false positive?
Matt Kettler
mkettler at EVI-INC.COM
Tue Aug 12 20:06:11 IST 2003
At 09:55 AM 8/12/2003 -0500, Tim Tyler wrote:
>The bulk of the score relates to rcvd_fake_helo_dotcom. Can anyone tell
>me what that means and why it might occur on a legitimate message? I
>believe the message was sent from a service in Morocco for whatever that is
>worth.
These rules attempt to detect messages where someone issues a HELO as
"yahoo.com" or a similar popular ISP, without any kind of host name. For
example, since yahoo always HELOs as "web####.mail.yahoo.com" or
something similar, and never as "yahoo.com", anyone issuing that HELO is
either attempting to deceive you, or misconfigured.
Here's a copy of the rule for FAKE_HELO_DOTCOM:
20_head_tests.cf:header RCVD_FAKE_HELO_DOTCOM Received =~ /^from (?:msn|yahoo|yourwebsite|lycos|excite|cs|aol|localhost|koreanmail|allexecs|mydomain|juno|eudoramail|compuserve|desertmail|excite|caramail)\.com \(/m
It sounds like the Moroccan service is misconfigured. Check the Received
headers.
More information about the MailScanner mailing list
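To see what the quoted rule actually tests, here is an added Python example (not code from the post, from MailScanner, or from SpamAssassin) that applies the RCVD_FAKE_HELO_DOTCOM pattern to the Received headers of two constructed messages: one really sent through Yahoo webmail, and one relayed by a fictional Moroccan ISP that HELOs as the bare domain "yahoo.com". All host names, addresses and queue IDs are made up; the only thing taken from the post is the regular expression.

```python
import re

# The RCVD_FAKE_HELO_DOTCOM pattern from 20_head_tests.cf as quoted in the post.
# It fires on a Received header that begins "from <isp>.com (" - i.e. the sending
# machine announced a bare ISP domain as its HELO name instead of a host name.
# The /m flag is kept from the rule; it is harmless here because each header is
# tested on its own below.
FAKE_HELO_DOTCOM = re.compile(
    r"^from (?:msn|yahoo|yourwebsite|lycos|excite|cs|aol|localhost|koreanmail"
    r"|allexecs|mydomain|juno|eudoramail|compuserve|desertmail|excite|caramail)"
    r"\.com \(",
    re.MULTILINE,
)


def received_headers(raw_message):
    """Return the value of every Received: header in a raw message, top to bottom.

    Folded continuation lines (lines starting with whitespace) are joined back
    onto the header they belong to, which is what SpamAssassin matches against.
    """
    header_block = raw_message.split("\n\n", 1)[0]
    unfolded = re.sub(r"\r?\n[ \t]+", " ", header_block)
    values = []
    for line in unfolded.split("\n"):
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "received":
            values.append(value.strip())
    return values


def fake_helo_hits(raw_message):
    """Return the Received headers that RCVD_FAKE_HELO_DOTCOM would match.

    Received headers are prepended by each hop, so the first one is the most
    recent; the matching header names the relay that accepted the bogus HELO,
    which is where to start when checking whether it is forged or misconfigured.
    """
    return [h for h in received_headers(raw_message) if FAKE_HELO_DOTCOM.search(h)]


# Constructed sample 1: a message really sent through Yahoo webmail. Yahoo's
# servers HELO with a full host name, so the rule stays quiet.
GENUINE_YAHOO_MSG = """\
Received: from web12345.mail.yahoo.com (web12345.mail.yahoo.com [192.0.2.45])
    by mx.example.org (Postfix) with SMTP id 1A2B3C
    for <tim@example.org>; Tue, 12 Aug 2003 09:50:01 -0500
Received: from [198.51.100.7] by web12345.mail.yahoo.com via HTTP;
    Tue, 12 Aug 2003 07:49:58 PDT
From: someone@yahoo.com
Subject: hello

body
"""

# Constructed sample 2: a relay (a fictional Moroccan ISP) that HELOs as the bare
# domain "yahoo.com". Whether forged or merely misconfigured, the pattern fires on
# exactly this hop. The later internal hop "from localhost (" does not match even
# though "localhost" is in the alternation, because the rule requires ".com (".
FORGED_HELO_MSG = """\
Received: from localhost (localhost [127.0.0.1])
    by mx.example.org (Postfix) with ESMTP id 4D5E6F
    for <tim@example.org>; Tue, 12 Aug 2003 09:55:10 -0500
Received: from yahoo.com (mail.example-isp.ma [203.0.113.10])
    by mx.example.org (Postfix) with ESMTP id 7A8B9C
    for <tim@example.org>; Tue, 12 Aug 2003 09:55:00 -0500
From: someone@yahoo.com
Subject: hello

body
"""

if __name__ == "__main__":
    for label, msg in (("genuine yahoo", GENUINE_YAHOO_MSG),
                       ("bare-domain HELO", FORGED_HELO_MSG)):
        hits = fake_helo_hits(msg)
        print(f"{label}: {'RCVD_FAKE_HELO_DOTCOM' if hits else 'no hit'}")
        for h in hits:
            print("    ", h)
```

Running it prints no hit for the genuine message and one hit for the second, quoting the "from yahoo.com (mail.example-isp.ma ...)" header. That is the check the post recommends: the hit itself tells you which relay HELO'd with the bare domain, and the host name and address in the parentheses after it (what the receiving MTA recorded) show who that relay really was.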