> From: "Hill Ruyter"
> I am getting a lot of mail recently that is passing my HELO tests and
> callouts but it has clear fakery that I could test for if I knew how
That's not the only suspicious sign. I don't get such spam
(with different From and envelope-from) thanks to other tests.
But I get messages I need with my email address in From and different
envelope-from.
> Received: from [74.72.203.118] (helo=cpe-74-72-200-118.nyc.res.rr.com)
Here $sender_hostname is empty because cpe-74-72-200-118.nyc.res.rr.com
resolves to 74.72.200.118, not 74.72.203.118.
Besides, the "74-72-200-118" part of $sender_helo_name is also suspicious
(looks like a dynamic IP address).
Both these suspicions in my opinion don't warrant an outright "deny"
(because that's fraught with false positives), but in such cases I
greylist which works in practice, even without callouts.
I attached parts of my config (performing these checks among others) to
http://wiki.exim.org/DbLessGreyListingRun
That greylisting implementation is very simple, without SQL and such,
just create a directory and a cronjob, use the attached config snippets
and it works. Ham (messages I need) is not delayed because I greylist
only suspicious messages.
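The two suspicions the reply describes (HELO name that does not resolve to the connecting address, and a HELO name with an IP address baked into it) can be expressed as a small offline check. The following is an added example, not code from the reply or from the DbLessGreyListingRun config on the wiki: it parses the quoted Received: line, looks the HELO name up in a constructed forward-DNS table (a stand-in for the real lookup, which in Exim's ACL is already reflected in `$sender_host_name` being empty), and returns "greylist" rather than "deny" when either heuristic fires, matching the reply's advice to avoid false positives. The sample header lines and the DNS table are constructed for the example.

```python
import re

# Constructed forward-DNS table standing in for real A-record lookups so
# the example runs offline. In Exim the same information is available in
# the ACL: $sender_host_name is empty when the HELO name does not resolve
# back to the connecting address.
FAKE_FORWARD_DNS = {
    "cpe-74-72-200-118.nyc.res.rr.com": {"74.72.200.118"},
    "mail.example.org": {"203.0.113.10"},
}

# Matches the "from [ip] (helo=name)" part of a Received: header.
RECEIVED_RE = re.compile(
    r"from \[(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\]\s+\(helo=(?P<helo>[^)\s]+)\)"
)

# Four decimal groups separated by '-' or '.' anywhere in the HELO name,
# e.g. cpe-74-72-200-118.nyc.res.rr.com or 74.72.203.118.dyn.example.net.
EMBEDDED_IP_RE = re.compile(
    r"(?<![0-9])(\d{1,3})[-.](\d{1,3})[-.](\d{1,3})[-.](\d{1,3})(?![0-9])"
)


def parse_received(line):
    """Return (connecting_ip, helo_name) from a Received: line, or None."""
    m = RECEIVED_RE.search(line)
    if not m:
        return None
    return m.group("ip"), m.group("helo")


def helo_resolves_to(helo, ip, resolver=FAKE_FORWARD_DNS):
    """True if the forward lookup of the HELO name contains the sender IP."""
    return ip in resolver.get(helo.lower(), set())


def helo_embeds_ip(helo):
    """Return the dotted quad embedded in a dynamic-style HELO name, or None."""
    for m in EMBEDDED_IP_RE.finditer(helo):
        octets = [int(g) for g in m.groups()]
        if all(o <= 255 for o in octets):
            return ".".join(str(o) for o in octets)
    return None


def assess(line, resolver=FAKE_FORWARD_DNS):
    """Collect suspicion reasons; suggest greylisting, never outright deny."""
    parsed = parse_received(line)
    if parsed is None:
        return {"verdict": "unparsed", "reasons": []}
    ip, helo = parsed
    reasons = []
    if not helo_resolves_to(helo, ip, resolver):
        reasons.append("helo_does_not_resolve_to_sender_ip")
    embedded = helo_embeds_ip(helo)
    if embedded:
        reasons.append("helo_embeds_ip:" + embedded)
    return {"verdict": "greylist" if reasons else "accept", "reasons": reasons}


if __name__ == "__main__":
    # The line quoted in the thread (constructed copy) and a clean one.
    for sample in (
        "Received: from [74.72.203.118] (helo=cpe-74-72-200-118.nyc.res.rr.com)",
        "Received: from [203.0.113.10] (helo=mail.example.org)",
    ):
        print(sample, "->", assess(sample))
```

Both heuristics are deliberately soft: a legitimate sender behind a misconfigured PTR/A pair or on a generically named host will trip them, which is exactly why the result feeds a greylist decision (a temporary 4xx that a real MTA retries) instead of a reject.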