Re: [Exim] forged HELO/EHLO addresses

Author: Suresh Ramasubramanian
Date:  
To: David Saez
CC: Alan J. Flavell, Exim Users Mailing List
Subject: Re: [Exim] forged HELO/EHLO addresses
David Saez writes on 11/16/2003 12:22 PM:

> We have also been rejecting based on HELO with almost no false
> positives and now it produces about 50% of rejections; one simple
> HELO rule will catch lots of viruses that rewrite the infected
> Windows computer name and use it as the HELO:


That is, the NetBIOS name of the infected computer?

Yes, you could use non-FQDN HELOs as something that gets a relatively
high SpamAssassin score, but what you are going to get is a lot of
collateral damage.

A lot of the trojans HELO as your own domain or IP though... those are
easier to block.

    srs
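The split described in this thread (reject HELOs that claim to be one of your own domains or your own IP, but only tag bare non-FQDN HELOs so that SpamAssassin can score them) can be expressed as an Exim 4 ACL. The fragment below is an added example for illustration, not configuration posted by anyone in the thread; the named lists `local_domains` and `relay_from_hosts`, the addresses in them, and the use of `acl_m0` as the marker variable are assumptions.

```exim
# Added example, not from the original thread. Assumes these lists are
# defined in the main configuration section (the values are placeholders):
#
#   domainlist local_domains    = example.com : example.net
#   hostlist   relay_from_hosts = 127.0.0.1 : 192.0.2.0/24

acl_smtp_helo = acl_check_helo

begin acl

acl_check_helo:
  # Our own relaying hosts and authenticated clients are never checked;
  # an internal box with a bare hostname is exactly the legitimate
  # non-FQDN case that causes collateral damage.
  accept hosts = +relay_from_hosts
  accept authenticated = *

  # A remote host announcing itself as one of our own domains is forged:
  # nothing outside delivers mail for us using our name as its HELO.
  deny   message   = Forged HELO: $sender_helo_name is one of our own domains
         condition = ${if match_domain{$sender_helo_name}{+local_domains}}

  # Likewise a HELO of the address this connection arrived on, either
  # bare ("192.0.2.10") or as an RFC 2821 address literal ("[192.0.2.10]").
  deny   message   = Forged HELO: $sender_helo_name is our own IP address
         condition = ${if or {{eq{$sender_helo_name}{$interface_address}} \
                             {eq{$sender_helo_name}{[$interface_address]}}}}

  # A bare name with no dot (typically a Windows NetBIOS name) is a strong
  # hint but not proof, so only log it and mark the connection; a later
  # ACL (e.g. at DATA) can add a header or feed the mark to SpamAssassin.
  warn   condition  = ${if match{$sender_helo_name}{\N^[^.\[]+$\N}}
         logwrite   = non-FQDN HELO $sender_helo_name from $sender_host_address
         set acl_m0 = helo_nonfqdn

  accept
```

Two points worth checking before deploying something like this: a deny in `acl_smtp_helo` fires before MAIL FROM, so the log line carries only the peer address and HELO name, which is why many sites run the same conditions from `acl_smtp_rcpt` instead; and the interface-address test only matches the address the connection actually arrived on, so a host with several public addresses needs a list rather than `$interface_address` alone.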