Fred T wrote:
> As someone else pointed out, the best bet might be the use of a new
> config item / plugin. Something like:
>
> ifplugin mxhelo
> mx_helo_name mx.host.tld host.tld d.d.d.d
> header HELO_AS_ME eval:check_for_my_mx()
> score HELO_AS_ME 0.1
> endif

Remember to include some of the more obscure cases I've seen in the past
where spams were HELOing with the name or IP address of one of the other
MXes, i.e.

example.com mail is handled by 10 mx1.example.net
example.com mail is handled by 20 mx2.example.net

And then the spammer does:

| connect() to mx2.example.net
| HELO mx1.example.net

or

| connect() to mx2.example.net
| HELO i.p.a.d.r-of-mx1

or

| connect() to any of the MXes
| HELO example.net (or example.com)

I have cases where a machine legitimately HELOs as "myself"; in my
situation these cases are covered by trusted_networks or
internal_networks. Maybe eval:check_for_my_mx() should consider these
networks (or skip its tests altogether if the connection came from one
of these networks); it may also need an actual exception list
('allowed_helo_as_myself').

-- Matthias
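
The checks discussed in this thread, as an added stand-alone Python sketch that is not part of the original messages and is not SpamAssassin plugin code. The host names, addresses, the trusted network and the client-address form of the 'allowed_helo_as_myself' list are all constructed assumptions.

```python
import ipaddress

# Constructed sample configuration; every name and address is an assumption.
MY_MX_NAMES = {"mx1.example.net", "mx2.example.net", "example.net", "example.com"}
MY_MX_IPS = {ipaddress.ip_address("192.0.2.10"), ipaddress.ip_address("192.0.2.20")}
TRUSTED_NETWORKS = [ipaddress.ip_network("10.0.0.0/8")]
# Hypothetical exception list, keyed here by client address (an assumption).
ALLOWED_HELO_AS_MYSELF = {ipaddress.ip_address("198.51.100.7")}


def helo_ip(helo):
    """Return the address if HELO is an IP literal such as [192.0.2.10], else None."""
    text = helo.strip().strip("[]")
    if text.lower().startswith("ipv6:"):
        text = text[5:]
    try:
        return ipaddress.ip_address(text)
    except ValueError:
        return None


def helo_as_me(client_ip, helo):
    """True when an outside client HELOs with any of our MX names, domains or IPs."""
    client = ipaddress.ip_address(client_ip)
    # Machines that legitimately HELO as "myself" are skipped entirely.
    if any(client in net for net in TRUSTED_NETWORKS):
        return False
    if client in ALLOWED_HELO_AS_MYSELF:
        return False
    addr = helo_ip(helo)
    if addr is not None:
        return addr in MY_MX_IPS
    # Compare against every MX and domain name, not only the MX that was
    # connected to, so "connect to mx2, HELO mx1" is caught as well.
    return helo.strip().rstrip(".").lower() in MY_MX_NAMES


if __name__ == "__main__":
    # Constructed sessions: (connecting client address, HELO argument).
    sessions = [
        ("203.0.113.5", "mx1.example.net"),
        ("203.0.113.5", "[192.0.2.10]"),
        ("203.0.113.5", "example.com"),
        ("10.1.2.3", "mx1.example.net"),
        ("198.51.100.7", "example.net"),
        ("203.0.113.5", "mail.other.test"),
    ]
    for client, helo in sessions:
        print(f"{client:15} HELO {helo:18} -> {helo_as_me(client, helo)}")
```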