Note... some of the bogons are very safe and have been built into the
Message Sniffer rule base - in fact there are a surprising number of
captures on these rules! (no FPs reported yet) 

The safest ones are the multicast IP ranges. There's no good reason for
any email to ever be received (anywhere along the chain) from one of
these IP groups, but there are a surprising number of spam messages that show up
with forged received headers including these IPs.

Some of these groups might make good built-in Declude tests I think.

_M

Pete McNeil (Madscientist)
President, MicroNeil Research Corporation.
Chief SortMonster (www.sortmonster.com)

|-----Original Message-----
|From: [EMAIL PROTECTED] 
|[mailto:[EMAIL PROTECTED] On Behalf Of 
|Colbeck, Andrew
|Sent: Tuesday, September 23, 2003 4:39 PM
|To: '[EMAIL PROTECTED]'
|Subject: RE: [Declude.JunkMail] Bogus IP in headers
|
|
|I've been looking at a "new" test (hey, new to me and also the 
|Declude list of ip4r tests) at:
|
|http://www.cymru.com/Bogons/
|
|Which lists, and hosts an ip4r test for, address ranges that 
|are not routable on the Internet.  It includes the classic 
|ranges like 10.0.0.0/8 and 192.168.0.0/16 as well as lots of others.
|
|The problem of course is that any of these can be private 
|addresses used by mail servers. My own mail server would fail 
|this count if someone's hop settings were too aggressive.
|
|Perhaps it would be useful if declude.exe was designed to only 
|use it on the first hop from the Internet so as to catch 
|improperly routed/spoofed messages?
|
|Andrew...
|---
|[This E-mail was scanned for viruses by Declude Virus 
|(http://www.declude.com)]

---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type
"unsubscribe Declude.JunkMail".  The archives can be found at
http://www.mail-archive.com.
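
The check discussed in this thread, as an added example that is not part of the original posts and is not Declude or Message Sniffer code: multicast addresses in any Received header are flagged, while private ranges are flagged only at the first hop from the Internet. The sample message, the function names, the `first_hop` index (which Received header your border server wrote) and the inclusion of 172.16.0.0/12 are assumptions.

```python
import ipaddress
import re
from email import message_from_string

MULTICAST = ipaddress.ip_network("224.0.0.0/4")
# Private ranges: the two named in the thread plus 172.16.0.0/12 (added assumption).
PRIVATE = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
BRACKETED_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

# Constructed sample message (documentation addresses, not real traffic).
SAMPLE = (
    "Received: from relay.example.net (relay.example.net [192.0.2.25])\n"
    "\tby mx.example.org with ESMTP; Tue, 23 Sep 2003 16:40:00 -0400\n"
    "Received: from inside.example.net (inside.example.net [10.1.2.3])\n"
    "\tby relay.example.net with ESMTP; Tue, 23 Sep 2003 16:39:58 -0400\n"
    "Received: from unknown (HELO mail) ([239.1.2.3])\n"
    "\tby inside.example.net with SMTP; Tue, 23 Sep 2003 16:39:50 -0400\n"
    "Subject: constructed test message\n"
    "\n"
    "body\n"
)

def received_ips(raw):
    """One list of bracketed IPv4 literals per Received header, newest hop first."""
    hops = []
    for header in message_from_string(raw).get_all("Received", []):
        ips = []
        for text in BRACKETED_IP.findall(header):
            try:
                ips.append(ipaddress.ip_address(text))
            except ValueError:  # malformed literal such as [999.1.1.1]
                pass
        hops.append(ips)
    return hops

def bogon_findings(raw, first_hop=0):
    """Return (hop index, ip, reason) tuples for suspicious Received addresses."""
    findings = []
    for hop, ips in enumerate(received_ips(raw)):
        for ip in ips:
            if ip in MULTICAST:  # never legitimate at any hop
                findings.append((hop, str(ip), "multicast"))
            elif hop == first_hop and any(ip in net for net in PRIVATE):
                findings.append((hop, str(ip), "private-at-first-hop"))
    return findings

if __name__ == "__main__":
    for finding in bogon_findings(SAMPLE):
        print(finding)
```

The 10.1.2.3 hop in the sample is deliberately not flagged, since a private address deeper in the chain can be a legitimate internal mail server.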

