From: "Mark" <[EMAIL PROTECTED]>
From: Jim Maul [mailto:[EMAIL PROTECTED]]
> 92% (!) of all incoming spam uses an invalid HELO.
>
> 9% pretends to be me in their HELO.
>
Is this 9% included in the above 'invalid HELO' number?
Yes. I should have been more clear about that. 92% fails the HELO tests,
for one reason or another. Of those 92%, 9% are HELOs pretending to be me
(either my primary domain, or the domains I host, or address literals
pretending to be me). The 8% that fails the PTR != HELO country TLD is
also included in the 92%.
The rest of the invalid HELOs are just non-FQDNs (like "HELO friend"), or
IP addresses (not inside brackets, like an address literal).
Then there's a complex HELO category I mark, to counter spam bursts, based
on sequence heuristics within a very short time-frame, like:
Nov 2 18:23:43 asarian-host sendmail[6152]: kA2HNhKN006152: <-- EHLO MATTHIAS.uuuiguu.net
Nov 2 18:23:46 asarian-host sendmail[6155]: kA2HNkDE006155: <-- EHLO MATTHIAS.me1n93.net
Nov 2 18:23:50 asarian-host sendmail[6161]: kA2HNo6N006161: <-- EHLO MATTHIAS
(where the third-level TLD, in caps, is the basis for the group as a
total). I'm still experimenting with it (not actually blocking on it yet);
but the number of FPs is zero so far (running for several weeks).
Seriously, HELO tests rock!
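An added illustration (not code from the thread, nor Mark's actual rules) of the two things described above: bucketing HELO arguments into the categories the message names (non-FQDN, bare IP, address literal, name or literal claiming one of our own domains/addresses) and the experimental sequence heuristic that groups EHLO names by an all-caps first label within a short window. The sendmail log lines, the local domain example.org, the listener literal and the window/count thresholds are constructed assumptions.

```python
"""Classify sendmail HELO/EHLO names and spot same-label bursts.

Added illustration for the thread above; the log lines, domains and
thresholds are constructed, not Mark's actual rules or data.
"""
import re
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address

# Constructed log lines in the sendmail format quoted in the thread
# (the hostnames and queue ids are illustrative, not real traffic).
SAMPLE_LOG = """\
Nov 2 18:23:43 asarian-host sendmail[6152]: kA2HNhKN006152: <-- EHLO MATTHIAS.uuuiguu.net
Nov 2 18:23:46 asarian-host sendmail[6155]: kA2HNkDE006155: <-- EHLO MATTHIAS.me1n93.net
Nov 2 18:23:50 asarian-host sendmail[6161]: kA2HNo6N006161: <-- EHLO MATTHIAS
Nov 2 18:24:01 asarian-host sendmail[6170]: kA2HO1ab006170: <-- HELO friend
Nov 2 18:24:05 asarian-host sendmail[6172]: kA2HO5cd006172: <-- EHLO 192.0.2.77
Nov 2 18:24:09 asarian-host sendmail[6174]: kA2HO9ef006174: <-- EHLO [192.0.2.77]
Nov 2 18:24:12 asarian-host sendmail[6180]: kA2HOCgh006180: <-- HELO mail.example.org
Nov 2 18:24:20 asarian-host sendmail[6185]: kA2HOKij006185: <-- EHLO mx.example.net
"""

# Hypothetical local identities: the domains this host accepts mail for
# and the address literal of its own listener.
LOCAL_DOMAINS = {"example.org"}
LOCAL_ADDRESS_LITERALS = {"[198.51.100.25]"}

LINE_RE = re.compile(
    r"^(\w{3}\s+\d{1,2}\s+\d\d:\d\d:\d\d) \S+ sendmail\[\d+\]: (\S+): <-- (?:EH|HE)LO (\S+)"
)

# Buckets that count as a failed HELO test.
INVALID = {"non-fqdn", "bare-ip", "invalid-literal", "forged-local"}


def parse_log(text):
    """Return (timestamp, queue_id, helo_name) for every HELO/EHLO line."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        # syslog timestamps carry no year; 1900 is fine for relative timing
        ts = datetime.strptime(" ".join(m.group(1).split()), "%b %d %H:%M:%S")
        events.append((ts, m.group(2), m.group(3)))
    return events


def classify_helo(helo):
    """Bucket a HELO argument the way the thread describes its tests."""
    if helo.startswith("[") and helo.endswith("]"):
        if helo in LOCAL_ADDRESS_LITERALS:
            return "forged-local"      # literal claiming to be our own address
        try:
            ip_address(helo[1:-1])
            return "address-literal"   # syntactically valid RFC 5321 literal
        except ValueError:
            return "invalid-literal"
    try:
        ip_address(helo)
        return "bare-ip"               # IP without brackets: not a valid HELO
    except ValueError:
        pass
    name = helo.lower().rstrip(".")
    if name in LOCAL_DOMAINS or any(name.endswith("." + d) for d in LOCAL_DOMAINS):
        return "forged-local"          # a stranger claiming one of our domains
    if "." not in name:
        return "non-fqdn"              # e.g. "HELO friend"
    return "fqdn"


def helo_summary(events):
    """Count each category; the 'invalid' key totals the failing buckets."""
    counts = defaultdict(int)
    for _, _, helo in events:
        counts[classify_helo(helo)] += 1
    counts["invalid"] = sum(counts.get(c, 0) for c in INVALID)
    return dict(counts)


def burst_groups(events, window_seconds=10, min_names=3):
    """Sequence heuristic: group EHLO names by an all-caps first label and
    flag a label that arrives under >= min_names distinct names within
    window_seconds (thresholds are assumptions, not the thread's values)."""
    by_label = defaultdict(list)
    for ts, _, helo in events:
        first = helo.split(".")[0]
        if first.isupper():
            by_label[first].append((ts, helo))
    flagged = {}
    for label, seen in by_label.items():
        seen.sort()
        for i, (start, _) in enumerate(seen):
            names = {h for t, h in seen[i:] if (t - start).total_seconds() <= window_seconds}
            if len(names) >= min_names:
                flagged[label] = sorted(names)
                break
    return flagged


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print(helo_summary(evs))
    print(burst_groups(evs))
```

On the sample input the three MATTHIAS.* greetings land inside one ten-second window and are reported as a group, while the lone "HELO friend" and the bare IP only show up in the per-category counts; as in the thread, the burst detector is something to log and watch for false positives before turning it into a reject.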
That still leaves that 83% dangling out in the breeze giving you a
-75% ham amount.
{^_-}