this was by design back in the day before you could whitelist authenticated users so that you didn't tag your own users with such tests when they would likely fail them since home PCs tend to not use Internet resolvable HELO names. Now with WHITELIST AUTH, one can safely use this test on all E-mails that Declude scans, regardless of whether or not the Mail From is a local domain.
I also indicated that in addition to the above, there was the known issue (also by design) where Declude disables any IP4R test (possibly others) that contains the letters "DUL", "DYNA" or "DUHL" in the name for E-mails that have a Mail From that is local to the server, even when forged. My workaround for this was to stop using that naming convention for DUL tests since it was only benefiting spammers on my system since I started using WHITELIST AUTH. Unlike the DUL trick, the HELOBOGUS thing can't be worked around.
Matt
Colbeck, Andrew wrote:
Matt, (pause while I put on my iron codpiece) this sounds like a good place for an IMail implementation to use SPF records as self-defense.
It sounds like what you're looking for is a two-fer that maps valid client space with valid domain names to detect spoofing, and HELOBOGUS will only do part of the job. Or am I just putting words in your mouth?
Andrew 8)
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matt
Sent: Monday, April 11, 2005 2:54 PM
To: [email protected]
Subject: [Declude.JunkMail] HELOBOGUS only fails with non-local senders
I was scratching my head real hard on this one, but found the answer in the release notes and I think that given changes over time, our friends at Declude should consider revising how this limiting of the HELOBOGUS test works.
I noted in the release notes for 1.57 [Beta, 30 Jul 2002] that the HELOBOGUS "will now only be tested on non-local senders." With the invention of WHITELIST AUTH, this is unnecessary for any server that is configured for this. Zombie spammers and viruses will often enough forge a local sender in the Mail From along with using bogus HELO names, but the HELOBOGUS test won't trigger in that event due to this old fix.
I agree that at the time this was totally necessary just like disabling DUL tests for local senders was, and the only method that could be used was checking the Mail From, but for systems that can whitelist all local users, it would be beneficial to have the added value of these tests under these conditions by way of a switch in the config file. I would imagine that the switch would be in the form of something like "LOCALHELOBOGUS ON" and "LOCALDUL ON". I believe that the DUL part has been discussed before and possibly agreed to that it was a good idea for a future revision. I would hope that the same consideration could be given to the HELOBOGUS skipping of local senders.
Thanks,
Matt
--
=====================================================
MailPure custom filters for Declude JunkMail Pro.
http://www.mailpure.com/software/
=====================================================
--- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com.
