Posted to users@spamassassin.apache.org by Jim Hermann - UUN Hostmaster <ho...@uuism.net> on 2006/06/27 06:32:43 UTC

Why do Spambot HELO Signatures appear to be random characters?

In some other work that I was doing, I ran across this information:

BTW, Notice that the HELO signatures have an identifying characteristic:
randomness

Could we use the HELO randomness to identify the source as a Spambot?

Here are the kind of HELO Signatures my favorite Spambot produces:
(always lower case, always one period, never a .tld)

ljxr.pzt 
mclbfk.wdui 
zsgnwd.zctjrq 
tmoju.zxlvfn 
sq.ywima 
sejah.nehj 
btm.ssp
yo.iszxuj
nbk.ynjt
xannm.fvk
eh.jid
wrbfp.ys
phoxps.kwsyps
blhw.vrc
wy.srr
yrw.nhzs
ublf.yljnb
ng.frx
jx.attq
ltnc.cjkpal
qvketg.aoly
gc.fesng

Another type of Spambot HELO Signature:
(no period)

ggav 
monmib 
tudf
iwmkw
jjwd
dtwr
ugotbw
famxsl
fdcqqf
jidejv

-----
Jim Hermann <ho...@UUism.net>
UUism Networks <http://www.UUism.net>
Ministering to the Needs of Online UUs
Web Hosting, Email Services, Mailing Lists
-----


Re: Why do Spambot HELO Signatures appear to be random characters?

Posted by Benny Pedersen <me...@junc.org>.
> BTW, Notice that the HELO signatures have an identifying characteristic:
> randomness

http://policyd.sf.net/ find # HELO Randomization Prevention (HRP) in the readme

> Could we use the HELO randomness to identify the source as a Spambot?

postfix can reject it without any patches to it




Re: Why do Spambot HELO Signatures appear to be random characters?

Posted by Loren Wilton <lw...@earthlink.net>.
> Here are the kind of HELO Signatures my favorite Spambot produces:
> (always lower case, always one period, never a .tld)
>
> ljxr.pzt
> mclbfk.wdui
> zsgnwd.zctjrq

Hum.  Weren't there some rulesets predating SARE that checked for odd letter
combinations of various kinds in the mail body?  Triplets and the like?

I think most of those have gone unused in the last year or so since they
started getting FPs.  But I wonder about resurrecting some of them
specifically for scanning this sort of thing.

        Loren
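
An added sketch, not part of the thread and not SpamAssassin or policyd code: it tests a HELO argument against the two shapes described in the first post (lower case only, at most one period, no real TLD) and then applies a crude letter-combination check of the kind mentioned in the last reply. The TLD sample, the consonant-run threshold and all function names are assumptions made for this example.

```python
import re
from collections import Counter

# Assumption: a tiny TLD sample; a real check would load the full IANA list.
KNOWN_TLDS = {"com", "net", "org", "edu", "gov", "info", "biz", "de", "uk", "dk"}
# Shapes from the post: lower-case letters only, at most one period.
SHAPE = re.compile(r"[a-z]+(?:\.[a-z]+)?")
VOWELS = set("aeiou")
MAX_CONSONANT_RUN = 4  # assumption: threshold chosen for illustration

def unpronounceable(label):
    """True if the label has no vowel or a run of 4+ consonants."""
    run = longest = 0
    for ch in label:
        run = 0 if ch in VOWELS else run + 1
        longest = max(longest, run)
    return longest == len(label) or longest >= MAX_CONSONANT_RUN

def classify(helo):
    """Return 'no-match', 'shape-only' or 'suspect' for one HELO argument."""
    if not SHAPE.fullmatch(helo):
        return "no-match"            # upper case, digits, hyphens, 2+ periods
    labels = helo.split(".")
    if len(labels) == 2 and labels[1] in KNOWN_TLDS:
        return "no-match"            # ends in a real TLD
    if any(unpronounceable(label) for label in labels):
        return "suspect"
    return "shape-only"              # right shape, but the letters look plausible

def tally(helos):
    """Count classifications over a list of HELO arguments."""
    return Counter(classify(h) for h in helos)

# First entries of each list in the post.
FROM_POST = ["ljxr.pzt", "mclbfk.wdui", "zsgnwd.zctjrq", "tmoju.zxlvfn",
             "sq.ywima", "sejah.nehj", "ggav", "monmib", "tudf", "iwmkw",
             "jjwd", "dtwr"]
# Constructed names of the sort legitimate clients send.
CONSTRUCTED = ["mail.example.com", "example.org", "localhost", "mail.local",
               "smtp", "[192.0.2.1]"]

if __name__ == "__main__":
    for h in FROM_POST + CONSTRUCTED:
        print(f"{h:20} {classify(h)}")
    print(tally(FROM_POST), tally(CONSTRUCTED))
```

The constructed bare name "smtp" comes out as suspect while "sejah.nehj" from the post does not, so a letter-pattern test like this fits a small score contribution better than outright rejection.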