Should not I are not testing the email address. I am testing the mail server HELO and RDNS strings. Cellphones does not send directly they relay their messages through a server.
Kevin Bilbee > -----Original Message----- > From: [EMAIL PROTECTED] > [mailto:[EMAIL PROTECTED] Behalf Of Danny Spence > Sent: Tuesday, September 21, 2004 6:49 AM > To: [EMAIL PROTECTED] > Subject: RE: [Declude.JunkMail] Idea > > > > Correct me if I am wrong here, but wouldn't an email sent from a cell > phone or PDA cause this behavior as well? > --- > Danny Spence > > > -----Original Message----- > From: [EMAIL PROTECTED] > [mailto:[EMAIL PROTECTED] On Behalf Of Kevin Bilbee > Sent: Monday, September 20, 2004 6:36 PM > To: [EMAIL PROTECTED] > Subject: RE: [Declude.JunkMail] Idea > > Agreed I would never delete on the one test, (except my personal black > list), I would weight the email. A reverse DNS endty should never return > an > ip address. If the HELO is an ip it should should be in the form of > [a.b.c.d] from my understanding. But if I reverse a.b.c.d I should not > get > a.b.c.d I should get host.example.com. If they do not want ot follow > standards that is fine but I am going to add weight to their email. that > is > why I run Declude to weight emails that do not wollow standards. > > I host coorporate email for my promary company and a few sister > companies so > I have the ability to be a little stricter and if I do get a false > positive > I work with the customer/ISP of our customer to fix what is > broken/non-standard. > > > Kevin Bilbee > > > -----Original Message----- > > From: [EMAIL PROTECTED] > > [mailto:[EMAIL PROTECTED] Behalf Of Darin Cox > > Sent: Monday, September 20, 2004 3:20 PM > > To: [EMAIL PROTECTED] > > Subject: Re: [Declude.JunkMail] Idea > > > > > > We've seen some legitimate mailers with an IP for the HELO, which > matches > > the reverse DNS. I certainly wouldn't recommend holding, much less > > deleting, on any one test. > > > > Darin. > > > > > > ----- Original Message ----- > > From: "Kevin Bilbee" <[EMAIL PROTECTED]> > > To: <[EMAIL PROTECTED]> > > Sent: Monday, September 20, 2004 5:41 PM > > Subject: RE: [Declude.JunkMail] Idea > > > > > > 99.9% is good enough and better than most RBLs especially in a > weighted > > system. I have modified my code and am going to test for a few days > using > > the ROUTETO action to inspect te emails for false positives. > > > > If I find the test acceptable I will post a new version of > > contains IP with > > documentation. > > > > > > Thanks to thoes who have given feedback, > > Kevin Bilbee > > > > > -----Original Message----- > > > From: [EMAIL PROTECTED] > > > [mailto:[EMAIL PROTECTED] Behalf Of Matt > > > Sent: Monday, September 20, 2004 2:20 PM > > > To: [EMAIL PROTECTED] > > > Subject: Re: [Declude.JunkMail] Idea > > > > > > > > > I would say that 99.9% is probably accurate here, and while that's > > > pretty good, it might cause more issues than benefit depending on > your > > > system if you added extra weight for this condition. There is > > > unfortunately software out there, or at least configurations that > will > > > insert IP's into the reverse DNS entry and also use that as the > HELO. > > > For instance, if you name your Windows server with an IP'd entry, > that > > > will get used by default in the HELO for MS SMTP if I'm not > mistaken. > > > It would only be 99.9% accurate due to the sheer volume of zombie > spam > > > however that uses this method, but I believe that there are a > measurable > > > number of exceptions that may or may not work in a particular > weighting > > > scheme. > > > > > > Matt > > > > > > > > > > > > Colbeck, Andrew wrote: > > > > > > >Kevin, I suspect that you're right, and that 99.9% of the > > time, your rule > > > >would hold true. > > > > > > > >I would suggest that the IP address in the HELO would have to match > the > > > >reverse DNS exactly, though. > > > > > > > >I also think that it this observation would also hold true if > > > the HELO is an > > > >IP address and there is no reverse lookup, or the reverse lookup > > > times out. > > > > > > > >I think running that as a test for a while would bear that out; > > > let us know > > > >if you code that up and want to test it on some more systems... > > > > > > > >Andrew 8) > > > > > > > >-----Original Message----- > > > >From: Kevin Bilbee [mailto:[EMAIL PROTECTED] > > > >Sent: Saturday, September 18, 2004 12:09 PM > > > >To: [EMAIL PROTECTED] > > > >Subject: [Declude.JunkMail] Idea > > > > > > > > > > > >I was looking through my smaps and legitimate email. I have noticed > an > > > >interesting thing. When there is an ip address in the hello > > and the hello > > > >matches the reverse dns then it is always spam. I can not find > > > one example > > > >of a legitimate email that has these properties. > > > > > > > > > > > >What do you think??? > > > > > > > >I can update my contains ip test to support this type of test > also???? > > > > > > > > > > > > > > > >Kevin Bilbee > > > > > > > > > > > >--- > > > >[This E-mail was scanned for viruses by Declude Virus > > > >(http://www.declude.com)] > > > > > > > >--- > > > >This E-mail came from the Declude.JunkMail mailing list. To > > unsubscribe, > > > >just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe > > > >Declude.JunkMail". The archives can be found at > > > >http://www.mail-archive.com. > > > >--- > > > >[This E-mail was scanned for viruses by Declude Virus > > (http://www.declude.com)] > > > > > >--- > > >This E-mail came from the Declude.JunkMail mailing list. To > > >unsubscribe, just send an E-mail to [EMAIL PROTECTED], and > > >type "unsubscribe Declude.JunkMail". The archives can be found > > >at http://www.mail-archive.com. > > > > > > > > > > > > > > > > -- > > ===================================================== > > MailPure custom filters for Declude JunkMail Pro. > > http://www.mailpure.com/software/ > > ===================================================== > > > > --- > > [This E-mail was scanned for viruses by Declude Virus > > (http://www.declude.com)] > > > > --- > > This E-mail came from the Declude.JunkMail mailing list. To > > unsubscribe, just send an E-mail to [EMAIL PROTECTED], and > > type "unsubscribe Declude.JunkMail". The archives can be found > > at http://www.mail-archive.com. > > > > > > > > --- > > [This E-mail was scanned for viruses by Declude Virus > > (http://www.declude.com)] > > > > --- > > This E-mail came from the Declude.JunkMail mailing list. To > > unsubscribe, just send an E-mail to [EMAIL PROTECTED], and > > type "unsubscribe Declude.JunkMail". The archives can be found > > at http://www.mail-archive.com. > > > > --- > > [This E-mail was scanned for viruses by Declude Virus > (http://www.declude.com)] > > --- > This E-mail came from the Declude.JunkMail mailing list. To > unsubscribe, just send an E-mail to [EMAIL PROTECTED], and > type "unsubscribe Declude.JunkMail". The archives can be found > at http://www.mail-archive.com. > > > > --- > [This E-mail was scanned for viruses by Declude Virus > (http://www.declude.com)] > > --- > This E-mail came from the Declude.JunkMail mailing list. To > unsubscribe, just send an E-mail to [EMAIL PROTECTED], and > type "unsubscribe Declude.JunkMail". The archives can be found > at http://www.mail-archive.com. > > --- > [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com.
