Dan, let me take a stab at an explanation. The SPAMDOMAINS test was implemented to help catch spammers that use frequently forged/abused domains in their spam messages, domains like yahoo.com, hotmail.com, aol.com, juno.com, etc. These large mail providers typically have DNS records that are set up correctly so that they provide proper forward (A records), reverse (PTR records), and mail exchanger (MX records) for their zones. Because their DNS configurations are set up correctly, you can query them and get accurate, and usually matching, forward and reverse lookups against their mail exchangers (MXs).

So, the way to use the SPAMDOMAINS test is to define the test in the Global.cfg file:

SPAMDOMAINS spamdomains M:\IMail\Declude\SpamDomains.txt x 10 0

and create a SpamDomains.txt file with the commonly forged domains that will resolve correctly if queried. Here is the list of domains I currently have listed in my SpamDomains.txt file:

==========
amazon.com
ameritech.net
aol.com
apple.com
@att. .att.
attbi.com
bellsouth.net
charter.net
comcast.
compuserve.com
concentric. .cnchost.com
@cox. .cox.
@cs.com .aol.com
earthlink.
excite.com
geocities.com .yahoo.com
gte. .verizon.
@hotmail.com .hotmail.com
juno.com .untd.com
lycos.com
microsoft.com
mindspring.
msn.com .hotmail.com
netscape. .aol.com
netzero. .untd.com
prodigy.
@psi. .psi.
qwest. .uswest.
.rr.com
sbc.com
swbell.net .prodigy.net
verio.
verizon. .bellatlantic.
yahoo.
==========

The way the test works is by defining, for example, "yahoo." in the SpamDomains.txt file, any message that IMail receives that claims to be from a "yahoo." e-mail address should also be sent by an IP address of one of Yahoo's mail servers. So what Declude JM does is query your DNS for the PTR record of the IP address that delivered the message to see if it responds with a "yahoo." mail server record. If it does, no weight is added to the message because it was actually delivered by a yahoo mail server (doesn't mean it's not spam being sent and delivered by a yahoo e-mail customer, but at least it is not a forged domain). However, if it does _NOT_ come back with a Yahoo record, then whatever weight you defined for the test in the Global.cfg file will be applied to the message (because the from domain is forged and more likely spam).

For those e-mail domains that can respond with other domain records, you can define one additional domain that the e-mail domain can respond with and still be considered legitimate.
For example:

juno.com .untd.com

When the PTR record is queried, if the response contains either juno.com or .untd.com, the message is considered legit and no weight is applied. If the response is anything else, the message weight would again be increased by your defined test weight.

HTH,
Bill

----- Original Message -----
From: "Dan Geiser" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Wednesday, June 11, 2003 2:56 PM
Subject: [Declude.JunkMail] Using SPAMDOMAINS Test

> Hello, All,
> I've been trying to read all the messages related to this test and I'm
> having a hard time understanding what exactly the test is, i.e. what purpose
> it serves, and how I go about putting it in place. Sometimes I feel like
> there's another secret discussion list at a lower-level which I'm not privy
> to which these issues are discussed on. I hope that's not the case.
>
> Anyway I searched the entire e-mail archive which I have created since I
> subscribed in February and also read the release notes and I still don't
> understand what it is and how to implement it. Does anyone feel the same
> way that I do?
>
> When a new text is introduced isn't there some way you can spell it out in
> exact detail which files have to be edited and what entries need to be added
> to put a new test into play? Also, can't a brief description of the test be
> written up with a clear real-world example of how exactly it works? Perhaps
> it's just my own stupidity but I'm having trouble gleaning the necessary
> information from the resources (Manual, Release Notes and Discussion List)
> which are at my disposal.
>
> Obviously there are some people on this list who don't work for Computerized
> Horizons yet manage to "get" these tests right out of the starting gate. I
> don't understand how people are making these leaps in syntax and logic with
> the dribs and drabs and shreds of information that we are given to go on.
> Can someone help me?
>
> All feedback and spoon-feeding is appreciated.
>
> Thanks,
> Dan
>
>
> ====================================================================
> This E-mail is scanned and free from viruses. www.nexustechgroup.com
>
> ---
> [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]
>
> ---
> This E-mail came from the Declude.JunkMail mailing list. To
> unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
> type "unsubscribe Declude.JunkMail". The archives can be found
> at http://www.mail-archive.com.
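
The check described in the reply above, as an added sketch that is not Declude's code and not part of the original messages. It assumes plain substring matching, that the first matching SpamDomains.txt line decides, and that a missing PTR record counts as a mismatch; the IP addresses and PTR names are constructed sample data.

```python
import socket

# A few lines in the SpamDomains.txt style quoted in the message.
SPAMDOMAINS_TXT = """\
yahoo.
juno.com .untd.com
@hotmail.com .hotmail.com
"""

def parse_rules(text):
    """Each line: a sender pattern, optionally one alternate rDNS string."""
    rules = []
    for line in text.splitlines():
        fields = line.lower().split()
        if fields:
            rules.append((fields[0], fields[:2]))  # pattern + optional alternate
    return rules

def resolve_ptr(ip):
    """Reverse-DNS name of the delivering IP, or '' when none is returned."""
    try:
        return socket.gethostbyaddr(ip)[0].lower()
    except OSError:
        return ""

def spamdomains_weight(mail_from, remote_ip, rules, weight=10, ptr=resolve_ptr):
    """Return `weight` when the sender matches a listed pattern but the PTR
    name of the delivering IP contains neither the pattern nor its alternate."""
    sender = mail_from.lower()
    for pattern, accepted in rules:
        if pattern in sender:  # assumption: first matching line decides
            rdns = ptr(remote_ip)  # assumption: empty PTR is a mismatch
            return 0 if any(a in rdns for a in accepted) else weight
    return 0  # sender domain is not listed, so the test does not apply

# Constructed PTR data (documentation IP ranges) so the example runs offline.
FAKE_PTR = {
    "192.0.2.10": "mta7.mail.yahoo.com",
    "192.0.2.20": "outbound3.untd.com",
    "198.51.100.5": "dsl-5.pool.isp.example",
}

def fake_ptr(ip):
    return FAKE_PTR.get(ip, "")

def demo():
    rules = parse_rules(SPAMDOMAINS_TXT)
    cases = [("bob@yahoo.com", "192.0.2.10"), ("bob@yahoo.com", "198.51.100.5"),
             ("amy@juno.com", "192.0.2.20"), ("amy@example.org", "198.51.100.5"),
             ("joe@hotmail.com", "203.0.113.9")]
    return [spamdomains_weight(s, ip, rules, ptr=fake_ptr) for s, ip in cases]

if __name__ == "__main__":
    print(demo())
```

The default weight of 10 mirrors the `x 10 0` in the Global.cfg line quoted in the message; pass `ptr=resolve_ptr` (the default) to query live DNS instead of the constructed table.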