Byteplant Forum

HELO domain (reject?) [message #971] Tue, 21 December 2004 18:39
Patrick Buresh
Messages: 1
Registered: December 2004
Junior Member
I'm having a bit of trouble with the Reject by HELO domain feature.
We constantly get spam from multiple IP addresses which appear to claim to be from a machine calling itself 64.69.111.211.
(i.e. Received: from 64.69.111.211 ([207.69.35.247])).
I assumed by placing 64.69.111.211 in the "Reject by HELO domain" list, that it would block these messages, but it does not.
Do I not understand how this list works?
We also get many spam messages where the sending servers' name ends in a country designator such as .jp for Japan.
(I.e. Received: from smtp.email.spamalot.jp ([209.114.7.1]) or mail.greatoffers.com.jp ([66.54.92.44])).
If I enter *.jp in the domain list, it appears to do nothing as well. I thought that the wildcard * would include any domain prefix as long as it ended with .jp?

Can anyone offer any suggestions?

Thanks.



Post Edited (12-21-04 18:41)
Re: HELO domain (reject?) [message #972 is a reply to message #971] Thu, 23 December 2004 14:19
support
Messages: 918
Registered: April 2004
Senior Member
> I'm having a bit of trouble with the Reject by HELO domain
> feature.
> We constantly get spam from multiple IP addresses which
> appear to claim to be from a machine calling itself
> 64.69.111.211.
> (i.e. Received: from 64.69.111.211 ([207.69.35.247])).
> I assumed by placing 64.69.111.211 in the "Reject by HELO
> domain" list, that it would block these messages, but it does
> not.
> Do I not understand how this list works?

NoSpamToday! puts the HELO name into the Received header, so you are right, it should have been working. But are you sure this is the Received header added by NoSpamToday?

Another sure way to find the HELO name is to enable detailed logging, and to look for the parameter of the HELO or EHLO commands used by the sending mail server in the log.

> We also get many spam messages where the sending servers'
> name ends in a country designator such as .jp for Japan.
> (I.e. Received: from smtp.email.spamalot.jp ([209.114.7.1])
> or mail.greatoffers.com.jp ([66.54.92.44])).
> If I enter *.jp in the domain list, it appears to do nothing
> as well. I thought that the wildcard * would include any domain
> prefix as long as it ended with .jp ?

Yes, but again only the HELO name used in the SMTP session counts, so I suppose the .jp header is either faked or was added by an earlier mail relay.

You can add the following rule to local.cf to filter all mails relayed by a *.jp server:

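# Match a hostname ending in .jp in any Received header
# (the lookahead keeps .jpg or .jp.example.com from matching)
header RELAYED_JAPAN Received =~ /\.jp(?![\w.-])/i
describe RELAYED_JAPAN Mail was relayed by some Japanese server
score RELAYED_JAPAN 5.0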



Post Edited (12-23-04 14:28)


Customer Support
Byteplant GmbH
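
The distinction made in the reply above, as an added example that is not part of the original thread or of Byteplant's software: a HELO reject list only ever sees the name from the topmost Received header (the one written by the local filter), while a header rule sees every hop. The glob-style matching, the `example.test`/`example.invalid` hostnames and the sample message are assumptions constructed for illustration.

```python
import re
from email import message_from_string
from fnmatch import fnmatchcase

# Constructed sample: headers are prepended, so the first Received line is the
# one written by the local filter; the one below it arrived with the message
# and is under the sender's control.
RAW = """\
Received: from 64.69.111.211 ([207.69.35.247]) by filter.example.test; Tue, 21 Dec 2004 18:00:00 +0100
Received: from smtp.email.spamalot.jp ([209.114.7.1]) by relay.example.invalid; Tue, 21 Dec 2004 17:59:00 +0100
From: sender@example.invalid
Subject: constructed sample

body
"""

FROM_RE = re.compile(r"^from\s+(\S+)\s+\(\[([0-9.]+)\]\)", re.I)

def parse_received(value):
    """Return (name, ip) from a 'from NAME ([IP])' Received value, else None."""
    m = FROM_RE.match(value.strip())
    return (m.group(1), m.group(2)) if m else None

def session_helo(raw_message):
    """HELO name of the SMTP session: only the topmost Received header counts."""
    received = message_from_string(raw_message).get_all("Received", [])
    parsed = parse_received(received[0]) if received else None
    return parsed[0] if parsed else None

def helo_rejected(helo, patterns):
    """Case-insensitive glob match of a HELO name against a reject list (assumed semantics)."""
    return helo is not None and any(fnmatchcase(helo.lower(), p.lower()) for p in patterns)

def any_hop_matches(raw_message, patterns):
    """What a header-wide rule sees: the names from every Received line."""
    names = [p[0] for v in message_from_string(raw_message).get_all("Received", [])
             if (p := parse_received(v))]
    return any(helo_rejected(n, patterns) for n in names)

if __name__ == "__main__":
    helo = session_helo(RAW)
    print("session HELO:", helo)
    print("*.jp rejects session:", helo_rejected(helo, ["*.jp"]))
    print("literal IP rejects session:", helo_rejected(helo, ["64.69.111.211"]))
    print("*.jp seen on some hop:", any_hop_matches(RAW, ["*.jp"]))
```
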