> > I've noticed lots of them EHLO as "ED". You could check to see if there's a
> > dot in the HELO name (pretty much all legit mail EHLOs as a FQDN or is that
> > FQHN =)
> > drop message = We do not accept mail of this kind
> > condition = ${if match{$sender_helo_name}{ED}{yes}{no}}
>
> Do you have a generalised version of this which checks for a dot in the
> HELO name?
condition = ${if match{$sender_helo_name}{\N^[^.].*\.[^.]+$\N}{no}{yes}}
Basically this says "Must contain a dot but the first and last character may
not be a dot". From experience, this will stop all sobig.f mails.
--
Lab tests show that use of micro$oft causes cancer in lab animals
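
The dot check from the reply above, run over a handful of HELO names to show what it drops and what it lets through. This is an added example, not part of the original post; the function names and the sample HELO names are constructed for illustration.

```python
import re

# Same pattern as the Exim condition in the reply. The \N...\N markers only
# stop Exim string expansion and are not part of the regex itself.
HELO_DOT_RE = re.compile(r"^[^.].*\.[^.]+$")


def helo_rejected(helo_name: str) -> bool:
    """Mirror ${if match{...}{no}{yes}}: True means the condition fires."""
    return HELO_DOT_RE.search(helo_name) is None


# Constructed sample HELO/EHLO names (not taken from real traffic).
SAMPLES = [
    "ED",                 # the bare name mentioned in the thread
    "localhost",          # unqualified name, no dot
    "mail.example.com",   # ordinary FQDN
    ".example.com",       # leading dot
    "mail.example.com.",  # rooted FQDN with trailing dot
    "[192.0.2.25]",       # address literal: contains dots, so it passes
    "a..b",               # empty label: the pattern does not check for this
    "",                   # empty HELO
]


def classify(names):
    """Return {name: 'drop' | 'accept'} for each HELO name."""
    return {n: ("drop" if helo_rejected(n) else "accept") for n in names}


if __name__ == "__main__":
    for name, verdict in classify(SAMPLES).items():
        print(f"{name!r:24} {verdict}")
```

The run shows the two edges to watch before deploying the condition: a rooted name with a trailing dot and any unqualified internal host name are dropped, while address literals and names with empty labels are accepted.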