Scott,

I think I have figured out what is going on with the RBL and the
0.0.0.0 address business. I have not been able to nab any exact
example, but I think what I did nab below tells the story. The below
e-mail was legitimate and Not SPAM, but it was treated as SPAM.

The long and short is that there is a problem with MAPS and using
HOP/HOP High.

Global.cfg:
HOP         0
HOPHIGH     1
-----------------

Declude Log:
08/02/2002 16:36:26 Qfb50142 HELOBOGUS:2 REVDNS:4 .  Total weight = 6
08/02/2002 16:36:26 Qfb50142 Msg failed RBL (This E-mail came from 1.4.11.75, a potential spam source listed in RBL.).
08/02/2002 16:36:27 Qfb50142 Msg failed HELOBOGUS (Domain B2BWeb1.Resource.MH2.Com has no MX/A records.).
08/02/2002 16:36:27 Qfb50142 Msg failed REVDNS (This E-mail was sent from a MUA/MTA 65.203.99.90 with no reverse DNS entry.).
08/02/2002 16:36:27 Qfb50142 Subject: MH2BuildPro Order #3079852-000 (jme)
08/02/2002 16:36:27 Qfb50142 From: [EMAIL PROTECTED] To: [EMAIL PROTECTED]
-----------------

Imail Log:
20020802 163616 127.0.0.1       SMTPD (0D7E0142) [64.90.57.60] connect 65.203.99.90 port 3789
20020802 163616 127.0.0.1       SMTPD (0D7E0142) [65.203.99.90] EHLO B2BWeb1.Resource.MH2.Com
20020802 163616 127.0.0.1       SMTPD (0D7E0142) [65.203.99.90] MAIL FROM:<[EMAIL PROTECTED]>
20020802 163616 127.0.0.1       SMTPD (0D7E0142) [65.203.99.90] RCPT TO:<[EMAIL PROTECTED]>
20020802 163617 127.0.0.1       SMTPD (0D7E0142) [65.203.99.90] D:\IMail\spool\Dfb50142.SMD
-----------------

Headers:
Received: from B2BWeb1.Resource.MH2.Com [65.203.99.90] by Leitos.com with ESMTP
  (SMTPD32-6.06) id AB50D7E0142; Fri, 02 Aug 2002 16:36:16 -0500
Received: from daa21301www003.cus.drtn.corp ([1.4.11.75]) by B2BWeb1.Resource.MH2.Com with Microsoft SMTPSVC(5.0.2195.4905);
         Fri, 2 Aug 2002 16:36:15 -0500
Received: from mail pickup service by daa21301www003.cus.drtn.corp with Microsoft SMTPSVC;
         Fri, 2 Aug 2002 16:35:57 -0500
From: <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Subject: MH2BuildPro Order #3079852-000 (jme)
Date: Fri, 2 Aug 2002 16:35:56 -0500
MIME-Version: 1.0
Content-Type: multipart/alternative;
        boundary="----=_NextPart_000_2458_01C23A42.AD429670"
X-Priority: 1
X-MSMail-Priority: High
Importance: High
X-FONT: COURIER
X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4910.0300
Message-ID: <[EMAIL PROTECTED]>
X-OriginalArrivalTime: 02 Aug 2002 21:35:57.0152 (UTC) FILETIME=[96410E00:01C23A6C]
Return-Path: [EMAIL PROTECTED]
X-Declude-Sender: [EMAIL PROTECTED] [65.203.99.90]
X-Declude-Spoolname: Dfb50142.SMD
X-Note: This E-mail was sent from [No Reverse DNS] ([65.203.99.90]).
X-Note: Failed: RBL, HELOBOGUS, REVDNS - Total Weight: 6.
X-Note: Checked for SPAM and Viruses by Internet Concepts - http://www.inetconcepts.net.
-----------------

You'll note that this was killed due to the RBL failing on HOP HIGH.
Declude did what it was supposed to do.

MAPS has Blackholed most all of the IANA reserved addresses, which are
defined at http://www.iana.org/assignments/ipv4-address-space. But,
they have NOT Blackholed the RFC1918 private addresses.

Checking HOP 1 does reduce SPAM. So, is it possible to not check MAPS
when greater than HOP zero is an IANA or RFC1918 reserved address?
Also, can you write to the log when it does fail a HOP > 0? That would
make it much easier to quantify the value of this test and to examine
them more closely.

I checked all of the following blocks, using the MAPS lookup and found
the following:

Legend:
x = Verified as Blackholed
* = Verified as Not Blackholed

IANA Reserved:
x 000/8           IANA - Reserved                         Sep 81
x 001/8           IANA - Reserved                         Sep 81
x 002/8           IANA - Reserved                         Sep 81
x 005/8           IANA - Reserved                         Jul 95
x 007/8           IANA - Reserved                         Apr 95
x 023/8           IANA - Reserved                         Jul 95
x 027/8           IANA - Reserved                         Apr 95
* 031/8           IANA - Reserved                         Apr 99
x 036/8           IANA - Reserved                         Jul 00
x 037/8           IANA - Reserved                         Apr 95
x 039/8           IANA - Reserved                         Apr 95
x 041/8           IANA - Reserved                         May 95
x 042/8           IANA - Reserved                         Jul 95
x 058/8           IANA - Reserved                         Sep 81
x 059/8           IANA - Reserved                         Sep 81
x 060/8           IANA - Reserved                         Sep 81
x 069-079/8       IANA - Reserved                         Sep 81
x 082-095/8       IANA - Reserved                         Sep 81
x 096-126/8       IANA - Reserved                         Sep 81
* 127/8           IANA - Reserved                         Sep 81
* 197/8           IANA - Reserved                         May 93
x 222-223/8       IANA - Reserved                         Sep 81
* 240-255/8       IANA - Reserved                         Sep 81

RFC1918 Reserved Addresses:
* 10.0.0.0        -   10.255.255.255  (10/8 prefix)
* 172.16.0.0      -   172.31.255.255  (172.16/12 prefix)
* 192.168.0.0     -   192.168.255.255 (192.168/16 prefix)

This is the text that MAPS returns on their site for those verified "x" above:
  "This network address is reserved by the Internet Assigned Numbers
  Authority (IANA).  No Internet traffic should originate from this
  address.  Any packets with this source address can be assumed to
  be forged.

  References:

    The IANA Home Page
          <http://www.isi.edu/div7/iana/>

    IP v4 Address Space
          <http://www.isi.edu/in-notes/iana/assignments/ipv4-address-space>"

Thanks,



----
Don Brown - Dallas, Texas USA     Internet Concepts, Inc.
[EMAIL PROTECTED]         http://www.inetconcepts.net
PGP Key ID: 04C99A55              (972) 788-2364  Fax: (972) 788-5049
Providing Internet Solutions Worldwide - An eDataWeb Affiliate
----
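
The behaviour requested in the message above, sketched as an added example (not part of the original e-mail and not Declude's code): walk the Received headers, keep hops between HOP and HOPHIGH, and skip the RBL lookup for any hop above zero whose address is RFC1918 or in the reserved /8 list the message gives (a 2002 snapshot). The function names, and counting only Received headers that carry a bracketed address as hops, are assumptions.

```python
import ipaddress
import re

# Reserved /8 first octets exactly as enumerated in the message (2002 snapshot).
RESERVED_8 = set([0, 1, 2, 5, 7, 23, 27, 31, 36, 37, 39, 41, 42, 58, 59, 60, 127, 197]
                 + list(range(69, 80)) + list(range(82, 127))
                 + list(range(222, 224)) + list(range(240, 256)))
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
BRACKETED_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def hop_addresses(raw_headers):
    """Bracketed IP of each Received header, newest first (hop 0 first)."""
    unfolded = re.sub(r"\r?\n[ \t]+", " ", raw_headers)  # undo header folding
    hops = []
    for line in unfolded.splitlines():
        if not line.lower().startswith("received:"):
            continue
        m = BRACKETED_IP.search(line)
        if m:
            try:
                hops.append(ipaddress.ip_address(m.group(1)))
            except ValueError:
                pass  # malformed octets, e.g. 999.1.1.1: not a usable hop
    return hops

def is_unroutable(ip):
    """True for RFC1918 space or a reserved /8 from the message's list."""
    return any(ip in net for net in RFC1918) or ip.packed[0] in RESERVED_8

def rbl_plan(raw_headers, hop=0, hophigh=1):
    """(hop number, address, action) per hop; doubles as the log record asked for."""
    plan = []
    for n, ip in enumerate(hop_addresses(raw_headers)):
        if hop <= n <= hophigh:
            # Hop 0 is the connecting peer seen by our own server: always query it.
            skip = n > 0 and is_unroutable(ip)
            plan.append((n, str(ip), "skip" if skip else "query"))
    return plan

# Received headers from the message above, re-folded with leading whitespace.
SAMPLE = """\
Received: from B2BWeb1.Resource.MH2.Com [65.203.99.90] by Leitos.com with ESMTP
  (SMTPD32-6.06) id AB50D7E0142; Fri, 02 Aug 2002 16:36:16 -0500
Received: from daa21301www003.cus.drtn.corp ([1.4.11.75]) by B2BWeb1.Resource.MH2.Com
  with Microsoft SMTPSVC(5.0.2195.4905); Fri, 2 Aug 2002 16:36:15 -0500
Received: from mail pickup service by daa21301www003.cus.drtn.corp with Microsoft SMTPSVC;
  Fri, 2 Aug 2002 16:35:57 -0500
"""
```

With the page's `HOP 0` / `HOPHIGH 1` settings, `rbl_plan(SAMPLE)` queries 65.203.99.90 and skips 1.4.11.75, the internal hop that triggered the RBL failure in the log.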
