new s.pam getting through

Steve Thomas lists at STHOMAS.NET
Wed Nov 12 22:32:34 GMT 2003


On Wed, Nov 12, 2003 at 02:07:43PM -0800, Ken Anderson is rumored to have said:
>
> Thanks, fwiw, I'm also seeing "Hel-Tracking" header.
>

One other thing that I've noticed about these spams is that they're always using a SMTP HELO argument of the domain name they're spamming. So the (simplified) SMTP transaction looks kind of like this:

--> HELO victim.com
<-- 250 mail.victim.com
--> MAIL FROM: victim at victim.com
<-- 250 OK
--> RCPT TO: victim at victim.com
<-- 250 OK
--> DATA
...


The thing is (in our case anyway), none of our mail servers answer as "ourdomain.tld"; they all have an actual hostname. What I did was create a rule looking for a Received: header with "helo=ourdomain.tld" and assigned a massive number of points to it to overcome the AWL adjustment for having *@ourdomain.tld whitelisted. It caught my test messages properly - I'll see how it works on real-world mail...


--
"Hell is a half-filled auditorium."
- Robert Frost (1874-1963)
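The check described in the post, written out as an added example (not the poster's own rule): it pulls the Exim-style "helo=" clause out of each Received: header and flags any hop that presented the bare protected domain rather than a real hostname. The domain name, rule name and sample headers are placeholders constructed for the example.

```python
import re
from email import message_from_string

# Placeholder for the protected domain (the post's "ourdomain.tld"); not a real domain.
PROTECTED_DOMAIN = "ourdomain.tld"

# Exim-style Received header clause "helo=<name>", the form the post's rule keys on.
# Sendmail-style headers record the HELO name differently and are not handled here.
HELO_RE = re.compile(r"\bhelo=([^\s()\[\]]+)", re.IGNORECASE)

# A SpamAssassin header rule of the same shape (rule name and score are assumed):
#   header LOCAL_BARE_HELO  Received =~ /helo=ourdomain\.tld[\s)]/i
#   score  LOCAL_BARE_HELO  20.0


def helo_values(raw_message: str) -> list[str]:
    """Return every helo= value found in the message's Received headers, lowercased."""
    msg = message_from_string(raw_message)
    values = []
    for received in msg.get_all("Received", []):
        values.extend(m.group(1).lower() for m in HELO_RE.finditer(received))
    return values


def bare_domain_helo(raw_message: str, domain: str = PROTECTED_DOMAIN) -> bool:
    """True when some hop presented the bare protected domain as its HELO name.

    The domain's real mail hosts answer with a full hostname (mail.ourdomain.tld),
    so a HELO equal to the bare domain is the marker the post describes.
    """
    return any(h == domain.lower() for h in helo_values(raw_message))


# Constructed sample messages (IPs from the documentation range 192.0.2.0/24).
SUSPECT = (
    "Received: from ourdomain.tld ([192.0.2.10] helo=ourdomain.tld)\n"
    "\tby mx.ourdomain.tld with esmtp (Exim 4.24) id 1XXXXX-000000-00\n"
    "\tfor victim@ourdomain.tld; Wed, 12 Nov 2003 14:07:43 -0800\n"
    "From: victim@ourdomain.tld\nTo: victim@ourdomain.tld\nSubject: test\n\nbody\n"
)
LEGIT = (
    "Received: from mail.ourdomain.tld ([192.0.2.20] helo=mail.ourdomain.tld)\n"
    "\tby mx.ourdomain.tld with esmtp (Exim 4.24) id 1XXXXX-000001-00\n"
    "\tfor victim@ourdomain.tld; Wed, 12 Nov 2003 14:08:00 -0800\n"
    "From: victim@ourdomain.tld\nTo: victim@ourdomain.tld\nSubject: test\n\nbody\n"
)

if __name__ == "__main__":
    for name, sample in (("suspect", SUSPECT), ("legit", LEGIT)):
        print(name, helo_values(sample), "flag" if bare_domain_helo(sample) else "ok")
```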


