Posted to users@spamassassin.apache.org by Justin Mason <jm...@jmason.org> on 2006/12/07 14:21:50 UTC

Re: Spamassassin doesn't ding sender for saying "HELO i-am-you"

Kelly Jones writes:
> Spamassassin has lots of tests for fake HELOs. If someone says "HELO
> hotmail.com" but isn't connecting from a Hotmail IP address, they
> get dinged (the spam score is increased).
> 
> Recently, someone connected to our server, call it mx.xyz.com, and said
> "HELO mx.xyz.com". Spamassassin didn't ding it for doing this.
> 
> Is there a ruleset that does this? I realize xyz.com couldn't be
> hardcoded (otherwise, it'd be a different ruleset for everyone), but
> is there a generic ruleset that uses a function call or something to
> figure out your MX server (or the name of the machine spamassassin is
> running on) and then ding someone HELO'ing as that?

This is a great spam-sign alright, but I don't know of a way to detect
what the local site's HELO is, bar each site writing their own rules to do
so.

Bayes does a good job of figuring this out, btw.

Any suggestions?

--j.

Re: Spamassassin doesn't ding sender for saying "HELO i-am-you"

Posted by Alan Munday <sp...@brightheadtechnology.com>.
Justin Mason wrote the following on 07/12/2006 13:21:
> 
> This is a great spam-sign alright, but I don't know of a way to detect
> what the local site's HELO is, bar each site writing their own rules to do
> so.
> 
> Bayes does a good job of figuring this out, btw.
> 
> Any suggestions?

A script that telnets into the mail system to discover the HELO name and the associated IP?

Then it can write a system specific rule.

Alan


Re: Spamassassin doesn't ding sender for saying "HELO i-am-you"

Posted by Matthias Leisi <ma...@leisi.net>.
Fred T wrote:

> As someone else pointed out, the best bet might be the use of a new
> config item / plugin, something like:
> 
> ifplugin mxhelo
> mx_helo_name  mx.host.tld host.tld d.d.d.d
> header    HELO_AS_ME      eval:check_for_my_mx()
> score     HELO_AS_ME      0.1
> endif

Remember to include some of the more obscure cases I've seen in the past
where spams were HELOing with the name or IP address of one of the other
MXes, i.e.

example.com mail is handled by 10 mx1.example.net
example.com mail is handled by 20 mx2.example.net

And then the spammer does:

| connect() to mx2.example.net
| HELO mx1.example.net

or

| connect() to mx2.example.net
| HELO i.p.a.d.r-of-mx1

or

| connect() to any of the MXes
| HELO example.net (or example.com)

I have cases where a machine legitimately HELOs as "myself"; in my
situation these cases are covered by trusted_networks or
internal_networks. Maybe eval:check_for_my_mx() should consider these
networks (or skip its tests altogether if the connection came from one
of these networks); it may also need an actual exception list
('allowed_helo_as_myself').

-- Matthias

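The check this thread is converging on, written here as stand-alone Python decision logic rather than as the Perl SpamAssassin plugin Fred sketches: flag an untrusted client whose HELO equals any local MX hostname, MX IP (bare or as an address literal) or local domain, and skip the test for trusted/internal networks and for an 'allowed_helo_as_myself' list. This is an added example, not code from the thread or from SpamAssassin; every hostname, address and network below is constructed.

```python
import ipaddress
import re

# Constructed description of "me": the values an admin would put in the
# proposed mx_helo_name config item (hypothetical; not real MX data).
LOCAL_MX_HOSTS = {"mx1.example.net", "mx2.example.net"}
LOCAL_MX_IPS = {"192.0.2.10", "192.0.2.20", "2001:db8::20"}
LOCAL_DOMAINS = {"example.net", "example.com"}
# Machines that may legitimately HELO as one of us (Matthias' trusted_networks /
# internal_networks case) plus an explicit per-host exception list.
TRUSTED_NETWORKS = [ipaddress.ip_network("192.0.2.0/24"),
                    ipaddress.ip_network("10.0.0.0/8")]
ALLOWED_HELO_AS_MYSELF = {"198.51.100.7"}  # hypothetical allowed_helo_as_myself


def normalize_helo(helo):
    """Lower-case, drop a trailing dot, unwrap [1.2.3.4] / [IPv6:...] literals."""
    h = helo.strip().lower().rstrip(".")
    m = re.fullmatch(r"\[(?:ipv6:)?([0-9a-f.:]+)\]", h)
    return m.group(1) if m else h


def helo_as_me(helo, client_ip):
    """True if an *untrusted* client claims one of our own MX identities."""
    ip = ipaddress.ip_address(client_ip)
    # Our own relays and explicitly allowed hosts are exempt from the test.
    if any(ip in net for net in TRUSTED_NETWORKS):
        return False
    if str(ip) in ALLOWED_HELO_AS_MYSELF:
        return False
    h = normalize_helo(helo)
    # "HELO mx1.example.net" against mx2, or "HELO example.com" against any MX.
    if h in LOCAL_MX_HOSTS or h in LOCAL_DOMAINS:
        return True
    # "HELO i.p.a.d.r-of-mx1": compare canonical address forms so that
    # 2001:0db8:0000::20 and 2001:db8::20 are recognised as the same host.
    try:
        return str(ipaddress.ip_address(h)) in LOCAL_MX_IPS
    except ValueError:
        return False  # HELO is a hostname we do not own, not an address
```

A SpamAssassin eval rule would feed this the HELO and IP of the last untrusted relay, which is where the trusted_networks exemption already applies.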

Re[2]: Spamassassin doesn't ding sender for saying "HELO i-am-you"

Posted by Fred T <sp...@freddyt.com>.
Hello Justin,

Thursday, December 7, 2006, 10:11:45 AM, you wrote:

> yeah -- there are any number of ways to do this, if requiring admin
> configuration is OK -- I'm asking for ways we can automatically
> figure it out from SpamAssassin code, without help. ;)

As someone else pointed out, the best bet might be the use of a new
config item / plugin, something like:

ifplugin mxhelo
mx_helo_name  mx.host.tld host.tld d.d.d.d
header    HELO_AS_ME      eval:check_for_my_mx()
score     HELO_AS_ME      0.1
endif

I'll create a ticket for enhancement.


-- 
Best regards,
 Fred                            mailto:spamassassin@freddyt.com


Re: Spamassassin doesn't ding sender for saying "HELO i-am-you"

Posted by "Jack L. Stone" <ja...@sage-american.com>.
On 7 Dec 2006 at 13:21, Justin Mason wrote:

> 
> Kelly Jones writes:
> > Spamassassin has lots of tests for fake HELOs. If someone says
> > "HELO hotmail.com" but isn't connecting from a Hotmail IP
> > address, they get dinged (the spam score is increased).
> > 
> > Recently, someone connected to our server, call it mx.xyz.com, and
> > said "HELO mx.xyz.com". Spamassassin didn't ding it for doing
> > this.
> > 
> > Is there a ruleset that does this? I realize xyz.com couldn't
> > be hardcoded (otherwise, it'd be a different ruleset for
> > everyone), but is there a generic ruleset that uses a function
> > call or something to figure out your MX server (or the name of
> > the machine spamassassin is running on) and then ding someone
> > HELO'ing as that?
> 
> This is a great spam-sign alright, but I don't know of a way to
> detect what the local site's HELO is, bar each site writing their
> own rules to do so.
> 
> Bayes does a good job of figuring this out, btw.
> 
> Any suggestions?
> 
> --j.
> 

I use milter-regex as the frontline wall and this regex for 
catching fakers:

## HELO faking my own IP address
tempfail "Malformed HELO (can't be me)"
helo /^70\.86\.37\.82$/

HTH.....

Regards,
Jack L. Stone
System Admin