> -----Original Message-----
> From: Jim Maul [mailto:[EMAIL PROTECTED]
> Sent: Thursday, 2 November 2006 19:58
> To: users@spamassassin.apache.org
> Subject: Re: BIG increase in spam today
>
> > > 92% (!) of all incoming spam uses an invalid HELO.
>
> > > 9% pretends to be me in their HELO.
>
> Is this 9% included in the above 'invalid HELO' number?
Yes. I should have been more clear about that. 92% fails the HELO tests, for one reason or another. Of those 92%, 9% are HELOs pretending to be me (either my primary domain, or the domains I host, or address literals pretending to be me). The 8% that fails the PTR != HELO country TLD is also included in the 92%. The rest of the invalid HELOs are just non-FQDNs (like "HELO friend"), or IP addresses (not inside braces, like an address literal).

Then there's a complex HELO category I mark, to counter spam bursts, based on sequence heuristics within a very short time-frame, like:

Nov 2 18:23:43 asarian-host sendmail[6152]: kA2HNhKN006152: <-- EHLO MATTHIAS.uuuiguu.net
Nov 2 18:23:46 asarian-host sendmail[6155]: kA2HNkDE006155: <-- EHLO MATTHIAS.me1n93.net
Nov 2 18:23:50 asarian-host sendmail[6161]: kA2HNo6N006161: <-- EHLO MATTHIAS

(where the third-level TLD, in caps, is the basis for the group as a total). I'm still experimenting with it (not actually blocking on it yet); but the number of FPs is zero so far (running for several weeks).

Seriously, HELO tests rock!

- Mark
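As an added example (not code from this thread, from Mark's setup, or from SpamAssassin or sendmail), the script below applies the HELO categories described in the message to sendmail log lines of the shape quoted above, and runs the burst heuristic: group connections by an all-caps leftmost HELO label and flag the label when it recurs inside a short window. MY_DOMAINS, MY_ADDRESSES, the 60-second window and the threshold of 3 are assumed values, not the poster's; the log lines after the three quoted from the thread are constructed. No DNS is done: country_tld_mismatch takes the PTR name as an argument, so a real deployment would feed it the result of a reverse lookup.

```python
import re
import ipaddress
from collections import defaultdict
from datetime import datetime

# Hypothetical local identity; the thread does not name the poster's domains or addresses.
MY_DOMAINS = {"example.org"}
MY_ADDRESSES = {"192.0.2.10"}

# Shape of the sendmail lines quoted in the thread: "... qid: <-- EHLO name" (or HELO).
LOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sendmail\[\d+\]: "
    r"(?P<qid>\S+): <-- (?:EHLO|HELO) (?P<helo>\S+)$"
)
# Loose FQDN check: at least one dotted label plus an alphabetic TLD.
FQDN_RE = re.compile(r"^(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,}$", re.I)


def parse_line(line, year=2006):
    """Return (timestamp, queue id, HELO argument), or None for lines without a HELO."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["qid"], m["helo"]


def classify_helo(helo):
    """Bucket one HELO argument into the categories discussed in the thread."""
    h = helo.lower()
    if h.startswith("[") and h.endswith("]"):          # address literal, e.g. [192.0.2.10]
        inner = h[1:-1]
        if inner.startswith("ipv6:"):
            inner = inner[5:]
        try:
            ipaddress.ip_address(inner)
        except ValueError:
            return "invalid-literal"
        return "spoofed-me" if inner in MY_ADDRESSES else "address-literal"
    try:
        ipaddress.ip_address(h)                        # bare IP, no brackets: invalid HELO
        return "bare-ip"
    except ValueError:
        pass
    if h in MY_DOMAINS or any(h.endswith("." + d) for d in MY_DOMAINS):
        return "spoofed-me"                            # claims to be one of my own names
    if not FQDN_RE.match(h):
        return "non-fqdn"                              # e.g. "HELO friend"
    return "fqdn"


def country_tld_mismatch(helo, ptr_name):
    """True when HELO and the PTR name (looked up elsewhere) end in different ccTLDs."""
    def cctld(name):
        tld = name.rstrip(".").rsplit(".", 1)[-1].lower()
        return tld if len(tld) == 2 and tld.isalpha() else None
    a, b = cctld(helo), cctld(ptr_name)
    return a is not None and b is not None and a != b


def helo_report(lines):
    """Count HELO categories over a batch of log lines."""
    counts = defaultdict(int)
    for line in lines:
        ev = parse_line(line)
        if ev:
            counts[classify_helo(ev[2])] += 1
    return dict(counts)


def burst_groups(lines, window_seconds=60, threshold=3):
    """Group HELOs by an all-caps leftmost label and flag a label seen at least
    `threshold` times inside any `window_seconds` span (assumed parameters)."""
    events = sorted(e for e in map(parse_line, lines) if e)
    by_label = defaultdict(list)
    for ts, qid, helo in events:
        first = helo.split(".")[0]
        if first.isupper():
            by_label[first].append((ts, qid))
    flagged = {}
    for label, evs in by_label.items():
        hits, start = set(), 0
        for end in range(len(evs)):                   # sliding window over sorted times
            while (evs[end][0] - evs[start][0]).total_seconds() > window_seconds:
                start += 1
            if end - start + 1 >= threshold:
                hits.update(q for _, q in evs[start:end + 1])
        if hits:
            flagged[label] = sorted(hits)              # queue ids to score or reject
    return flagged


SAMPLE_LOG = [
    # the three lines quoted in the thread
    "Nov 2 18:23:43 asarian-host sendmail[6152]: kA2HNhKN006152: <-- EHLO MATTHIAS.uuuiguu.net",
    "Nov 2 18:23:46 asarian-host sendmail[6155]: kA2HNkDE006155: <-- EHLO MATTHIAS.me1n93.net",
    "Nov 2 18:23:50 asarian-host sendmail[6161]: kA2HNo6N006161: <-- EHLO MATTHIAS",
    # constructed lines, not from the thread
    "Nov 2 18:24:01 mx.example.org sendmail[6170]: kA2HO1AA006170: <-- EHLO mail.provider.example",
    "Nov 2 18:24:05 mx.example.org sendmail[6171]: kA2HO5AB006171: <-- HELO friend",
    "Nov 2 18:24:09 mx.example.org sendmail[6172]: kA2HO9AC006172: <-- HELO 192.0.2.55",
    "Nov 2 18:24:12 mx.example.org sendmail[6173]: kA2HOCAD006173: <-- EHLO [192.0.2.10]",
    "Nov 2 18:24:15 mx.example.org sendmail[6174]: kA2HOFAE006174: <-- EHLO mx.example.org",
    "Nov 2 18:24:20 mx.example.org sendmail[6175]: kA2HOKAF006175: <-- EHLO BOB.zzz.net",
    "Nov 2 18:30:00 mx.example.org sendmail[6180]: kA2HU0AG006180: <-- EHLO MATTHIAS.later.net",
]

if __name__ == "__main__":
    print(helo_report(SAMPLE_LOG))
    print(burst_groups(SAMPLE_LOG))
```

The burst check only fires on labels that repeat inside the window, so the lone "BOB.zzz.net" and the "MATTHIAS.later.net" seen six minutes later are not flagged; a legitimate host that HELOs with a capitalised name once is untouched, which is why the heuristic is worth measuring for false positives before rejecting on it.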