Posted to users@spamassassin.apache.org by Fred T <sp...@freddyt.com> on 2006/12/07 17:01:49 UTC

Re[2]: Spamassassin doesn't ding sender for saying "HELO i-am-you"

Hello Justin,

Thursday, December 7, 2006, 10:11:45 AM, you wrote:

> yeah -- there are any number of ways to do this, if requiring admin
> configuration is OK -- I'm asking for ways we can automatically
> figure it out from SpamAssassin code, without help. ;)

As someone else pointed out, the best bet might be the use of a new
config item / plugin.  Something like:

ifplugin mxhelo
mx_helo_name  mx.host.tld host.tld d.d.d.d
header    HELO_AS_ME      eval:check_for_my_mx()
score     HELO_AS_ME      0.1
endif

I'll create a ticket for enhancement.


-- 
Best regards,
 Fred                            mailto:spamassassin@freddyt.com


Re: Spamassassin doesn't ding sender for saying "HELO i-am-you"

Posted by Matthias Leisi <ma...@leisi.net>.

Fred T wrote:

> As someone else pointed out, the best bet might be the use of a new
> config item / plugin.  something like:
> 
> ifplugin mxhelo
> mx_helo_name  mx.host.tld host.tld d.d.d.d
> header    HELO_AS_ME      eval:check_for_my_mx()
> score     HELO_AS_ME      0.1
> endif

Remember to include some of the more obscure cases I've seen in the past
where spams were HELOing with the name or IP address of one of the other
MXes, i.e.:

example.com mail is handled by 10 mx1.example.net
example.com mail is handled by 20 mx2.example.net

And then the spammer does:

| connect() to mx2.example.net
| HELO mx1.example.net

or

| connect() to mx2.example.net
| HELO i.p.a.d.r-of-mx1

or

| connect() to any of the MXes
| HELO example.net (or example.com)

I have cases where a machine legitimately HELOs as "myself"; in my
situation these cases are covered by trusted_networks or
internal_networks. Maybe eval:check_for_my_mx() should consider these
networks (or skip its tests altogether if the connection came from one
of these networks); it may also need an actual exception list
('allowed_helo_as_myself').

-- Matthias

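
Added example, not part of the original thread and not SpamAssassin code: the decision logic the proposed check_for_my_mx() test would need, covering the HELO cases listed above (other MX name, MX IP address, bare domain) plus the trusted-network and exception-list skips. All names, addresses and networks are constructed sample values; 'allowed_helo_as_myself' is modelled here as a set of client IPs, which is an assumption.

```python
import ipaddress

# Constructed sample site data (assumptions, not from a real deployment).
MY_MX_NAMES = {"mx1.example.net", "mx2.example.net"}
MY_DOMAINS = {"example.net", "example.com"}
MY_MX_IPS = {ipaddress.ip_address("192.0.2.10"),
             ipaddress.ip_address("192.0.2.20")}
TRUSTED_NETWORKS = [ipaddress.ip_network("10.0.0.0/8")]
# Hypothetical exception list: hosts allowed to HELO as "myself".
ALLOWED_HELO_AS_MYSELF = {ipaddress.ip_address("198.51.100.7")}


def helo_claims_my_identity(helo):
    """True if the HELO argument is one of our MX names, domains or MX IPs."""
    arg = helo.strip().rstrip(".").lower()
    if arg in MY_MX_NAMES or arg in MY_DOMAINS:
        return True
    # Address literals may be bare or bracketed: 192.0.2.10, [192.0.2.10],
    # [IPv6:2001:db8::1]
    literal = arg.strip("[]")
    if literal.startswith("ipv6:"):
        literal = literal[5:]
    try:
        return ipaddress.ip_address(literal) in MY_MX_IPS
    except ValueError:
        return False  # not an address and not one of our names


def helo_as_me(client_ip, helo):
    """Hypothetical HELO_AS_ME decision for one SMTP connection."""
    ip = ipaddress.ip_address(client_ip)
    # Skip the test for hosts that may legitimately HELO as "myself".
    if ip in ALLOWED_HELO_AS_MYSELF:
        return False
    if any(ip in net for net in TRUSTED_NETWORKS):
        return False
    return helo_claims_my_identity(helo)


if __name__ == "__main__":
    # Constructed connections: (connecting IP, HELO argument)
    for client, helo in [("203.0.113.5", "mx1.example.net"),
                         ("203.0.113.5", "[192.0.2.10]"),
                         ("203.0.113.5", "example.com"),
                         ("10.1.2.3", "mx1.example.net"),
                         ("203.0.113.5", "mail.other.example")]:
        print(client, helo, "->", helo_as_me(client, helo))
```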