I would say that 99.9% is probably accurate here, and while that's
pretty good, it might cause more issues than benefit depending on your
system if you added extra weight for this condition. There is
unfortunately software out there, or at least configurations that will
insert IPs into the reverse DNS entry and also use that as the HELO.
For instance, if you name your Windows server with an IP'd entry, that
will get used by default in the HELO for MS SMTP if I'm not mistaken.
It would only be 99.9% accurate due to the sheer volume of zombie spam
however that uses this method, but I believe that there are a measurable
number of exceptions that may or may not work in a particular weighting
scheme.
Matt

Colbeck, Andrew wrote:
Kevin, I suspect that you're right, and that 99.9% of the time, your rule
would hold true.
I would suggest that the IP address in the HELO would have to match the
reverse DNS exactly, though.
I also think that this observation would also hold true if the HELO is an
IP address and there is no reverse lookup, or the reverse lookup times out.
I think running that as a test for a while would bear that out; let us know
if you code that up and want to test it on some more systems...
Andrew 8)

-----Original Message-----
From: Kevin Bilbee [mailto:[EMAIL PROTECTED]
Sent: Saturday, September 18, 2004 12:09 PM
To: [EMAIL PROTECTED]
Subject: [Declude.JunkMail] Idea
I was looking through my spam and legitimate email. I have noticed an
interesting thing. When there is an IP address in the HELO and the HELO
matches the reverse DNS then it is always spam. I cannot find one example
of a legitimate email that has these properties.
What do you think???
I can update my contains ip test to support this type of test also????
Kevin Bilbee
---
[This E-mail was scanned for viruses by Declude Virus
(http://www.declude.com)]
---
This E-mail came from the Declude.JunkMail mailing list. To unsubscribe,
just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe
Declude.JunkMail". The archives can be found at
http://www.mail-archive.com.
--
=====================================================
MailPure custom filters for Declude JunkMail Pro.
http://www.mailpure.com/software/
=====================================================
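
The test discussed in this thread, sketched in Python as an added example (not code from any poster or from Declude). The function names, result labels and sample hosts are constructed; "IP in the HELO" is assumed to mean that the connecting IPv4 address's octets appear in the name, and the reverse DNS result is passed in rather than looked up.

```python
import ipaddress
import re

def contains_ip(name, ip):
    """True if name embeds the IPv4 address ip: its octets in forward or
    reversed order, dot- or dash-separated, optionally zero-padded."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    for order in (octets, octets[::-1]):
        body = "[.-]".join("0*" + o for o in order)
        if re.search(r"(?<!\d)" + body + r"(?!\d)", name):
            return True
    return False

def is_ip_literal(helo):
    """True for a bare or bracketed IPv4 address used as the HELO argument."""
    try:
        ipaddress.IPv4Address(helo.strip("[]"))
        return True
    except ValueError:
        return False

def helo_rdns_test(helo, client_ip, rdns):
    """rdns is the PTR name for client_ip, or None if the lookup failed or
    timed out. Returns a label for a weighted test, or None."""
    helo_n = helo.strip().rstrip(".").lower()
    rdns_n = rdns.strip().rstrip(".").lower() if rdns else None
    # Kevin's observation, with the exact match Andrew asks for.
    if rdns_n and helo_n == rdns_n and contains_ip(helo_n, client_ip):
        return "HELO_IP_MATCHES_RDNS"
    # Andrew's variant: HELO is an IP address and there is no reverse DNS.
    if rdns_n is None and is_ip_literal(helo_n):
        return "HELO_IP_NO_RDNS"
    return None

# Constructed samples: (HELO, connecting IP, reverse DNS or None).
SAMPLES = [
    ("adsl-192-0-2-45.dsl.example.net", "192.0.2.45", "adsl-192-0-2-45.dsl.example.net"),
    ("45.2.0.192.pool.example.net", "192.0.2.45", "45.2.0.192.pool.example.net."),
    ("[203.0.113.9]", "203.0.113.9", None),
    ("mail.example.org", "198.51.100.7", "mail.example.org"),
    ("adsl-192-0-2-45.dsl.example.net", "192.0.2.45", "host45.example.net"),
    # Matt's exception: a real server whose name is an "IP'd" entry also hits.
    ("srv-198-51-100-20.example.com", "198.51.100.20", "srv-198-51-100-20.example.com"),
]

if __name__ == "__main__":
    for helo, ip, rdns in SAMPLES:
        print(helo, ip, rdns, "->", helo_rdns_test(helo, ip, rdns))
```

The last sample is the kind of exception Matt describes, which is why the function returns a label to be weighted rather than a verdict.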