SA Bugzilla – Bug 4889
new rules: detecting same HELO and BY
Last modified: 2019-06-18 17:43:49 UTC
# Source IP of the untrusted relay must not be loopback or RFC 1918 (10/8, 172.16/12,
# 192.168/16); the first octet allows one to three digits. The RFC 1918 alternatives
# are grouped so that 10/8 stands on its own instead of being nested under 172.
# \7 is the captured HELO name.
header HELO_BY_SAME X-Spam-Relays-Untrusted =~ /ip=(?!(127\.0\.0\.1|192\.168(\.\d{1,3}){2}|172\.(1[6-9]|2\d|3[01])(\.\d{1,3}){2}|10(\.\d{1,3}){3}))\d{1,3}(\.\d{1,3}){3} rdns=[^\[]* helo=([\w\.-]+) by=\7/
describe HELO_BY_SAME HELO is the same as the receiving MTA's FQDN
score HELO_BY_SAME 1.5

# Same exclusion; here the HELO name only has to be a suffix of the receiving MTA's name.
header HELO_BY_PARTIALSAME X-Spam-Relays-Untrusted =~ /ip=(?!(127\.0\.0\.1|192\.168(\.\d{1,3}){2}|172\.(1[6-9]|2\d|3[01])(\.\d{1,3}){2}|10(\.\d{1,3}){3}))\d{1,3}(\.\d{1,3}){3} rdns=[^\[]* helo=([\w\.-]+) by=[\w\.]+\7/
describe HELO_BY_PARTIALSAME HELO is the same as the receiving MTA's domain name
score HELO_BY_PARTIALSAME 1.5
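The two checks above, as an added example that is not part of the bug report or of SpamAssassin: Python regexes equivalent to the proposed rules, run over constructed X-Spam-Relays-Untrusted values, with the private-range exclusion regrouped so that 10/8 is its own alternative (the posted grouping never suppresses a 10.x.x.x source, which the example also shows). The helo/by comparison here adds a trailing boundary so the by= value cannot merely start with the HELO name.

```python
import re

# Private-source exclusion from the proposal, regrouped so that 10/8 is its own
# alternative rather than nested under the 172.16/12 branch as in the posted regex.
PRIVATE_SRC = (
    r"(?:127\.0\.0\.1"
    r"|10(?:\.\d{1,3}){3}"
    r"|172\.(?:1[6-9]|2\d|3[01])(?:\.\d{1,3}){2}"
    r"|192\.168(?:\.\d{1,3}){2})"
)
# The exclusion exactly as grouped in the posted rule, kept to show the defect.
PRIVATE_SRC_AS_POSTED = (
    r"(?:127\.0\.0\.1|192\.168(?:\.\d{1,3}){2}"
    r"|172\.(?:1[6-9]|2\d|3[01](?:\.\d{1,3}){2}|10(?:\.\d{1,3}){3}))"
)
# One relay entry: non-private source IP, any rdns, then the HELO name captured.
RELAY = (r"ip=(?!" + PRIVATE_SRC + r")\d{1,3}(?:\.\d{1,3}){3}"
         r" rdns=\S* helo=([\w.-]+) ")
# Exact match of HELO against the receiving MTA, or HELO as a suffix of its name.
HELO_BY_SAME = re.compile(RELAY + r"by=\1(?=\s|$)")
HELO_BY_PARTIALSAME = re.compile(RELAY + r"by=[\w.]+\1(?=\s|$)")


def helo_by_rules(relays_untrusted):
    """Names of the proposed rules that fire on an X-Spam-Relays-Untrusted value."""
    hits = set()
    if HELO_BY_SAME.search(relays_untrusted):
        hits.add("HELO_BY_SAME")
    if HELO_BY_PARTIALSAME.search(relays_untrusted):
        hits.add("HELO_BY_PARTIALSAME")
    return hits


def excludes_source(private_re, ip):
    """True if the private-range lookahead suppresses a relay with this source IP."""
    return re.match(private_re, ip) is not None


# Constructed header values in the field layout SpamAssassin uses for this pseudo-header.
TAIL = " ident= envfrom= intl=0 id=x auth= msa=0 ]"
SAMPLES = {
    "same": "[ ip=203.0.113.5 rdns=host5.example.net helo=mx.example.org by=mx.example.org" + TAIL,
    "partial": "[ ip=203.0.113.5 rdns=host5.example.net helo=example.org by=mx.example.org" + TAIL,
    "private": "[ ip=10.0.0.5 rdns= helo=mx.example.org by=mx.example.org" + TAIL,
    "unrelated": "[ ip=203.0.113.5 rdns=host5.example.net helo=laptop.local by=mx.example.org" + TAIL,
}

if __name__ == "__main__":
    for name, value in SAMPLES.items():
        print(f"{name:9s} -> {sorted(helo_by_rules(value))}")
    print("posted grouping excludes 10.0.0.5:", excludes_source(PRIVATE_SRC_AS_POSTED, "10.0.0.5"))
```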
Created attachment 3497: sample spam for testing "HELO_BY_SAME"
This is a sample spam for testing "HELO_BY_SAME".
Created attachment 3498: sample spam for testing "HELO_BY_PARTIALSAME"
This is a sample spam for testing "HELO_BY_PARTIALSAME".
Closing old bugs. This exists as __HELO_AS_VICTIM.