Author: Alan J. Flavell Date: To: Exim-Users (E-mail) Subject: Re: [Exim] Log info
On Wed, 29 Oct 2003, Peter Bowyer wrote:
> The H=() part is what the sending server sent in the HELO - a common spammer
> trick to try to bypass some checking your end is to HELO with either your
> host name, your domain name or your server IP.
Indeed.
> None of which actually defeat
> any checking that I know of - in fact, many use this as a positive
> indication of spam,
We've been refusing when they present our own IP address in their HELO
for quite some time: it eliminates a fair bit of spam at a low
processing cost. Recently added the local domain to the recipe -
results are good - that recipe is rejecting a somewhat larger amount
of spam, over and above what the IP address recipe was rejecting.
Syntax errors in the presented domain also keep out a modest amount
(and bring occasional complaints from misguided MTAs that like to put
underscores in there).
> and drop the mail in the HELO acl.
OK, I'm told that's pretty harmless nowadays, but from earlier
experiences of MTAs that went demented when sent 5xx in response to
HELO, we got into the habit of postponing the actual refusals till the
RCPT stage - and that approach also has the benefit that
bona-fide-but-misguided senders still get a chance to reach the
postmaster address, since we let that address through before applying
the HELO tests (and most of the other anti-spam controls).
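As an added illustration of the approach described in this message (not the poster's own configuration, and not taken from the Exim distribution), the fragment below shows how the three HELO recipes can be applied in the RCPT ACL rather than the HELO ACL, with the postmaster address let through first. The list names `local_domains` and `relay_from_hosts`, the example domains and addresses, the ACL name `acl_check_rcpt` and the character-class regex used for the syntax test are all assumptions made for this example; the Exim variables `$sender_helo_name` and `$interface_address` and the `match_domain`, `eq` and `match` expansion conditions are standard.

```exim
# --- main section (constructed sample values, adjust to your site) ---
domainlist local_domains   = example.org : mail.example.org
hostlist   relay_from_hosts = 127.0.0.1 : 192.0.2.0/24

acl_smtp_rcpt = acl_check_rcpt

begin acl

acl_check_rcpt:

  # Let postmaster through BEFORE any HELO-based test, so that a
  # misconfigured but genuine sender can still reach a human.
  accept  local_parts   = postmaster
          domains       = +local_domains

  # Own submission clients are exempt: machines on the LAN commonly
  # HELO with the local domain name, which would otherwise trip the tests.
  accept  hosts         = +relay_from_hosts

  # Recipe 1: the remote side presented our own IP address, either bare
  # or as an address literal in square brackets, as its HELO name.
  deny    message       = HELO/EHLO name is this server's own IP address
          condition     = ${if or{ \
                              {eq{$sender_helo_name}{$interface_address}} \
                              {eq{$sender_helo_name}{[$interface_address]}} \
                            }}

  # Recipe 2: the HELO name is one of our own local domains.
  deny    message       = HELO/EHLO name is one of our local domains
          condition     = ${if match_domain{$sender_helo_name}{+local_domains}}

  # Recipe 3: HELO name with characters outside the hostname syntax.
  # The regex is an assumed approximation: letters, digits, dots and
  # hyphens, or an IPv4 address literal. Underscores are rejected here,
  # which is the case the message notes draws complaints from some MTAs.
  deny    message       = Syntactically invalid HELO/EHLO name
          condition     = ${if match{$sender_helo_name} \
                              {\N^(\[[0-9.]+\]|[A-Za-z0-9][A-Za-z0-9.-]*)$\N} \
                              {no}{yes}}

  # ... remaining recipient checks (relay control, verification) follow ...
  accept  domains       = +local_domains
          endpass
          verify        = recipient

  deny    message       = relay not permitted
```

Because every `deny` sits in the RCPT ACL, the HELO command itself is always answered with 250 and the 5xx is only issued per recipient; the `accept` for postmaster precedes the HELO tests so that address bypasses them, matching the ordering the message describes. Note that by default Exim already answers a syntactically bad HELO with a 501 at HELO time; recipe 3 only has an effect for names Exim accepts syntactically (for example when `helo_allow_chars` has been widened) and is kept here to show the deferred-rejection pattern applied to all three tests.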