[Esd-l] Useful virus trap

John D. Hardin jhardin at impsec.org
Tue Jun 15 06:02:57 PDT 2004


On Tue, 15 Jun 2004, Marcus Williams wrote:

> Not sure if this is of any use to anyone, but it works really well
> here...
> 
> Basically, mail from our domain (quintic.co.uk) never comes from a
> machine called quintic.co.uk, so the received lines in all
> incoming emails should never contain a "HELO quintic.co.uk"
> 
> What I have noticed is a fair few viruses use the "HELO
> recipient.domain" as the identifying domain when sending automated
> virii to us

That general model can be very useful - e.g. reject messages where the
HELO is from your domain and the client's IP is from the outside.

This sort of thing is best done in the MTA, so that the message can be
rejected right away rather than accepting it and filtering it later,
but it's still useful to have in procmail - remember, defense in
depth.

You should also look into publishing SPF records, and enabling SPF
checks in your MTA.

Thanks!

--
 John Hardin KA7OHZ    ICQ#15735746    http://www.impsec.org/~jhardin/
 jhardin at impsec.org    FALaholic #11174    pgpk -a jhardin at impsec.org
 key: 0xB8732E79 - 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
  The [assault weapons] ban is the moral equivalent of banning red
  cars because they look too fast.
                                   -- Steve Chapman, Chicago Tribune
-----------------------------------------------------------------------
   91 days until the "Scary-Looking Guns" ban expires
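The check John describes above (HELO claims your own domain, but the connecting IP is not one of yours) is easy to express as a header test. What follows is an added illustration, not code from the original post or from the Email Sanitizer; it assumes a protected domain of example.com and internal address ranges of 192.0.2.0/24 and 2001:db8::/32, and it parses the sendmail/Postfix style "from HELO (rdns [ip]) by ..." Received line. Only the topmost Received header is examined, because that is the one your own MTA wrote from the actual TCP connection; every header below it was supplied by the sender and can say anything.

```python
import ipaddress
import re
from email import message_from_string

# Assumed values (not from the original post): the domain being protected and
# the networks that legitimately originate mail for it.
OUR_DOMAIN = "example.com"
OUR_NETWORKS = [
    ipaddress.ip_network("192.0.2.0/24"),
    ipaddress.ip_network("2001:db8::/32"),
]

# Matches the sendmail/Postfix form:  from <helo> (<rdns> [<ip>]) by ...
# The rDNS part is optional. The bracketed IP is the part worth trusting,
# since the receiving MTA took it from the connection, not from the client.
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s*"
    r"(?:\([^)]*?\[(?:IPv6:)?(?P<ip>[0-9a-fA-F.:]+)\][^)]*\))?"
    r"\s+by\s+",
    re.IGNORECASE,
)


def parse_received(header):
    """Return (helo, ip_or_None) from one Received: header, or None if it
    does not match the expected form."""
    m = RECEIVED_RE.search(" ".join(header.split()))
    if not m:
        return None
    return m.group("helo").strip("[]"), m.group("ip")


def claims_our_domain(helo):
    h = helo.lower().rstrip(".")
    return h == OUR_DOMAIN or h.endswith("." + OUR_DOMAIN)


def is_internal(ip):
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in OUR_NETWORKS)


def forged_helo(raw_message):
    """True when the Received header written by our own MTA (the topmost one)
    shows a client that greeted with our domain name from an outside address.
    Unparsable headers or a missing IP are not flagged: HELO alone is not
    enough to act on."""
    msg = message_from_string(raw_message)
    received = msg.get_all("Received") or []
    if not received:
        return False
    parsed = parse_received(received[0])
    if parsed is None:
        return False
    helo, ip = parsed
    if not claims_our_domain(helo) or ip is None:
        return False
    return not is_internal(ip)


# Constructed sample messages, not real traffic.
FORGED = """Received: from example.com (unknown [203.0.113.45])
\tby mail.example.com (Postfix) with ESMTP id ABC123
\tfor <user@example.com>; Tue, 15 Jun 2004 06:02:57 -0700
Subject: test

body
"""

INTERNAL = """Received: from example.com (relay.example.com [192.0.2.10])
\tby mail.example.com (Postfix) with ESMTP id DEF456
\tfor <user@example.com>; Tue, 15 Jun 2004 06:02:57 -0700
Subject: test

body
"""

OUTSIDE_OTHER_HELO = """Received: from mx1.partner.invalid (mx1.partner.invalid [198.51.100.7])
\tby mail.example.com (Postfix) with ESMTP id GHI789
\tfor <user@example.com>; Tue, 15 Jun 2004 06:02:57 -0700
Subject: test

body
"""

if __name__ == "__main__":
    for name, sample in (("forged", FORGED), ("internal", INTERNAL),
                         ("outside", OUTSIDE_OTHER_HELO)):
        print(name, "->", "REJECT" if forged_helo(sample) else "ok")
```

Note that the HELO name is only ever taken from the first Received header; to score by rDNS instead, or to trust a relay in front of your MTA, you would have to walk further down the chain, and that is where most header-based checks go wrong. As the reply says, the same rule is better enforced in the MTA at SMTP time, where the HELO string and client address are known directly and the message can be refused before it is accepted.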

