-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
Robert Menschel writes: >-----BEGIN PGP SIGNED MESSAGE----- >Hash: SHA1 > >Hello Steve, > >Tuesday, November 25, 2003, 10:40:09 AM, you wrote: > >ST> I noticed that this guy's using our domain name as the argument to >ST> the HELO command during the SMTP transaction. So if the address he's >ST> spamming is [EMAIL PROTECTED], his ratware used "HELO example.com". >ST> None of our servers use just our domain name (they all use their >ST> fully qualified hostnames), so I added a custom rule which looked for >ST> "helo=example.com" in the Received: header and scored it at 200 >ST> points to overcome his using a whitelisted From: address (we've >ST> whitelisted [EMAIL PROTECTED]). Works like a charm. > >Interesting catch. I checked my corpus just now for "helo mydomain.tld", >and got four hits, all ham, all emails from my wife to other members of >the family last February. > >I'm guessing that a combination of mail client (Netscape 4.7 at the time) >and other factors may result in ham occasionally having this attribute. FWIW, this is the kind of thing Bayes excels at spotting. - --j. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.2 (GNU/Linux) Comment: Exmh CVS iD8DBQE/xB5fQTcbUG5Y7woRAjuhAJ9lSM/hatcaVqR8TYYYKt8VVhPUUACgjVLu EPjvR8vZLMG/vTUGwOpog1c= =GPG2 -----END PGP SIGNATURE----- ------------------------------------------------------- This SF.net email is sponsored by: SF.net Giveback Program. Does SourceForge.net help you be more productive? Does it help you create better code? SHARE THE LOVE, and help us help YOU! Click Here: http://sourceforge.net/donate/ _______________________________________________ Spamassassin-talk mailing list [EMAIL PROTECTED] https://lists.sourceforge.net/lists/listinfo/spamassassin-talk
