Personally I think you're jumping the gun in dropping check_spamhelo. At what point does the SA plugin kick in? If memory serves, it's after you've sucked their spammy DATA down the pipe and your resources have already been wasted. Using the check_spamhelo plugin you get to kick them out before they have a chance to use up your downstream with their fraudulent bits.
Regardless of when you decide to check the HELO message, the first match you should kick out is your own IP number. I get plenty of people trying to call themselves me. Next in my list is my own domain name, since my mail host (even though it is the root of my domain) is ns.they.org and always says HELO as such, not as just "they.org". You may also want to put your #1 incoming-spam username in there. Spam clients often try to say "HELO ratty" at me.

And now the rest:

    earthling.net
    compuserve.com
    microsoft.com
    mail.hotmail.com
    aol.com
    yahoo.com
    adelphia.com
    caramail.com
    mail.com
    imail.ru
    uu.net
    swbell.net
    bigfoot.com
    wanadoo.fr
    usa.net

Unfortunately the boys in Redmond don't read specs as well as they claim, so a large portion (perhaps all?) of the hotmail outbound servers call out as "HELO hotmail.com" instead of their FQDN, so you can't block against it. There are probably more to add, new ones pop up from time to time, but these are the worst ones I've found in the past 2 years.

-Frank

On Wed, 14 Jan 2004, Roger Walker wrote:

# Some of you may have seen the FAKE_HELO settings in spamassassin
# and thought of replacing the check_spamhelo plugin by bumping the scores
# on these items extra high, to ensure their rejection, as would have
# happened with the check_spamhelo plugin itself.
#
# However, it seems that those scores are based on a reverse DNS
# lookup on the hostname of the sender/From address to determine if the
# sending IP (?) or the sender claimed in the HELO (?) matches.
#
# What happens is that if, say, a Hotmail account sends you email,
# it will go through, but if the account sends to an ISP whose user forwards
# (automatically) to you, it will fail.
#
# I figured I would dump the check_spamhelo plugin (which catches a
# few messages) in favor of the FAKE_HELO* spamassassin scores bumped up to
# 30. Well, it ends up that a lot of messages received here are from these
# larger ISPs that are forwarded by accounts at other ISPs. We can't do
# that.
#
# So, if anyone knows of any other entries besides 'aol.com' and
# 'yahoo.com' that could be used, please post.
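The HELO-time checks Frank describes above (reject your own IP, your own bare domain, your most-spammed local username, and a list of domains that real mail servers never HELO with, while leaving hotmail.com alone) are sketched below as an added, stand-alone Python example. It is not the check_spamhelo plugin's code and not anything from the thread; the IP addresses, the domain they.org, the hostname ns.they.org and the username "ratty" are taken as assumed configuration for illustration. The one generalization beyond the post is the hostname check: a peer claiming one of our own FQDNs is rejected only when it connects from an address that is not ours, so our own relay can still announce itself. Because the verdict is computed from the HELO of the client that is actually connected, it is unaffected by mail that some other ISP forwarded, which is exactly the case that tripped up the header-based FAKE_HELO approach.

```python
import ipaddress

# Constructed configuration for this example; these are assumptions,
# not the poster's real addresses or hostnames.
OUR_IPS = {"192.0.2.25"}                 # addresses this MX listens on (TEST-NET)
OUR_DOMAIN = "they.org"                  # bare domain: our own host never HELOs as this
OUR_HOSTNAMES = {"ns.they.org"}          # FQDNs only our own hosts may claim
SPAM_USERNAMES = {"ratty"}               # local usernames spam clients try as HELO
BAD_HELOS = {                            # the list from the post above
    "earthling.net", "compuserve.com", "microsoft.com", "mail.hotmail.com",
    "aol.com", "yahoo.com", "adelphia.com", "caramail.com", "mail.com",
    "imail.ru", "uu.net", "swbell.net", "bigfoot.com", "wanadoo.fr", "usa.net",
}
# Deliberately absent: "hotmail.com". Real Hotmail outbound servers say
# "HELO hotmail.com", so rejecting it would bounce legitimate mail.


def _normalize(helo: str) -> str:
    """Lowercase and trim the HELO argument; unwrap an address literal like [1.2.3.4]."""
    h = helo.strip().lower()
    if h.startswith("[") and h.endswith("]"):
        h = h[1:-1]
    return h


def _as_ip(text: str):
    """Parse text as an IP address, or return None if it is not one."""
    try:
        return ipaddress.ip_address(text)
    except ValueError:
        return None


def helo_verdict(helo: str, remote_ip: str) -> tuple[str, str]:
    """Judge one HELO/EHLO argument from the connecting client at remote_ip.

    Returns ("DENY", reason) to reject before DATA, or ("OK", "") to continue.
    """
    h = _normalize(helo)
    our_ips = {ipaddress.ip_address(ip) for ip in OUR_IPS}
    peer = _as_ip(remote_ip)

    # 1. Claiming to be our own IP address, bare or bracketed.
    claimed_ip = _as_ip(h)
    if claimed_ip is not None and claimed_ip in our_ips:
        return "DENY", "HELO claims our own IP address"

    # 2. Claiming to be our bare domain; our real host says HELO ns.they.org.
    if h == OUR_DOMAIN:
        return "DENY", "HELO claims our bare domain name"

    # 3. Claiming one of our hostnames from an address that is not ours
    #    (generalization: our own relay may still use its real name).
    if h in OUR_HOSTNAMES and peer not in our_ips:
        return "DENY", "HELO claims our hostname from a foreign address"

    # 4. A bare local username, the "HELO ratty" pattern.
    if h in SPAM_USERNAMES:
        return "DENY", "HELO is a local username"

    # 5. Domains that legitimate outbound servers never HELO with.
    if h in BAD_HELOS:
        return "DENY", f"HELO {h} is on the known-bogus list"

    return "OK", ""


if __name__ == "__main__":
    # Constructed sample connections: (HELO argument, connecting IP).
    samples = [
        ("[192.0.2.25]", "203.0.113.5"),
        ("they.org", "203.0.113.5"),
        ("ns.they.org", "203.0.113.5"),
        ("ns.they.org", "192.0.2.25"),
        ("RATTY", "203.0.113.5"),
        ("mail.hotmail.com", "203.0.113.5"),
        ("hotmail.com", "203.0.113.5"),
        ("mx1.example.net", "203.0.113.5"),
    ]
    for helo, ip in samples:
        verdict, reason = helo_verdict(helo, ip)
        print(f"{ip:<14} HELO {helo:<18} -> {verdict} {reason}")
```

The comparison is case-insensitive and exact on purpose: a suffix match on "they.org" would also reject our own ns.they.org, and a suffix match on "hotmail.com" would reintroduce the false positives the post warns about. In a real MTA plugin the same function would run in the HELO/EHLO hook so the session is dropped before the client can send DATA.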