hi,
in our organization (italian ISP) we have ten ironport appliance for relay service of our customers.
In last weeks we are receiving a lot of spam from clients probably infected by worms.
These messages are not blocked from IPAS.
The bodies, senders, recipients ed subjects change continuosly. It's an hard work for us insert filters every few hours.
All messages have a similar entry in the header. After the ehlo the worm insert a variable number of digit (from 4 to 8 digit).
For example:
EHLO 8035583
EHLO 5516357
EHLO 5649719
Is it possibile to insert a filter that drops connections if after helo a numeric value is inserted ?
Thanks for your help.
Fabio.