Spam Tactics

In my Exim logs this morning I noticed a new tactic spammers have started using.

2006-06-14 14:19:24 SMTP protocol violation: synchronization error (next input sent too soon: pipelining was not advertised): rejected "To: tensai@joanna.zmonkey.org" H=(tensai) [202.1.206.213] next input="..."

I get these every now and again because I don't support pipelining and I have a 4 second delay on my SMTP greeting, but that's not what I'm showing you. The curious part is "H=(tensai)". For quite a while spammers have been using a strange technique of presenting, as their HELO name, the name of the very host they are connecting to. The logic of that is beyond me, but I don't really care since the way to defeat it is easy. Now they've mutated, and the solution to this one is just as simple:

acl_check_rcpt:
  ...
  # Reject any sender whose HELO name is identical to the local part of the
  # recipient address it is trying to deliver to.
  drop    message = but that's my name
          condition = ${if eq {$sender_helo_name}{$local_part} {yes}{no}}

That config will drop any message where the sender identifies itself with the same name as one of my users. There's a small danger that some legitimate server's HELO name will actually match one of my local parts, but I'm kinda doubtful. Most hosts will use fully qualified names, I would think.
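To see which rejected connections would have tripped that ACL (and which used the older "HELO with my own hostname" trick), here is an added log-scanning example; it is not part of the original post. The sample log lines are constructed in the post's Exim format with documentation-range IPs, and `joanna.zmonkey.org` is assumed to be the receiving host's name.

```python
import re

# Constructed sample reject lines modelled on the post's log entry (not real traffic).
SAMPLE_LOG = """\
2006-06-14 14:19:24 SMTP protocol violation: synchronization error (next input sent too soon: pipelining was not advertised): rejected "To: tensai@joanna.zmonkey.org" H=(tensai) [192.0.2.10] next input="..."
2006-06-14 14:20:01 SMTP protocol violation: synchronization error (next input sent too soon: pipelining was not advertised): rejected "To: tensai@joanna.zmonkey.org" H=(joanna.zmonkey.org) [192.0.2.11] next input="..."
2006-06-14 14:21:37 SMTP protocol violation: synchronization error (next input sent too soon: pipelining was not advertised): rejected "To: tensai@joanna.zmonkey.org" H=mail.example.net (mail.example.net) [192.0.2.12] next input="..."
"""

# Exim writes the peer as H=(helo) [ip] when there is no reverse DNS,
# or H=hostname (helo) [ip] when there is; both forms are handled here.
LOG_RE = re.compile(
    r'rejected "To: (?P<rcpt>[^"]+)" '
    r'H=(?:(?P<host>[^\s(]+) )?\((?P<helo>[^)]*)\) \[(?P<ip>[^\]]+)\]'
)


def classify_helo(line, local_hostname):
    """Label one Exim reject line by the HELO tactic it shows, or None if the
    line carries no recipient/HELO pair. Comparison is case-insensitive here;
    the post's ACL uses Exim's case-sensitive 'eq'."""
    m = LOG_RE.search(line)
    if not m:
        return None
    helo = m.group("helo").lower()
    local_part = m.group("rcpt").split("@", 1)[0].lower()
    if helo == local_part:
        return "helo-is-recipient-localpart"  # what the post's ACL drops
    if helo == local_hostname.lower():
        return "helo-is-our-hostname"         # the older tactic the post mentions
    return "ordinary"


def scan(log_text, local_hostname):
    """Map each matching line's peer IP to its HELO classification."""
    results = {}
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if m:
            results[m.group("ip")] = classify_helo(line, local_hostname)
    return results


if __name__ == "__main__":
    for ip, label in scan(SAMPLE_LOG, "joanna.zmonkey.org").items():
        print(f"{ip:15} {label}")
```

Exim's `eq` condition is case-sensitive; `eqi` is the case-insensitive form, which matters because HELO names and local parts can arrive in mixed case.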
