From: Michel B. <mi...@bo...> - 2005-01-13 08:34:34

Hi there,

I've noticed that some viruses happen to pass the greylisting because they "insist" enough with the same From/To/IP_address triplet. However, they don't always use the same HELO string (I've seen some that use some machine name, always the same, but randomly append .com, .net or .org, which gives 3 possibilities: machine.com, machine.net or machine.org coming from the same IP).

Given that legit mailservers always use the same HELO string;
Given that some viruses don't, and some spambots use random HELO strings;

I propose that the HELO string should be added at least to the "connect" table and be taken into account as well as the already considered parameters.

I suggest that it could be good to consider adding it to the AWL tables as well (may be useful in isolating spam where both a legitimate mailserver and illegitimate zombies come from the same IP address, i.e. a LAN with NAT hosting both a legit mailserver and illegitimate zombies which shouldn't send mail directly).

Cheers.

-- 
Michel Bouissou <mi...@bo...> OpenPGP ID 0xDDE8AC6E
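To make the proposal concrete, here is a small simulation of the mechanism the post describes: a greylist keyed on the classic (IP, From, To) triplet beside the same greylist keyed on the triplet plus the HELO string. This is an added example written for this page; it is not code from the greylisting daemon under discussion or from the poster. The retry delay, the IP address, the addresses and the three traffic patterns (a legitimate MTA with a fixed HELO, a virus cycling machine.com/.net/.org, and a bot with a random HELO per attempt) are all constructed for the simulation.

```python
"""Greylisting keyed on (IP, from, to) versus (IP, from, to, HELO).

Added example for the post above; not the project's own code.
"""

# Seconds a key must be known before a retry is accepted.
# Hypothetical value chosen for the simulation; real deployments tune this.
MIN_DELAY = 300


class Greylist:
    """Minimal greylist: remembers when each key was first seen and defers
    until a retry arrives at least MIN_DELAY seconds after that."""

    def __init__(self, use_helo):
        self.use_helo = use_helo
        self.first_seen = {}

    def make_key(self, ip, sender, rcpt, helo):
        # Classic triplet; the HELO string is appended only when enabled.
        key = (ip, sender.lower(), rcpt.lower())
        if self.use_helo:
            key += (helo.lower(),)   # HELO hostnames are case-insensitive
        return key

    def check(self, now, ip, sender, rcpt, helo):
        """Return 'DEFER' or 'OK' for one delivery attempt made at time `now`."""
        key = self.make_key(ip, sender, rcpt, helo)
        first = self.first_seen.setdefault(key, now)   # records unseen keys
        return "OK" if now - first >= MIN_DELAY else "DEFER"


def first_accepted_attempt(use_helo, attempts):
    """Replay attempts of the form (now, ip, sender, rcpt, helo) in order and
    return the 1-based index of the first one accepted, or None if all defer."""
    grey = Greylist(use_helo)
    for n, (now, ip, sender, rcpt, helo) in enumerate(attempts, start=1):
        if grey.check(now, ip, sender, rcpt, helo) == "OK":
            return n
    return None


# Constructed sample traffic (not captured from a real server); times in seconds.
IP = "192.0.2.10"
SENDER = "bob@example.net"
RCPT = "alice@example.org"

# Legitimate MTA: identical HELO on every retry, retrying every 15 minutes.
LEGIT = [(t, IP, SENDER, RCPT, "mail.example.net") for t in (0, 900, 1800)]

# Virus from the post: same triplet, HELO cycling through .com/.net/.org.
VIRUS = [(t, IP, SENDER, RCPT, "machine" + tld)
         for t, tld in zip((0, 600, 1200, 1800, 2400),
                           (".com", ".net", ".org", ".com", ".net"))]

# Spambot with a fresh random-looking HELO on each attempt.
BOT = [(t, IP, SENDER, RCPT, helo)
       for t, helo in zip((0, 600, 1200), ("qzv7k", "m3xpa", "h0ttr"))]


def summary():
    """Map each traffic pattern to (attempt accepted with triplet key,
    attempt accepted with triplet+HELO key)."""
    return {name: (first_accepted_attempt(False, a), first_accepted_attempt(True, a))
            for name, a in (("legit", LEGIT), ("virus", VIRUS), ("bot", BOT))}


if __name__ == "__main__":
    for name, (triplet, with_helo) in summary().items():
        print(f"{name:6s} triplet: attempt {triplet}  triplet+HELO: attempt {with_helo}")
```

Running it shows the legitimate MTA accepted on its second attempt under both keys, so the change costs compliant senders nothing. The rotating-HELO virus is accepted on attempt 2 under the triplet but only on attempt 4 under the extended key, when machine.com comes round again after the delay has elapsed; the bot with a random HELO per attempt never gets through. The caveat a deployer should keep in mind is visible in the virus row: adding HELO multiplies the retries a persistent sender needs by the number of HELO variants it uses, it does not stop a sender that cycles a small fixed set and keeps insisting.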