Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1529
Views
0
Helpful
1
Replies

spamming from zombies

poffio_ironport
Level 1
Level 1

‎10-12-2007 10:44 AM

hi,
in our organization (italian ISP) we have ten ironport appliance for relay service of our customers.
In last weeks we are receiving a lot of spam from clients probably infected by worms.
These messages are not blocked from IPAS.
The bodies, senders, recipients ed subjects change continuosly. It's an hard work for us insert filters every few hours.
All messages have a similar entry in the header. After the ehlo the worm insert a variable number of digit (from 4 to 8 digit).
For example:
EHLO 8035583
EHLO 5516357
EHLO 5649719

Is it possibile to insert a filter that drops connections if after helo a numeric value is inserted ?

Thanks for your help.
Fabio.

Labels:
0 Helpful
1 Reply 1

Mark [CSE]_ironport
Level 1
Level 1

‎10-16-2007 10:34 AM

You cannot filter on the HELO line in the SMTP session. Content or message filter are no able to parse this information.

You can only submit the samples to help us improve our IPAS rules.

Best Regards,

Mark

0 Helpful
Customers Also Viewed These Support Documents