> I'm catching them with bad TZ date headers and a check for pif and scr
> attachments. Where I am at, I've got too much real mail arriving with bad
> Helo's so for right now, I am simply marking them in the logs so later I can
> do a survey to look at the stituation longer.
>
> warn log_message = BROKEN HELO/EHLO: Hello doesn't look like a
> hostname ($sender_helo_name)
> # drop message = BROKEN HELO/EHLO: Hello doesn't look like a
> hostname ($sender_helo_name)
> condition = ${if match{$sender_helo_name} \
> {\N^[^.].*\.[^.]+$\N} \
> {no}{yes} \
> }
>
> 2003-08-27 09:10:07 H=[212.145.142.47] Warning: BROKEN HELO/EHLO: Hello
> doesn't look like a hostname (slanvwy)
That's more likely a spam. Every occurence of sobig I've seen have the HELO
in all caps. a check for ^[A-Z0-9_-]+$ should catch sobig but not outlook
(as I've seen with outlook2000). Outlook2000 helos in all lowercase.
--
Lab tests show that use of micro$oft causes cancer in lab animals
