Ahh, I get it.  But it would have to compare the REMOTEIP to the HELO string, not to 
the REVDNS.  Because "styggen.com" in the header below indicates the HELO string sent 
by the remote mail server, rather than the REVDNS value.

> Received: from styggen.com [24.208.153.243] by mx2.spamsoap.com

It would be difficult to maintain an accurate list of ISP CIDRs though.  So what about 
a variation of this idea where the test would force REVDNS and HELO strings to contain 
a partial match.  For example, an entry like this...

.rr.com  .rr.net

...would require a REVDNS that contains ".rr.com", to use a HELO string containing 
either ".rr.com" or ".rr.net".  Or perhaps the other way around.

Bill 
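
Added example (not part of the original message and not Declude JunkMail code): a sketch of the REVDNS/HELO partial-match test proposed above, run against the Received line quoted in this thread. The function names, the rule-file handling and the REVDNS values are assumptions constructed for illustration, and "contains" is read as a suffix match so a pattern cannot match in the middle of an unrelated hostname.

```python
import re

# Constructed rule table in the format proposed above: the first pattern is
# matched against REVDNS; every pattern on the line is an acceptable HELO.
RULES_TEXT = """
.rr.com  .rr.net
"""

# Matches the header layout shown in this thread:
#   Received: from <HELO> [<REMOTEIP>] by <receiving host>
RECEIVED_RE = re.compile(
    r"^Received:\s+from\s+(?P<helo>\S+)\s+\[(?P<ip>[0-9.]+)\]\s+by\s+\S+",
    re.IGNORECASE,
)

def parse_rules(text):
    rules = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].lower().split()
        if fields:
            rules.append((fields[0], tuple(fields)))
    return rules

def parse_received(header):
    m = RECEIVED_RE.match(header.strip())
    return (m.group("helo"), m.group("ip")) if m else None

def matches(host, pattern):
    # Prefix a dot so "rr.com" itself satisfies the pattern ".rr.com".
    return ("." + host.lower().rstrip(".")).endswith(pattern)

def check(header, revdns, rules):
    parsed = parse_received(header)
    if parsed is None:
        return "unparsed"
    helo, _ip = parsed
    if not revdns:
        return "no-revdns"  # rules key on REVDNS, so there is nothing to compare
    for rdns_pat, helo_pats in rules:
        if matches(revdns, rdns_pat):
            ok = any(matches(helo, p) for p in helo_pats)
            return "pass" if ok else "fail"
    return "not-listed"  # REVDNS belongs to no listed ISP; test does not apply

RULES = parse_rules(RULES_TEXT)

if __name__ == "__main__":
    hdr = "Received: from styggen.com [24.208.153.243] by mx2.spamsoap.com"
    # The REVDNS value is constructed; the real lookup result is not on the page.
    print(check(hdr, "host243.constructed.rr.com", RULES))
```
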


-----Original Message-----
From: Dan Patnode
Sent: 08 Jun 2003 12:47:11 -0700
Subject: Re: [Declude.JunkMail] SpamIPs Test Idea


Thanks for the question Bill,

Looking back at my original posting, I showed RDNS, then said "all the domains those 
IPs use".  The intent is to ignore MAILFROM (which Spam Domains already checks) and 
compare only IP with RDNS.


Scott,

Would that still be effective?


Dan


On Sunday, June 8, 2003 11:49, Bill B. <[EMAIL PROTECTED]> wrote:
>I'm not sure that I agree with this test.  I use Earthlink DSL
>at home, and I never send out emails using my "@earthlink.net"
>address.  I always use my personal or business address, neither
>of which are provided by Earthlink.
>
>I'd bet that a large percentage of DSL, Cable and Dial-up
>customers do not use the email account that their ISP provides,
>but they use their ISP's outgoing mail server because they are
>forced to due to port 25 filtering.
>
>Bill
>
>
>-----Original Message-----
>From: "R. Scott Perry"
>Sent: Sun, 08 Jun 2003 09:36:56 -0400
>Subject: Re: [Declude.JunkMail] SpamIPs Test Idea
>
>
>
>>Another idea for a new test, a close cousin to the SpamDomains test:
>>
>> >Received: from styggen.com [24.208.153.243] by mx2.spamsoap.com
>> >(SMTPD32-7.15) id A288E80090; Fri, 06 Jun 2003 10:42:32 -0700
>>
>>This message came from a road runner IP.  How about a test where we build 
>>a list of CIDRs for a given ISP, then match it with all the domains those 
>>IPs use.  In this case, the file entry would be (I know rr doesn't use .net)
>>
>>24.208.0.0/14    rr.com   rr.net
>>
>>In this case, it would match the IP, look for both RR entries, find 
>>styggen.com and fail the message.
>
>That's a pretty neat idea.  That would work well for ISPs that don't allow 
>their customers to run a mailserver, as it would provide an easy way to 
>catch (most) mail from spammers on their networks, while allowing the 
>legitimate E-mail through.
>
>                                                    -Scott
>---
>Declude JunkMail: The advanced anti-spam solution for IMail mailservers.
>Declude Virus: Catches known viruses and is the leader in mailserver 
>vulnerability detection.
>Find out what you have been missing: Ask for a free 30-day
>evaluation.
>
>---
>[This E-mail was scanned for viruses by Declude Virus
>(http://www.declude.com)]
>
>---
>This E-mail came from the Declude.JunkMail mailing list.  To
>unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
>type "unsubscribe Declude.JunkMail".  The archives can be found
>at http://www.mail-archive.com.
