Jim Schueler wrote:
> My users have been getting particularly insidious emails containing a
> Windows virus that purports to come from the system administrator.
> [snip]
> I would expect this test would be part of the distributed SpamAssassin
> configuration files. Can anybody recommend an approach other than
> reinventing the wheel?

I'm fairly certain SA has some stock rules that deal with HELO forgery,
but since I'm not totally familiar with them, I'll let others speak to that.
What I can suggest is that you put an AV scanner in your mail path. I'm
partial to calling ClamAV from Exim, where I can do SMTP-time rejects of
viruses. Depending on your MTA, you may also be able to do some of
these HELO checks during the SMTP session.
FWIW, I've seen many legitimate sites present incorrect or even invalid
HELO data. Particularly Windows sites behind NAT boxes, or small sites
using low-cost broadband where setting up rDNS is impossible.
- S
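
The SMTP-time setup the reply describes, as an added example that is not part of the original post and not Exim's shipped configuration. The clamd socket path and the `acl_c_helo_note` variable name are assumptions, and Exim must be built with content scanning support. HELO problems are only tagged, not rejected, because of the legitimate sites with bad HELO data mentioned above.

```exim
# --- main section ---
# Assumed clamd socket path; adjust to the local ClamAV install.
av_scanner = clamd:/var/run/clamav/clamd.ctl
acl_smtp_helo = acl_check_helo
acl_smtp_data = acl_check_data

begin acl

acl_check_helo:
  # HELO/EHLO argument is a bare IP address (no brackets).
  warn
    condition = ${if isip{$sender_helo_name}}
    set acl_c_helo_note = bare IP address as HELO name

  # HELO name does not resolve to the connecting IP.
  warn
    !verify = helo
    set acl_c_helo_note = HELO name does not match connecting host

  # Never reject at HELO; the note is used later.
  accept

acl_check_data:
  # Reject at SMTP time if clamd reports malware in the message.
  deny
    malware = *
    message = This message contains malware ($malware_name).

  # Tag, rather than reject, mail from hosts with suspect HELO data
  # so a content filter can weigh it downstream.
  warn
    condition = ${if def:acl_c_helo_note}
    add_header = X-HELO-Note: $acl_c_helo_note

  accept
```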
- Re: Fw: SpamAssassin assistance Steven Dickenson