Re: a small explanation on rule FORGED_RCVD_HELO

From: Matt Kettler <mkettler_sa(at)verizon.net>
Date: Tue Aug 14 2007 - 07:38:05 EDT


Claude Frantz wrote:
> Matt Kettler wrote:
>
>> It looks for a HELO that doesn't match the reverse DNS for the IP
>> address.
>
> Please note the case of clients connected to the network via NAT and
> using dynamic IP addresses. In the general case, such clients do not
> know the IP address to which their local address is translated using
> NAT. Such clients cannot set a correct HELO.
Which is one of the many, many, many reasons this rule had a high false positive rate, thus had a low score in 3.1.x and was removed from 3.2.x.

I don't think anyone believes this rule is a good one, and the above facts (mentioned in the very post you replied to) indicate the SA team knows this already.

Received on Tue Aug 14 07:39:16 2007
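As an added illustration of the check this thread is about (example code written for this page, not SpamAssassin's own rule implementation): it parses a Postfix/sendmail-style Received: header, compares the HELO name with the reverse DNS name the receiving MTA recorded for the connecting IP, and counts how often legitimate mail would be flagged. The header shape, the loose comparison (exact match or same last two labels), the sample headers and the host names are all assumptions made for the example.

```python
import re

# Shape of a Postfix/sendmail-style Received: header, simplified for this example:
#   from <HELO name> (<reverse-DNS name> [<IP address>]) by ...
# Real headers vary a lot more than this; treat the regex as an assumption.
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+\((?P<rdns>[^\s()\[\]]+)\s+\[(?P<ip>[^\]]+)\]\)"
)


def parse_received(header):
    """Return (helo, rdns, ip) from a Received: header, or None if the shape is not recognised."""
    m = RECEIVED_RE.search(header)
    if not m:
        return None
    return m.group("helo").lower(), m.group("rdns").lower(), m.group("ip")


def helo_matches_rdns(helo, rdns):
    """True if the HELO name agrees with the reverse DNS name, False if not,
    None when the MTA recorded no usable reverse DNS (Postfix writes 'unknown').
    The comparison (exact match, or same last two labels) is a simplification
    chosen for this example, not the exact logic SpamAssassin used."""
    helo = helo.lower().rstrip(".")
    rdns = rdns.lower().rstrip(".")
    if rdns in ("", "unknown"):
        return None
    if helo == rdns:
        return True
    return helo.split(".")[-2:] == rdns.split(".")[-2:]


def classify_received(header):
    """Map one Received: header to 'match', 'mismatch', 'no_rdns' or 'unparsed'."""
    parsed = parse_received(header)
    if parsed is None:
        return "unparsed"
    helo, rdns, _ip = parsed
    verdict = helo_matches_rdns(helo, rdns)
    if verdict is None:
        return "no_rdns"
    return "match" if verdict else "mismatch"


def false_positive_rate(samples):
    """samples: iterable of (header, is_spam). Returns the fraction of legitimate
    (non-spam) messages the HELO/rDNS check would flag, i.e. its false positive rate."""
    ham_total = ham_flagged = 0
    for header, is_spam in samples:
        if is_spam:
            continue
        ham_total += 1
        if classify_received(header) == "mismatch":
            ham_flagged += 1
    return ham_flagged / ham_total if ham_total else 0.0


# Constructed sample headers (RFC 5737 documentation addresses, invented host names).
SAMPLES = [
    # A proper MTA: HELO and reverse DNS agree.
    ("from mx1.example.org (mx1.example.org [192.0.2.10]) by mx.example.net", False),
    # The NAT case from the thread: the client HELOs with its internal name,
    # but the MTA sees the ISP's reverse DNS for the translated public address.
    ("from laptop.internal.lan (dsl-192-0-2-1.isp.example [192.0.2.1]) by mx.example.net", False),
    # Forged HELO from a host with no reverse DNS: the check cannot say anything.
    ("from mx1.example.org (unknown [198.51.100.7]) by mx.example.net", True),
    # Forged HELO claiming to be the recipient's own server.
    ("from mx.example.net (host-203-0-113-5.botnet.example [203.0.113.5]) by mx.example.net", True),
]

if __name__ == "__main__":
    for header, is_spam in SAMPLES:
        print(f"{'spam' if is_spam else 'ham '}  {classify_received(header):9s}  {header}")
    print("false positive rate on the ham samples:", false_positive_rate(SAMPLES))
```

The second sample is the situation Claude describes: a NAT client cannot know the public address it is translated to, so its HELO can never agree with the ISP's reverse DNS, and the check flags perfectly legitimate mail. With half of the constructed ham samples flagged, the test alone carries far too little signal to deserve a high score, which is the reasoning behind the low 3.1.x score and the removal in 3.2.x.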

This archive was generated by hypermail 2.1.8 : Wed Oct 24 2007 - 05:18:45 EDT

