> I put in a rule to catch this:
> header ODD_PORT_SS Received =~ /from
\[\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\]
> \(port=\d{4} helo=[a-z]{3,6}/
The good old porthelo rule. We have that in the SARE rules someplace. It
hits some ham, but generally not an appreciable amount. You don't even need
to look for the dotquad, you can look for the comment alone and get the same
results.
You do need to change that port check to something like 2,6 these days.
Loren
