If there is no possibility of this sort of thing happening, then ENDSWITH would be easier, absolutely, but the more precise, the less chance for an FP, and I haven't seen any examples where the spammer will forge your domain in HELO with a sub-domain in front of it (though I'm sure that is possible).
FYI for others, this is a discussion related to the attached filter that hasn't been published except on this list. I have very good results with this as well as another one that scores E-mails reporting themselves to be named with your IP addresses in HELO (customize for your own domains) which is clearly spam.
Matt
John Tolmachoff (Lists) wrote:
Wouldn't it be better to use ENDSWITH rather than IS?
Example, if the office domain is mail.123domain.com, IS would not catch a HELO of 123domain.com.
John Tolmachoff
Engineer/Consultant/Owner
eServices For You
# FORGEDHELO-FQDN
# Last Update: 09/23/2003
#
# Description:
# This filter is designed to detect senders that forge the Fully Qualified Domain Name (FQDN) in
# use on the mail server.
#
# Usage:
# Based on a fail weight of 10.
#
# -----Global.cfg-----
# FORGEDHELO-FQDN filter C:\IMail\Declude\ForgedHELO-FQDN.txt x 7 0
#
# False Positives:
# Scoring false positives will primarily come from hardware or software with built-in SMTP
# capabilities for sending automated notifications which are configured either by default
# or by configuration to use the name of the mail host. Mail clients on computers using
# the FQDN of the mail server as their computer name can also produce false positives.
#
# Counterbalances:
# Negative weighting is applied for Netscape and Mozilla mail clients which use the domain name
# listed in the From address. Counterbalancing is not necessary if all local users are
# configured to use SMTP AUTH, and Declude is configured for WHITELIST AUTH (v1.76+) in
# combination with IMail 8+.
#
# Test Exclusions:
# Messages containing the Netscape/Mozilla marker in the headers.

HEADERS -7 CONTAINS mozilla

# Filter Matches:
# Looks for FQDNs configured on the server. Domains should be listed as they appear in E-mail
# addresses as well as how they appear in MX records. Explicit matching (IS) should be used in
# order to prevent false positives.
#
# A good tool for generating a list of domains that you serve is ExtractUsers which is found at
# http://dev.myownemail.com/Imail/ExtractUsers.htm , placed in c:\extractusers\ directory, and
# run from the command line with "c:\extractUsers\extractUsers.exe -f c:\extractusers". This will
# output a file called Domains.txt among other things which can be used to create a list of
# domains for use in this filter.

#HELO 0 IS example.com
#HELO 0 IS mail.example.com
# FORGEDHELO-IP
# Last Update: 09/23/2003
#
# Description:
# This filter is designed to detect senders that forge the receiving mail server's IP in
# the HELO as the name of the sending server. There are no valid reasons to forge a local
# IP, and therefore this test should be scored for automatic rejection.
#
# Usage:
# Based on a fail weight of 10.
#
# -----Global.cfg-----
# FORGEDHELO-IP filter C:\IMail\Declude\ForgedHELO-IP.txt x 15 0
#
# False Positives:
# Intra-network software configured improperly to use the IP as the hostname in HELO. Dimac
# JMail and MIME::Lite have shown this behavior.
#
# Counterbalances:
# Negative weighting is applied for intra-network devices, software or Web sites that by
# default use or are configured to use an IP in a range defined in this filter.
#
# Test Exclusions:
# None by default.

#HELO -15 CONTAINS x.x.x.x

# Filter Matches:
# IP addresses that are configured for use on the mail server. CIDR ranges may not be used
# as this filter is designed to detect text strings and not actual addresses. Class C ranges
# can be specified by leaving off the trailing octet. The reserved localhost address is also
# included.

#HELO 0 CONTAINS x.x.x. (whole Class C)
#HELO 0 CONTAINS x.x.x.x (single addresses)
