In message <20050831203756.GA1312@???>, Wakko Warner
<wakko@???> writes
>> They'll hammer away with randomised HELOs whetever you do.
>
>I thought about recording the first seen HELO from an IP address to a
>database. If that IP connects and uses a different HELO, it gets
>blacklisted and thus useless. I have not tried it though.
This will -- in practice -- give you the wrong result with NAT, with
dynamic address space, and with anyone who runs more than one piece of
software. Some will argue that it should not, and others that you
didn't want email from such sources anyway. You may or may not choose to
believe such arguments :)
That said, I find it's an excellent heuristic for detecting problems,
but I use it as a basis for further examination of customer sending
problems, not as a reason for rejecting email. So there is no need for
it to be a perfect heuristic -- and the first paragraph of my reply
indicates the usual problems with it that I see daily....
BTW you'd need to time out entries over some sort of fairly short period
to avoid being caught out by ISPs renaming their cluster machines... :)
- --
richard Richard Clayton
They that can give up essential liberty to obtain a little temporary
safety deserve neither liberty nor safety. Benjamin Franklin
