Marc Perkel wrote:
> Just a thought ....
>
> You extract the registrar-barrier part of the host name and the same for
> the HELO. For many hosts that send good email this would match. For example,
> yahoo.com would have yahoo.com in both the host name and the HELO.
>
> Then, after tracking these and developing a list of hosts that do this,
> we see a host where the HELO claims to be yahoo.com but the rDNS
> says otherwise. The idea is that if they are on the list of having
> matched, then when they don't match it might be a spam indicator?
>
'Lists' need maintenance, ELSE they get stale and work against you, AND/OR
eat your lunch money to store and play with.
Modified from snippets found in archives here so long ago I don't
clearly remember whose contribution it was (Tor Slettnes?)
(line-wrap munged below, I'm sure)
====
# Envelope sender claims @yahoo.com, but the sending host's reverse DNS
# does not end in yahoo.com (an empty $sender_host_name, i.e. no rDNS at
# all, also fails the match and therefore scores). Dots are escaped and
# the match anchored on a label boundary so that "notyahoo.com" is not
# accepted as yahoo.com. acl_c2 collects the reasons, acl_c8 is the
# running numeric score (start it at 0 in the connect ACL so the first
# ${eval:} has a number to add to).
warn
  log_message = MF5 Forged Yahoo
  senders     = *@yahoo.com
  condition   = ${if match{$sender_host_name}{\N(^|\.)yahoo\.com$\N}{no}{yes}}
  set acl_c2  = $acl_c2 Forged Yahoo Address=100
  set acl_c8  = ${eval:$acl_c8 + 100}

# Same pattern for msn.com senders, accepting either msn.com or
# hotmail.com reverse DNS.
warn
  log_message = MF5 Forged hotmail or MSN
  senders     = *@msn.com
  condition   = ${if match{$sender_host_name}{\N(^|\.)(msn|hotmail)\.com$\N}{no}{yes}}
  set acl_c2  = $acl_c2 Forged MSN Address=100
  set acl_c8  = ${eval:$acl_c8 + 100}
====
I use over a dozen of these covering the most-often-forged major operators.
The HELO check is a different process, as *much* mail comes from MTAs that
serve multiple domain.tld, BUT they should still HELO with a valid FQDN that
can be checked, whether it matches each hosted sender's mail records or not.
The variables on the WARN verbs should tell you a point-scoring process is
at work here, and that not all faux pas are treated as generously or
harshly as others.
A HELO to me as *my own* server gets a certain-death 1000 points, for
example. And a local blacklist hit ignores all scores in favor of a BFBI
deny....
HTH,
Bill
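The scoring scheme Bill describes (WARN verbs that add points, a HELO as my own server worth 1000, a local blacklist that denies regardless of score) needs a start value, a blacklist deny, the HELO checks, and a final threshold deny to be usable. The fragment below is an added example written for this reply, not Bill's configuration. It assumes ACL names `acl_check_connect` and `acl_check_rcpt` (wired up with `acl_smtp_connect` / `acl_smtp_rcpt` in the main section), a blacklist file at `/etc/exim/local_blacklist`, the usual `+local_domains` named list, and a reject threshold of 1000 points; all of those names and numbers are illustrative. Bill's per-sender WARN blocks would sit in `acl_check_rcpt` before the final `deny`.

```exim
# Added example: scoring skeleton around the WARN blocks posted above.
# Assumed names: acl_check_connect, acl_check_rcpt, /etc/exim/local_blacklist,
# +local_domains, threshold 1000. None of these come from the original post.

acl_check_connect:
  # acl_c* variables live for the whole connection; start with a clean
  # score so the first ${eval:} has a number to add to.
  warn
    set acl_c2 =
    set acl_c8 = 0

  # Local blacklist beats every score: plain deny, no points involved.
  # A host list item that is an absolute path is read line by line.
  deny
    message = rejected: $sender_host_address is locally blacklisted
    hosts   = /etc/exim/local_blacklist

acl_check_rcpt:
  # HELO claims to be this server or one of its local domains: 1000 points,
  # which on its own crosses the threshold below.
  warn
    log_message = HELO forged as my own name ($sender_helo_name)
    condition   = ${if match_domain{$sender_helo_name}{$primary_hostname : +local_domains}}
    set acl_c2  = $acl_c2 HELO-is-me=1000
    set acl_c8  = ${eval:$acl_c8 + 1000}

  # HELO given as our own IP address literal, e.g. "[192.0.2.25]".
  warn
    log_message = HELO forged as my own address ($sender_helo_name)
    condition   = ${if eq{$sender_helo_name}{[$interface_address]}}
    set acl_c2  = $acl_c2 HELO-is-my-IP=1000
    set acl_c8  = ${eval:$acl_c8 + 1000}

  # Bare name without a dot and not an address literal: not an FQDN.
  # Treated more gently, as Bill says not all faux pas score alike.
  warn
    log_message = HELO is not an FQDN ($sender_helo_name)
    condition   = ${if match{$sender_helo_name}{\N^[^.\[]+$\N}}
    set acl_c2  = $acl_c2 HELO-not-FQDN=50
    set acl_c8  = ${eval:$acl_c8 + 50}

  # HELO name fails Exim's own verification (DNS lookup; costs a query).
  warn
    log_message = HELO does not verify ($sender_helo_name)
    !verify     = helo
    set acl_c2  = $acl_c2 HELO-unverified=100
    set acl_c8  = ${eval:$acl_c8 + 100}

  # (Bill's per-sender "MF5 Forged ..." WARN blocks go here.)

  # Final verdict: the reasons collected in acl_c2 go into the log and the
  # SMTP reply, so a false positive can be traced back to the rule that
  # scored it.
  deny
    message   = rejected: score $acl_c8 ($acl_c2)
    condition = ${if >{$acl_c8}{999}}

  accept
```

Two practical notes. The `!verify = helo` test does a DNS lookup per connection and is the loosest of the HELO checks, so keep its score modest; the two "HELO is me" rules need no DNS and are the ones worth the certain-death weight. And because the score is only read in the final `deny`, a relaxed rule elsewhere never silently rescues a host that hit the blacklist: that `deny` fires in the connect ACL before any points are counted.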