Hello Steve,

Tuesday, November 25, 2003, 10:40:09 AM, you wrote:

ST> I noticed that this guy's using our domain name as the argument to
ST> the HELO command during the SMTP transaction. So if the address he's
ST> spamming is [EMAIL PROTECTED], his ratware used "HELO example.com".
ST> None of our servers use just our domain name (they all use their
ST> fully qualified hostnames), so I added a custom rule which looked for
ST> "helo=example.com" in the Received: header and scored it at 200
ST> points to overcome his using a whitelisted From: address (we've
ST> whitelisted [EMAIL PROTECTED]). Works like a charm.

Interesting catch. I checked my corpus just now for "helo mydomain.tld", and got four hits, all ham, all emails from my wife to other members of the family last February. I'm guessing that a combination of mail client (Netscape 4.7 at the time) and other factors may result in ham occasionally having this attribute.

Bob Menschel

_______________________________________________
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk
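
The corpus check discussed in this thread, written out as an added example (not code from either poster): it extracts the HELO name from each Received: header and counts, per label, how many messages used the bare domain, so false positives show up before the rule gets a high score. The function names, hostnames, addresses and sample messages are constructed for illustration.

```python
import re
from email import message_from_string

# Exim writes "helo=name"; Sendmail/Postfix put the HELO name right after "from".
HELO_PATTERNS = (re.compile(r"\bhelo=\[?([^\s\])]+)", re.I),
                 re.compile(r"^from\s+(\S+)", re.I))

def helo_names(raw_message):
    """HELO name recorded in each Received header, newest hop first."""
    names = []
    for header in message_from_string(raw_message).get_all("Received", []):
        text = " ".join(header.split())          # unfold continuation lines
        for pattern in HELO_PATTERNS:
            match = pattern.search(text)
            if match:
                names.append(match.group(1).lower().rstrip("."))
                break
    return names

def tally(corpus, bare_domain):
    """Count, per label, messages where some hop used HELO <bare_domain>."""
    hits = {}
    for label, raw in corpus:
        hits.setdefault(label, 0)
        hits[label] += int(bare_domain.lower() in helo_names(raw))
    return hits

# Constructed sample corpus (documentation addresses, not real traffic).
SPAM = ("Received: from [203.0.113.9] (helo=example.com)\n"
        "\tby mx1.example.com with smtp; Tue, 25 Nov 2003 10:00:00 -0800\n"
        "From: staff@example.com\n\nBuy now\n")
HAM_CLIENT = ("Received: from example.com (pc12.example.com [192.0.2.12])\n"
              "\tby mx1.example.com; Mon, 10 Feb 2003 09:00:00 -0800\n"
              "From: user@example.com\n\nSee you Sunday\n")
HAM_REMOTE = ("Received: from mail.example.org (mail.example.org [198.51.100.4])\n"
              "\tby mx1.example.com; Mon, 10 Feb 2003 09:05:00 -0800\n"
              "From: friend@example.org\n\nHi\n")
CORPUS = [("spam", SPAM), ("ham", HAM_CLIENT), ("ham", HAM_REMOTE)]

if __name__ == "__main__":
    print(tally(CORPUS, "example.com"))
```

A non-zero ham count, as in the constructed client message here, means the match alone cannot safely carry a score large enough to override a whitelist entry.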