I posted a bug; you can discuss it here and, I guess, vote or discuss on
Bugzilla:
Way too many people are using .lan (local area network) as their
internal, local LAN.
I agree if FIRST untrusted does a 'helo *.lan' you should score it high,
but if they have an internal server that does a helo *.lan to their
external (bastion or smart host) and it uses a valid FQDN, you should
not score it so high.
header HELO_LH_HOME X-Spam-Relays-Untrusted =~ /^[^\]]+ helo=\S+\.(?:home|lan) /i
3.714 points is pretty high.
score HELO_LH_HOME 2.602 3.169 2.689 3.714
In this case the client used the 'default' FQDN on their Exchange server
(yes, stupid, not RFC compliant). They have a real FQDN that matches
their IP, but for some reason Microsoft does not make it abundantly
clear how important the FQDN setting in Exchange is.
Score a little lower, or maybe score *.lan and *.home a little differently:
split it into two rules.
--
Michael Scheidell, CTO
Phone: 561-999-5000, x 1259
SECNAP Network Security Corporation
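
Added example, not part of the original post or of SpamAssassin's own code: a Python sketch that applies the HELO_LH_HOME pattern quoted above to two constructed X-Spam-Relays-Untrusted values and lists which hop announced a .home/.lan HELO, split by suffix. The relay strings, hostnames and helper names are assumptions made for illustration.

```python
import re

# Pattern copied from the HELO_LH_HOME rule quoted in the post.
HELO_LH_HOME = re.compile(r"^[^\]]+ helo=\S+\.(?:home|lan) ", re.I)
ENTRY = re.compile(r"\[ ([^\]]*)\]")          # one "[ key=value ... ]" relay entry
LOCAL_TLD = re.compile(r"\.(home|lan)$", re.I)


def parse_relays(header):
    """Split the pseudo-header into one dict per relay, closest hop first."""
    relays = []
    for body in ENTRY.findall(header):
        fields = dict(kv.split("=", 1) for kv in body.split() if "=" in kv)
        relays.append(fields)
    return relays


def local_helo_hops(header):
    """Return (hop_index, helo, suffix) for each relay whose HELO ends in .home/.lan."""
    hits = []
    for i, relay in enumerate(parse_relays(header)):
        m = LOCAL_TLD.search(relay.get("helo", ""))
        if m:
            hits.append((i, relay["helo"], m.group(1).lower()))
    return hits


# Constructed sample values (documentation IP ranges, example domains).
# Case 1: the sending server itself says "helo exch01.corp.lan" to our MX.
DIRECT = ("[ ip=192.0.2.10 rdns=mail.example.com helo=exch01.corp.lan "
          "by=mx.example.net ident= envfrom= intl=0 id=A1 auth= msa=0 ]")
# Case 2: the .lan HELO is one hop further back, behind a smart host
# that introduces itself with a valid FQDN.
VIA_SMARTHOST = ("[ ip=198.51.100.7 rdns=smtp.example.org helo=smtp.example.org "
                 "by=mx.example.net ident= envfrom= intl=0 id=B2 auth= msa=0 ] "
                 "[ ip=10.0.0.5 rdns= helo=exch01.corp.lan "
                 "by=smtp.example.org ident= envfrom= intl=0 id=C3 auth= msa=0 ]")

if __name__ == "__main__":
    for name, hdr in (("direct", DIRECT), ("via smart host", VIA_SMARTHOST)):
        print(name, bool(HELO_LH_HOME.search(hdr)), local_helo_hops(hdr))
```

The hop index and suffix returned by `local_helo_hops` are the two properties a split rule set would key on: hop 0 versus a later hop, and `.lan` versus `.home`.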