Re: [Exim] Blocking sobig.f

Author: Chris Edwards
Date:  
To: exim-users
Subject: Re: [Exim] Blocking sobig.f
| > > drop    message = We do not accept mail of this kind
| > >     condition = ${if match{$sender_helo_name}{ED}{yes}{no}}


As I'm sure is clear, this is simply one infected PC that HELOs as `ED'.
It's probably the windoze hostname or similar. You might as well block its IP.



| condition = ${if match{$sender_helo_name}{\N^[^.].*\.[^.]+$\N}{no}{yes}}


Good stuff.

Sadly we have quite a lot of PCs on campus that HELO this way.

But blocking external mails looks like a go-er.


| basically this says "Must contain a dot but the first and last character may
| not be a dot". From experience, this will stop all sobig.f mails.


Unless they've been relayed by some MTA

( where you get that MTA's HELO string )



--
Chris Edwards, Glasgow University Computing Service
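The quoted ACL condition, and the relay caveat Chris raises, are easier to judge against concrete HELO strings. The following is an added illustration written for this archive page, not code from the thread or from Exim itself: it re-implements the `${if match{$sender_helo_name}{\N^[^.].*\.[^.]+$\N}{no}{yes}}` test in Python (Exim's `match` is an unanchored PCRE search, so `re.search` with the same anchored pattern behaves the same way) and runs it over constructed sample HELO values, including a relaying MTA's fully qualified name to show why relayed copies slip past the check.

```python
import re

# The pattern from the quoted ACL condition.  Exim's ${if match{..}{..}} is
# an unanchored PCRE search, so re.search with the same anchors is equivalent.
HELO_FQDN_RE = re.compile(r"^[^.].*\.[^.]+$")


def helo_looks_qualified(helo: str) -> bool:
    """True when the HELO contains a dot and neither starts nor ends with one."""
    return HELO_FQDN_RE.search(helo) is not None


def helo_check(helo: str) -> str:
    """Mirror the ACL verb.  The thread's condition is written {no}{yes}, so
    the 'drop' fires exactly when the HELO does *not* match the pattern."""
    return "accept" if helo_looks_qualified(helo) else "drop"


def classify_sessions(sessions):
    """Apply the check to (helo, description) pairs; return helo -> verb."""
    return {helo: helo_check(helo) for helo, _ in sessions}


# Constructed sample HELO strings for illustration (not from any real capture).
SAMPLE_SESSIONS = [
    ("ED", "bare Windows hostname, as in the quoted rule"),
    ("localhost", "unqualified name, no dot at all"),
    ("mail.example.com", "properly qualified sending MTA"),
    ("[192.0.2.1]", "address literal: starts with '[' and ends with ']', so it passes"),
    (".example.com", "leading dot"),
    ("example.com.", "trailing dot"),
    ("relay.example.net", "relaying MTA: an infected PC's mail relayed through it"
                          " arrives with this HELO and is NOT stopped"),
]

if __name__ == "__main__":
    for helo, why in SAMPLE_SESSIONS:
        print(f"{helo_check(helo):6}  {helo!r:22} {why}")
```

The last sample is the point of the caveat: once a message has passed through a correctly configured relay, `$sender_helo_name` holds that relay's name, so a HELO-shape test can only catch direct deliveries from the infected host.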