false positive?

Tim Tyler tyler at beloit.edu
Tue Aug 12 21:02:00 IST 2003


Matt,
  Yes, but what about when sites use the same hostname as their domain name?
For instance, we have beloit.edu as our domain while also using beloit.edu
as our hostname for our faculty/staff smtp server.  It's not totally clear to
me why it should be assumed that the lack of a hostname extension is
necessarily a violation of any welcome rules.  But since it might indicate
an issue, it seems to me that it might be prudent to lower its weighted
value given the number of false positives this issue seems to create.
  Can I lower the weighted value for this variable myself?
Tim

>
>At 09:55 AM 8/12/2003 -0500, Tim Tyler wrote:
>>The bulk of the score relates to rcvd_fake_helo_dotcom.   Can anyone tell
>>me what that means and why it might occur on a legitimate message?  I
>>believe the message was sent from a service in Morocco for whatever that is
>>worth.
>
>These rules attempt to detect messages where someone issues a HELO as
>"yahoo.com" or similar popular ISP, without any kind of host name. For
>example since yahoo always helo's as " web####.mail.yahoo.com " or
>something similar, and never as "yahoo.com" anyone issuing that hello is
>either attempting to deceive you, or misconfigured.
>
>Here's a copy of the rule for FAKE_HELO_DOTCOM:
>
>20_head_tests.cf:header RCVD_FAKE_HELO_DOTCOM    Received =~ /^from (?:msn|yahoo|yourwebsite|lycos|excite|cs|aol|localhost|koreanmail|allexecs|mydomain|juno|eudoramail|compuserve|desertmail|excite|caramail)\.com \(/m
>
>It sounds like the Moroccan service is misconfigured. Check the Received
>headers.
>


--
Tim Tyler
Network Manager - Beloit College
tyler at beloit.edu
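The rule quoted in the thread, run over constructed Received headers in Python (an added example, not code from the thread or from SpamAssassin; the sample hops, host names in the samples other than beloit.edu, and IP addresses are made up):

```python
import re

# Regex copied from the quoted RCVD_FAKE_HELO_DOTCOM rule (20_head_tests.cf).
# The rule's trailing /m becomes re.MULTILINE so ^ matches the start of every
# Received line once the hops are joined together.
FAKE_HELO_DOTCOM = re.compile(
    r"^from (?:msn|yahoo|yourwebsite|lycos|excite|cs|aol|localhost|koreanmail|allexecs"
    r"|mydomain|juno|eudoramail|compuserve|desertmail|excite|caramail)\.com \(",
    re.MULTILINE,
)


def rule_hits(received_headers):
    """Return the text matched by the rule for each Received hop that triggers it.

    received_headers: list of Received header values, one per hop, already
    unfolded the way a scanner presents them to the rule.
    """
    joined = "\n".join(h.strip() for h in received_headers)
    return [m.group(0) for m in FAKE_HELO_DOTCOM.finditer(joined)]


# Constructed sample hops; the HELO string is the token right after "from".
SAMPLES = {
    # Yahoo webmail HELOs with a full host name, so the rule stays quiet.
    "yahoo_real": ["from web12345.mail.yahoo.com (web12345.mail.yahoo.com [192.0.2.10])"
                   " by mx.example.edu with SMTP; Tue, 12 Aug 2003 21:00:00 +0100"],
    # A bare "yahoo.com" HELO is exactly what the rule is written to catch.
    "yahoo_bare": ["from yahoo.com (unknown [198.51.100.7]) by mx.example.edu"
                   " with SMTP; Tue, 12 Aug 2003 21:00:00 +0100"],
    # Tim's situation: mail host named after the bare domain, but the domain is
    # not in the rule's .com list, so this particular rule does not fire.
    "edu_bare": ["from beloit.edu (beloit.edu [203.0.113.5]) by mx.example.edu"
                 " with ESMTP; Tue, 12 Aug 2003 21:00:00 +0100"],
    # No space-plus-parenthesis after the domain: the rule's literal " \(" is absent.
    "yahoo_bracket": ["from yahoo.com [198.51.100.7] by mx.example.edu"
                      " with SMTP; Tue, 12 Aug 2003 21:00:00 +0100"],
}

if __name__ == "__main__":
    for name, hops in SAMPLES.items():
        print(f"{name:14s} -> {rule_hits(hops)}")
```

Only the listed .com domains can trigger the rule, and only when the bare domain is followed by a space and an opening parenthesis; the pattern is also case-sensitive, so a HELO of "Yahoo.com" slips past it.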
