I should have been more specific in my original request. The stock rule to detect HELO forgery is exactly what I'm looking for.
-Jim

On Mon, 13 Jun 2005 13:53:40 -0400, Steven Dickenson wrote
> Jim Schueler wrote:
> > My users have been getting particularly insidious emails containing a
> > Windows virus that purports to come from the system administrator.
> > [snip]
>
> > I would expect this test would be part of the distributed SpamAssassin
> > configuration files. Can anybody recommend an approach other than
> > reinventing the wheel?
>
> I'm fairly certain SA has some stock rules that deal with HELO
> forgery, but since I'm not totally familiar with them, I'll let
> others speak to that.
>
> What I can suggest is that you put an AV scanner in your mail path.
> I'm partial to calling ClamAV from Exim, where I can do SMTP-time
> rejects of viruses. Depending on your MTA, you may also be able to
> do some of these HELO checks during the SMTP session.
>
> FWIW, I've seen many legitimate sites present incorrect or even
> invalid HELO data. Particularly Windows sites behind NAT boxes, or
> small sites using low-cost broadband where setting up rDNS is impossible.
>
> - S

--
Open WebMail Project (http://openwebmail.org)