Glenn, I look up the HELO strings in the LOG*.TXT files. Most of the time you can match on "IS" for the IP address, instead of CONTAINS, but it does depend on the string. Some of the ones trying to relay through us recently are "http://monoin.com" and www.xyz34.uk.co.sg. So, it depends on what you see them trying to use. The mailfrom field may or may not be related to the HELO field. In yesterday's log, I see:

    20030710 022238 127.0.0.1 SMTPD (08DE0134) [207.229.190.23] EHLO cliff.bigcitytools.com
    20030710 022239 127.0.0.1 SMTPD (08DE0134) [207.229.190.23] MAIL FROM:<[EMAIL PROTECTED]>

and

    20030710 043322 127.0.0.1 SMTPD (0AFA0138) [211.218.205.189] HELO http://monoin.com
    20030710 043323 127.0.0.1 SMTPD (0AFA0138) [211.218.205.189] MAIL FROM:<[EMAIL PROTECTED]>

and

    20030710 070555 127.0.0.1 SMTPD (032A0150) [218.70.150.101] EHLO www.xyz34.uk.co.sg
    20030710 070556 127.0.0.1 SMTPD (032A0150) [218.70.150.101] MAIL FROM:<[EMAIL PROTECTED]>

These were just some of the relay attempts yesterday (and monoin.com wins the persistency race for the day, with the most connects and attempts).

For big spammers, first locate the message ID in the headers or the DEC*.TXT log, then use the LOG*.TXT log to find the HELO (if you don't include it in your headers). More than likely, just dropping those whitelist entries will have resolved most of your problems.

Karen

> -----Original Message-----
> From: Glenn Brooks
>
> One other question:
>
> When adding a line to the domain list, what/when is the correct method of
> adding a "." before a domain, for example:
>
> HELO 20 CONTAINS .gstassoc.com

---
This E-mail came from the Declude.JunkMail mailing list.
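An added example, not from Karen's message or from Declude, of the log-to-rule lookup she describes: it groups the LOG*.TXT HELO/EHLO and MAIL FROM lines by SMTPD session id and tests each HELO against rule entries in the HELO weight IS/CONTAINS string form from the thread. The sample log lines are constructed in the layout shown above with placeholder addresses; the rule list and the case-insensitive comparison are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample lines in the Declude LOG*.TXT layout seen in the message
# (date time local-ip SMTPD (session) [remote-ip] command). The mail addresses
# are placeholders, not the ones from the original log.
SAMPLE_LOG = """\
20030710 022238 127.0.0.1 SMTPD (08DE0134) [207.229.190.23] EHLO cliff.bigcitytools.com
20030710 022239 127.0.0.1 SMTPD (08DE0134) [207.229.190.23] MAIL FROM:<sender@example.invalid>
20030710 043322 127.0.0.1 SMTPD (0AFA0138) [211.218.205.189] HELO http://monoin.com
20030710 043323 127.0.0.1 SMTPD (0AFA0138) [211.218.205.189] MAIL FROM:<bulk@example.invalid>
20030710 070555 127.0.0.1 SMTPD (032A0150) [218.70.150.101] EHLO www.xyz34.uk.co.sg
20030710 070556 127.0.0.1 SMTPD (032A0150) [218.70.150.101] MAIL FROM:<other@example.invalid>
"""

LINE_RE = re.compile(
    r"^(?P<date>\d{8}) (?P<time>\d{6}) \S+ SMTPD \((?P<session>[0-9A-F]+)\) "
    r"\[(?P<ip>[\d.]+)\] (?P<verb>HELO|EHLO|MAIL FROM):?\s*(?P<arg>.*)$"
)

# Hypothetical rule list: (test, string, weight), mirroring "HELO 20 CONTAINS ..."
RULES = [
    ("IS", "http://monoin.com", 20),
    ("CONTAINS", ".uk.co.sg", 20),
]

def parse_sessions(text):
    """Group HELO/EHLO and MAIL FROM by SMTPD session id so the two can be correlated."""
    sessions = defaultdict(dict)
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # other SMTPD verbs are not needed for this lookup
        s = sessions[m["session"]]
        s["ip"] = m["ip"]
        if m["verb"] in ("HELO", "EHLO"):
            s["helo"] = m["arg"].strip()
        else:
            s["mailfrom"] = m["arg"].strip().strip("<>")
    return dict(sessions)

def match_rule(helo, rules=RULES):
    """First (test, string, weight) whose IS/CONTAINS test hits, else None.
    Comparison is case-insensitive here (an assumption, not Declude's documented behaviour)."""
    h = helo.lower()
    for test, needle, weight in rules:
        n = needle.lower()
        if (test == "IS" and h == n) or (test == "CONTAINS" and n in h):
            return (test, needle, weight)
    return None

def flagged_sessions(text, rules=RULES):
    """Sessions whose HELO matches a rule, keeping ip and mailfrom for the DEC*.TXT cross-check."""
    out = {}
    for sid, s in parse_sessions(text).items():
        hit = match_rule(s.get("helo", ""), rules)
        if hit:
            out[sid] = {**s, "rule": hit}
    return out
```

The session id is the key: the MAIL FROM line a second later carries it, so a HELO hit can be tied back to the sender even when, as Karen notes, the two fields look unrelated.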