I've been getting spam with a forged HELO and using the same HELO string in
the X-AntiAbuse headers. Here are the relevant lines:

Received: from mailtopager.net (ACB8FA80.ipt.aol.com [172.184.250.128])
    by mail.lambertfam.org (8.12.10/8.12.10/UTIL-INCH-3.0.10) with SMTP id hBQ27Svo001799
    for <[EMAIL PROTECTED]>; Thu, 25 Dec 2003 21:07:33 -0500 (EST)
    (envelope-from [EMAIL PROTECTED])
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - mailtopager.net
X-AntiAbuse: Original Domain - mailtopager.net
X-AntiAbuse: Originator/Caller UID/GID - [80 80] / [80 80]
X-AntiAbuse: Sender Address Domain -

I've seen 20 or more domains used, but they all match this pattern. I
am loath to just add rules for the X-AntiAbuse lines on the assumption
that they have been copied from someone legit.
I would like to be able to match the forged HELO then use it in a
variable for the two X-AntiAbuse lines. Possible?
--
Scott Lambert KC5MLE Unix SysAdmin
[EMAIL PROTECTED]
_______________________________________________
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk