Possible aid in filtering spam
Ulf Zimmermann
ulf at Alameda.net
Mon Oct 31 12:22:01 PST 2005
On Mon, Oct 31, 2005 at 08:40:33AM -0800, Ames Cornish wrote:
> On Sun, 2005-10-30 at 20:14 -0800, David Wolfskill wrote:
> > I then saw some machine say "HELO 63.192.123.122". Ummm... no sale:
> > that's *my* IP address. Added that to the filter, too.
> >
>
> David,
>
> Thanks for the tip! I just looked at my logs and I have quite a few
> spammers using my IP as the HELO. None use the host name -- hmmmm.
>
> Incidentally, I've been trying various anti-spam techniques on my
> mailserver, and collected statistics on the results. I have a
> presentation on what worked best and what didn't here:
> http://montebellopartners.com/slides/
>
> Thanks for the info!
>
> - Ames

I started rejecting HELO using my IP a long time ago. Then I actually went
a step further and started rejecting any HELO with an IP. Much spam software
which uses compromised hosts doesn't look up its hostname but just uses
the IP number. As I interpret RFC 821, HELO is to be followed by the hostname
and a hostname is not an IP address. Yesterday my mail server rejected 6205
emails, 308 of those were based on HELO <IP>.
--
Regards, Ulf.
---------------------------------------------------------------------
Ulf Zimmermann, 1525 Pacific Ave., Alameda, CA-94501, #: 510-865-0204
You can find my resume at: http://seven.Alameda.net/~ulf/resume.html
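
The two HELO checks discussed in this thread (a client presenting the server's own IP, and a client presenting any IP instead of a hostname), sketched as an added example that is not part of the original messages or any poster's configuration. The function names, the `OWN_IPS` set and the sample arguments are assumptions; the example also covers the bracketed address-literal form, which the thread does not discuss.

```python
import ipaddress
from collections import Counter

# Assumption: the server's own addresses; 63.192.123.122 is the one quoted in the thread.
OWN_IPS = {ipaddress.ip_address("63.192.123.122")}


def helo_ip(arg):
    """Return the address named by a HELO argument (bare or bracketed
    address literal, e.g. "[IPv6:2001:db8::1]"), or None for a hostname."""
    text = arg.strip()
    if text.startswith("[") and text.endswith("]"):
        text = text[1:-1]
        if text[:5].lower() == "ipv6:":
            text = text[5:]
    try:
        return ipaddress.ip_address(text)
    except ValueError:
        return None


def check_helo(arg, own_ips=OWN_IPS):
    """Classify a HELO argument as 'reject-own-ip', 'reject-ip' or 'accept'."""
    addr = helo_ip(arg)
    if addr is None:
        return "accept"
    if addr in own_ips:
        return "reject-own-ip"
    return "reject-ip"


def tally(helo_args):
    """Count verdicts over a sequence of HELO arguments."""
    return Counter(check_helo(a) for a in helo_args)


# Constructed sample HELO arguments (not taken from the thread's logs).
SAMPLE = [
    "63.192.123.122",        # client claiming to be the server itself
    "[63.192.123.122]",
    "192.0.2.7",
    "[IPv6:2001:db8::1]",
    "mail.example.org",
    "1.2.3.4.example.net",   # hostname that merely starts with digits
]

if __name__ == "__main__":
    for verdict, count in sorted(tally(SAMPLE).items()):
        print(f"{verdict}: {count}")
```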