Forged is when the sending mail server is claiming to be your mail server, so it would send a HELO with your IP address or domain name. There may be other things that this can be also but that's the one I see most often.
A suspicious HELO is when the sending mail server is sending localhost in its HELO string or something that doesn't conform to the RFCs (a hostname rather than a FQDN, for example). Basically, forged HELOs are known to be malicious and suspicious HELOs are usually just scored, since they could be the result of a poorly configured but real SMTP server or they could be from a spam bot.

> -----Original Message-----
> From: Hisham [mailto:[email protected]]
> Sent: Tuesday, 31 March 2009 9:33 p.m.
> To: For Users of ASSP
> Subject: [Assp-user] Suspicious HELO
>
> What is the difference between (Suspicious HELO) and (ForgedHELO)?
> What measures does ASSP take to distinguish between both?
>
>
> Mar-30-09 05:27:27 80047-10811 118.167.134.32 <[email protected]>
> MessageScore is now 5, after adding 5 (Suspicious HELO - con
> tains IP: '193.188.97.210')
>
>
> Mar-30-09 12:38:30 05910-11714 [ForgedHELO] 168.187.179.123
> <[email protected]> [spam found] (forced: forged Helo: 'xxxxx.com.
> bh')
>
>
> Thanks in Advance.
> Hisham
>
> -----------------------------------------------------------------------
> -------
> _______________________________________________
> Assp-user mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/assp-user
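The distinction drawn in the reply above (a forged HELO claims to be the receiving server itself and is rejected outright; a suspicious HELO merely violates the RFC and only adds to the score) can be written down as a small classifier. The following is an added example for this thread, not ASSP's own code: the receiving server's domain (example.com), its IP (192.0.2.10), the +5 score and the sample HELO strings are constructed assumptions, and the "suspicious" checks (localhost, embedded IP, bare hostname, malformed name) are the ones the reply and the quoted log lines mention.

```python
"""Classify SMTP HELO/EHLO strings as forged, suspicious or ok.

Added illustration for the ASSP thread; this is not ASSP's code.
The domain, IPs and score below are constructed assumptions.
"""
import ipaddress
import re

# Constructed identity of *our* receiving mail server (assumption).
OUR_DOMAIN = "example.com"
OUR_IPS = {"192.0.2.10"}
# Constructed: score added for a suspicious HELO (mirrors the "+5" in the log).
SUSPICIOUS_SCORE = 5

# Dotted quad anywhere in the string, e.g. "host-193.188.97.210.isp.net".
IPV4_RE = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")
# Loose FQDN check: letter/digit/hyphen labels, at least two labels,
# alphabetic top-level label.
FQDN_RE = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+"
    r"[a-z][a-z0-9-]{0,61}[a-z0-9]$", re.IGNORECASE)


def _address_literal(helo):
    """Return the IP if helo is an RFC 5321 address literal such as
    '[203.0.113.5]', otherwise None."""
    if helo.startswith("[") and helo.endswith("]"):
        try:
            return str(ipaddress.ip_address(helo[1:-1]))
        except ValueError:
            return None
    return None


def classify_helo(helo, our_domain=OUR_DOMAIN, our_ips=OUR_IPS):
    """Return (verdict, reason); verdict is 'forged', 'suspicious' or 'ok'."""
    h = helo.strip().lower().rstrip(".")
    if not h:
        return "suspicious", "empty HELO"

    # Forged: the peer claims to be us (our domain or one of our IPs).
    if h == our_domain or h.endswith("." + our_domain):
        return "forged", "claims our domain %r" % h
    literal = _address_literal(h)
    claimed_ips = {literal} if literal else set(IPV4_RE.findall(h))
    ours = claimed_ips & set(our_ips)
    if ours:
        return "forged", "claims our IP %s" % sorted(ours)[0]

    # An address literal that is not ours is allowed by RFC 5321.
    if literal:
        return "ok", "address literal"

    # Suspicious: non-conforming or obviously bogus; scored, not blocked.
    if h in ("localhost", "localhost.localdomain"):
        return "suspicious", "localhost"
    embedded = IPV4_RE.search(h)
    if embedded:
        return "suspicious", "contains IP: %r" % embedded.group(0)
    if "." not in h:
        return "suspicious", "bare hostname, not a FQDN"
    if not FQDN_RE.match(h):
        return "suspicious", "malformed hostname"
    return "ok", "well-formed FQDN"


def helo_score(helo, **kw):
    """Apply the policy the reply describes: forged is rejected outright
    (returns None), suspicious adds SUSPICIOUS_SCORE, ok adds nothing."""
    verdict, _ = classify_helo(helo, **kw)
    if verdict == "forged":
        return None
    return SUSPICIOUS_SCORE if verdict == "suspicious" else 0


if __name__ == "__main__":
    for sample in ("mail.example.com", "[192.0.2.10]", "localhost",
                   "mailserver", "host-193.188.97.210.isp.net",
                   "[203.0.113.5]", "mx1.sender-domain.org"):
        print("%-32s %s" % (sample, classify_helo(sample)))
```

The forged checks run first so that a HELO of our own domain or IP is never downgraded to merely "suspicious", and a bracketed address literal that is not ours is accepted because RFC 5321 permits it; everything else that is not a well-formed FQDN only adds to the score, which is the behaviour the reply attributes to ASSP.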
