Chris Edwards wrote:
> | > > drop message = We do not accept mail of this kind
> | > > condition = ${if match{$sender_helo_name}{ED}{yes}{no}}
>
> As I'm sure is clear, this is simply one infected PC that HELOs as `ED'.
> It's probably the windoze hostname or similar. You might as well block its IP.
Here's the list of HELOs I've seen (out of about 160 virus mails):
ED
L-308
BOBS
RNPC47
YOUR-US67PI6LUV
LR
SE-VASQUEZ
It's kept the payload down.
> | condition = ${if match{$sender_helo_name}{\N^[^.].*\.[^.]+$\N}{no}{yes}}
>
> Good stuff.
Thanks =)
> Sadly we have quite a lot of PCs on campus that HELO this way.
I use this on my personal server. I can't at work because it can block
enough legit to not be useful.
> But blocking external mails looks like a go-er.
Definitely =)
> | basically this says "Must contain a dot but the first and last character may
> | not be a dot". From experience, this will stop all sobig.f mails.
>
> Unless they've been relayed by some MTA
>
> ( where you get that MTA's HELO string )
True, but if the virus has its own MTA and doesn't HELO with a FQDN, it'll
get caught. Spammers do this sometimes too. My backup MX also does the
same acl checks that my primary does.
--
Lab tests show that use of micro$oft causes cancer in lab animals
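The HELO check discussed in this thread, modelled as an added example (not code from the original post or from Exim itself). The Python below mirrors the quoted ACL condition `${if match{$sender_helo_name}{\N^[^.].*\.[^.]+$\N}{no}{yes}}`: Exim's `match` is an unanchored regex search, so the `^` and `$` in the pattern do the anchoring, and the condition yields "yes" (drop) only when the HELO does *not* match. The seven HELO strings are the ones listed in the post; the remaining sample values are constructed for illustration.

```python
import re

# Same pattern as the Exim ACL condition in the thread:
#   "must contain a dot, but the first and last character may not be a dot"
HELO_PATTERN = re.compile(r"^[^.].*\.[^.]+$")


def helo_has_dotted_name(helo: str) -> bool:
    """True when the HELO name contains a dot and neither starts nor ends with one."""
    return HELO_PATTERN.search(helo) is not None


def should_drop(helo: str) -> bool:
    """Mirror the ACL: match -> 'no' (accept); no match -> 'yes' (drop)."""
    return not helo_has_dotted_name(helo)


# Sample input. The first seven entries are the HELOs listed in the post;
# the rest are constructed here to show the edge cases of the regex.
SAMPLE_HELOS = [
    "ED", "L-308", "BOBS", "RNPC47", "YOUR-US67PI6LUV", "LR", "SE-VASQUEZ",
    "mail.example.com",  # constructed: ordinary FQDN, accepted
    "[192.0.2.1]",       # constructed: address literal, accepted (it contains a dot)
    ".example.com",      # constructed: leading dot, dropped
    "example.",          # constructed: trailing dot, dropped
]


def classify(helos):
    """Split a list of HELO names into (dropped, accepted), preserving order."""
    dropped = [h for h in helos if should_drop(h)]
    accepted = [h for h in helos if not should_drop(h)]
    return dropped, accepted


if __name__ == "__main__":
    for h in SAMPLE_HELOS:
        print(f"{'drop  ' if should_drop(h) else 'accept'}  {h!r}")
```

Note that an address literal such as `[192.0.2.1]` passes this check because it contains a dot, and, as the thread points out, mail relayed through another MTA arrives with that MTA's HELO, so the check only catches senders that speak SMTP directly with a bare hostname.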