On Wednesday 28 September 2005 11:14, Tony Finch wrote:
>
>>There are plenty of other things that turn up in HELO hostnames which
>>*are* an accurate indicator of evil behaviour.
Adam Funk wrote:
> I have to ask: what do the malefactors expect to accomplish by sending
> helo strings that violate such tests (which I think are well-known)?
Adding these HELO checks to my ACLs has been on my todo list for a
while. This thread got me interested in them again, so I did a quick
search of my mainlog to find how many messages I was getting from hosts
saying HELO as projectile.ca.
So out of 9408 HELO entries in my logs, 29 were bogus projectile.ca
hosts, and of those, only 2 made it as far as the DATA ACL to get a
message ID assigned. The other 27 were mostly rejected by recipient or
sender verification (without callouts) in the RCPT ACL. The 2 that made
it to the DATA ACL were both promptly rejected by clamav; none were
actually scanned by spamassassin, or delivered.
So I guess I don't need to rush to add HELO checks to my ACLs, after all.
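
The kind of log tally described in the message above, as an added example that is not part of the original post or of Exim itself. The sample lines are constructed and only modelled on Exim's main log layout, and `OWN_DOMAIN`, `OWN_HOSTS` and the function names are hypothetical.

```python
import re

OWN_DOMAIN = "projectile.ca"   # the receiving site's own domain, as in the post
OWN_HOSTS = {"192.0.2.1"}      # hypothetical: site hosts that may use that HELO

# Constructed sample lines modelled on Exim's main log layout (not real log data).
SAMPLE_LOG = """\
2005-09-28 10:01:11 H=(projectile.ca) [192.0.2.10] F=<a@example.net> rejected RCPT <nobody@projectile.ca>: Unrouteable address
2005-09-28 10:05:03 1EKaaa-0001Ab-CD H=(projectile.ca) [192.0.2.12] F=<c@example.com> rejected after DATA: This message contains a virus
2005-09-28 10:06:17 1EKbbb-0002Cd-EF <= d@example.com H=mx.example.com (mx.example.com) [198.51.100.7] P=esmtp S=2048
2005-09-28 10:06:18 1EKbbb-0002Cd-EF => d <d@projectile.ca> R=localuser T=local_delivery
2005-09-28 10:07:55 H=host.example.net (PROJECTILE.CA) [203.0.113.9] F=<e@example.net> rejected RCPT <y@projectile.ca>: Unrouteable address
2005-09-28 10:08:30 1EKccc-0003Gh-IJ <= f@projectile.ca H=(projectile.ca) [192.0.2.1] P=esmtp S=900
"""

# A message ID after the timestamp means the connection got far enough to be assigned one.
MSG_ID = re.compile(r"^\S+ \S+ \w{6}-\w{6}-\w{2} ")
# The HELO name sits in parentheses just before the bracketed client IP,
# optionally preceded by a host name found by reverse lookup.
HELO = re.compile(r"H=(?:\S+ )?\(([^)]+)\) \[([^\]]+)\]")


def tally(log_text, domain=OWN_DOMAIN, own_hosts=OWN_HOSTS):
    """Count HELO entries, remote hosts claiming our domain, and how far each got."""
    counts = {"helo_entries": 0, "bogus_helo": 0,
              "rejected_before_data": 0, "reached_data": 0, "accepted": 0}
    for line in log_text.splitlines():
        m = HELO.search(line)
        if not m:
            continue  # delivery lines and the like carry no HELO name
        counts["helo_entries"] += 1
        helo, ip = m.group(1).lower().rstrip("."), m.group(2)
        if helo != domain or ip in own_hosts:
            continue  # either an unrelated HELO name or one of our own hosts
        counts["bogus_helo"] += 1
        if MSG_ID.match(line):
            counts["reached_data"] += 1
            if " <= " in line:
                counts["accepted"] += 1
        else:
            counts["rejected_before_data"] += 1
    return counts


if __name__ == "__main__":
    print(tally(SAMPLE_LOG))
```

A non-zero `accepted` count is the case where the existing RCPT and DATA checks are not catching these hosts and a HELO check would be doing real work.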