sub filter_recipient {
    my ($recipient, $sender, $ip, $hostname, $first, $helo, @etc) = @_;   # ... etc...

    # do some other stuff

    # forged HELO from myself
    if ($helo =~ /aaa\.bbb\.ccc\.ddd/) {
        return ("REJECT", "$hostname ([$ip]) is a HELO spoofer.");
    }

    # do some other stuff
}

Hey, it already caught a hundred spams in the time it took me to type in this message. I love simple, effective ways of catching this stuff as early as possible. Thanks for the idea.
--On Wednesday, January 14, 2004 2:51 PM -0500 Pierre Thomson <[EMAIL PROTECTED]> wrote:
I have noticed that some spam engines (zombies?) use the receiving relay's IP address as the HELO name, presumably trying to look like a trusted source. I made a simple test for this, and it triggers for nearly 10% of inbound spam.
# substitute your relay's numeric IP address for AAA BBB CCC DDD below
header PT_SPOOFME Received =~ /from AAA\.BBB\.CCC\.DDD/
describe PT_SPOOFME pretending to be from ourselves!
score PT_SPOOFME 3.0
--- "The avalanche has already begun. It is too late for the pebbles to vote." -- Kosh
_______________________________________________
Spamassassin-talk mailing list [EMAIL PROTECTED] https://lists.sourceforge.net/lists/listinfo/spamassassin-talk
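An added example, not code from either poster: the HELO check from this thread written as a stand-alone Perl helper that compares the whole HELO argument instead of using an unanchored regex, so a neighbouring address such as 192.0.2.100 does not trip a rule meant for 192.0.2.10, and so connections from the relay itself are left alone. The helper name helo_claims_our_ip, the @OUR_IPS list and all sample values are assumptions made up for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed placeholder (RFC 5737 documentation range); list your relay's address(es).
my @OUR_IPS = ('192.0.2.10');

# Hypothetical helper: true when the HELO argument is one of our own addresses,
# given bare or as an address literal "[a.b.c.d]", and the client is not us.
sub helo_claims_our_ip {
    my ($helo, $client_ip, @our_ips) = @_;
    return 0 unless defined $helo && length $helo;

    (my $name = lc $helo) =~ s/^\s+|\s+$//g;   # trim surrounding whitespace
    $name =~ s/^\[(.*)\]$/$1/;                 # strip address-literal brackets

    # Our own hosts (or loopback) may legitimately HELO with this address.
    if (defined $client_ip) {
        return 0 if $client_ip eq '127.0.0.1';
        return 0 if grep { $client_ip eq $_ } @our_ips;
    }

    # Exact string comparison, so 192.0.2.100 never matches 192.0.2.10.
    return (grep { $name eq lc $_ } @our_ips) ? 1 : 0;
}

# Constructed samples: [ HELO argument, connecting IP, expected verdict ]
my @samples = (
    ['192.0.2.10',       '203.0.113.77', 1],   # bare IP of our relay
    ['[192.0.2.10]',     '203.0.113.77', 1],   # same, as an address literal
    ['192.0.2.100',      '203.0.113.77', 0],   # substring trap for /192.0.2.10/
    ['mail.example.net', '203.0.113.77', 0],   # ordinary hostname
    ['192.0.2.10',       '192.0.2.10',   0],   # the relay talking to itself
);

for my $s (@samples) {
    my ($helo, $ip, $want) = @$s;
    my $got = helo_claims_our_ip($helo, $ip, @OUR_IPS);
    printf "%-18s from %-13s => %s\n", $helo, $ip, $got ? 'REJECT' : 'CONTINUE';
    die "unexpected result for $helo from $ip\n" unless $got == $want;
}
```

Inside filter_recipient the same helper would be called with $helo and $ip, returning the REJECT tuple shown in the message above when it is true.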