We've seen some legitimate mailers with an IP for the HELO, which matches
the reverse DNS.  I certainly wouldn't recommend holding, much less
deleting, on any one test.

Darin.


----- Original Message ----- 
From: "Kevin Bilbee" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Monday, September 20, 2004 5:41 PM
Subject: RE: [Declude.JunkMail] Idea


99.9% is good enough and better than most RBLs especially in a weighted
system. I have modified my code and am going to test for a few days using
the ROUTETO action to inspect the emails for false positives.

If I find the test acceptable I will post a new version of contains IP with
documentation.


Thanks to those who have given feedback,
Kevin Bilbee

> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] Behalf Of Matt
> Sent: Monday, September 20, 2004 2:20 PM
> To: [EMAIL PROTECTED]
> Subject: Re: [Declude.JunkMail] Idea
>
>
> I would say that 99.9% is probably accurate here, and while that's
> pretty good, it might cause more issues than benefit depending on your
> system if you added extra weight for this condition.  There is
> unfortunately software out there, or at least configurations that will
> insert IP's into the reverse DNS entry and also use that as the HELO.
> For instance, if you name your Windows server with an IP'd entry, that
> will get used by default in the HELO for MS SMTP if I'm not mistaken.
> It would only be 99.9% accurate due to the sheer volume of zombie spam
> however that uses this method, but I believe that there are a measurable
> number of exceptions that may or may not work in a particular weighting
> scheme.
>
> Matt
>
>
>
> Colbeck, Andrew wrote:
>
> >Kevin, I suspect that you're right, and that 99.9% of the time, your rule
> >would hold true.
> >
> >I would suggest that the IP address in the HELO would have to match the
> >reverse DNS exactly, though.
> >
> >I also think that this observation would also hold true if the HELO is an
> >IP address and there is no reverse lookup, or the reverse lookup times out.
> >
> >I think running that as a test for a while would bear that out; let us know
> >if you code that up and want to test it on some more systems...
> >
> >Andrew 8)
> >
> >-----Original Message-----
> >From: Kevin Bilbee [mailto:[EMAIL PROTECTED]
> >Sent: Saturday, September 18, 2004 12:09 PM
> >To: [EMAIL PROTECTED]
> >Subject: [Declude.JunkMail] Idea
> >
> >
> >I was looking through my spams and legitimate email. I have noticed an
> >interesting thing. When there is an ip address in the hello and the hello
> >matches the reverse dns then it is always spam. I cannot find one example
> >of a legitimate email that has these properties.
> >
> >
> >What do you think???
> >
> >I can update my contains ip test to support this type of test also????
> >
> >
> >
> >Kevin Bilbee
> >
> >
> >---
> >[This E-mail was scanned for viruses by Declude Virus
> >(http://www.declude.com)]
> >
> >---
> >This E-mail came from the Declude.JunkMail mailing list.  To unsubscribe,
> >just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe
> >Declude.JunkMail".  The archives can be found at
> >http://www.mail-archive.com.
> >---

--
=====================================================
MailPure custom filters for Declude JunkMail Pro.
http://www.mailpure.com/software/
=====================================================

---
[This E-mail was scanned for viruses by Declude Virus
(http://www.declude.com)]

---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail".  The archives can be found
at http://www.mail-archive.com.
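
Added example, not part of the original thread and not Kevin Bilbee's "contains IP" code: a sketch of the test discussed above (the HELO embeds the connecting IP and exactly matches the reverse DNS, plus the variant of a bare-IP HELO with no reverse lookup), applied as one weight among several rather than as a hold on its own. The function names, the weight of 5, the hold threshold of 10 and the sample hosts in the comments are assumptions constructed for illustration.

```python
import ipaddress
import re

HELO_IP_WEIGHT = 5   # assumed weight contributed by this one test
HOLD_AT = 10         # assumed combined weight at which mail is held


def embeds_ip(name, ip):
    """True if name carries ip's octets, forward or reversed, joined by '.' or '-'."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return any(
        re.search(r"(?<!\d)" + "[.-]".join(order) + r"(?!\d)", name)
        for order in (octets, octets[::-1])
    )


def is_ip_literal(helo):
    """True if the HELO argument is nothing but an IPv4 address."""
    try:
        ipaddress.IPv4Address(helo)
        return True
    except ValueError:
        return False


def helo_ip_test(helo, client_ip, ptr):
    """Weight for one connection; ptr is the PTR name, or None if the
    reverse lookup returned nothing or timed out."""
    helo = helo.strip("[]").rstrip(".").lower()
    if not embeds_ip(helo, client_ip):
        return 0
    if ptr is None:
        # Variant from the thread: HELO is an IP address and there is no rDNS.
        return HELO_IP_WEIGHT if is_ip_literal(helo) else 0
    # The HELO has to match the reverse DNS exactly.
    return HELO_IP_WEIGHT if helo == ptr.rstrip(".").lower() else 0


def action(helo, client_ip, ptr, other_weight=0):
    """Hold only when the combined weight crosses the threshold,
    so this test can never hold a message by itself."""
    total = other_weight + helo_ip_test(helo, client_ip, ptr)
    return "hold" if total >= HOLD_AT else "deliver"

# Constructed samples (documentation address ranges, example domains):
#   action("host-192-0-2-25.dsl.example.net", "192.0.2.25",
#          "host-192-0-2-25.dsl.example.net", other_weight=6)   # other tests also fired
#   action("host-198-51-100-7.example.org", "198.51.100.7",
#          "host-198-51-100-7.example.org")                     # IP-named legitimate server
```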


