Danger, Will Robinson! Danger!

Darin, thank you for pointing out that qualifying a domain name with a
prepended period is a solid best practice, and I'll add that it is
mandatory to get the expected results when one uses a SPAMDOMAINS test.

However, this ComCast example is NOT a recommended action, as it will
still have the flaw I cited earlier, i.e. that you would be
counterweighting their mailhosts all right, but also all of the zombies
on their highly infested cable subscriber network.

Andrew 8) 
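
The two points made in this thread, as an added example that is not part of the original message or of Declude: a bare suffix match also credits look-alike domains, a dot-qualified suffix still credits every subscriber host under the domain, and a CIDR match on the mailhost subnet credits neither. The hostnames, the documentation-range IP addresses, the /28 subnet and the case-insensitive matching are all assumptions made for illustration.

```python
import ipaddress

# Constructed sample connections: (reverse DNS name, remote IP).
# Hostnames and addresses are illustrative; the IPs are documentation ranges.
SAMPLES = {
    "mailhost":  ("mx1.comcast.net", "192.0.2.10"),
    "zombie":    ("c-198-51-100-7.hsd1.ca.comcast.net", "198.51.100.7"),
    "lookalike": ("mail.spamcomcast.net", "203.0.113.5"),
}

def endswith_credit(revdns, suffix, weight=-100):
    """Model of a reverse-DNS suffix counterweight (case-insensitive by assumption)."""
    name = revdns.lower().rstrip(".")
    return weight if name.endswith(suffix.lower()) else 0

def cidr_credit(remote_ip, cidr, weight=-100):
    """Model of a counterweight keyed on the sending IP falling inside a subnet."""
    inside = ipaddress.ip_address(remote_ip) in ipaddress.ip_network(cidr)
    return weight if inside else 0

def credited(rule):
    """Names of the sample connections that a rule gives a negative weight to."""
    return sorted(n for n, (rdns, ip) in SAMPLES.items() if rule(rdns, ip) < 0)

def compare():
    """Run the three rule styles discussed in the thread over the samples."""
    return {
        "suffix ComCast.net": credited(lambda r, ip: endswith_credit(r, "ComCast.net")),
        "suffix .ComCast.net": credited(lambda r, ip: endswith_credit(r, ".ComCast.net")),
        "CIDR 192.0.2.0/28": credited(lambda r, ip: cidr_credit(ip, "192.0.2.0/28")),
    }

if __name__ == "__main__":
    for rule, names in compare().items():
        print(f"{rule:22} credits: {', '.join(names)}")
```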


> -----Original Message-----
> From: [EMAIL PROTECTED] 
> [mailto:[EMAIL PROTECTED] On Behalf Of Darin Cox
> Sent: Thursday, September 08, 2005 9:46 AM
> To: Declude.JunkMail@declude.com
> Subject: Re: [Declude.JunkMail] How to credit a domain
> 
> Might want to make it
> 
> REVDNS -100 ENDSWITH .ComCast.net
> 
> instead of
> 
> REVDNS -100 ENDSWITH ComCast.net
> 
> (note the period before comcast.net)
> 
> That way spamcomcast.net won't match when you don't want it to.
> 
> Darin.
> 
> 
> ----- Original Message -----
> From: "Colbeck, Andrew" <[EMAIL PROTECTED]>
> To: <Declude.JunkMail@declude.com>
> Sent: Thursday, September 08, 2005 12:37 PM
> Subject: RE: [Declude.JunkMail] How to credit a domain
> 
> 
> Oop, there was one other thing.
> 
> I try to avoid the temptation of counterweighting a fragment of their
> reverse DNS.
> 
> For example, if there were a ComCast.net mailhost problem that I wanted
> to counterweight, it would be tempting to add:
> 
> REVDNS -100 ENDSWITH ComCast.net
> 
> Which would accomplish the goal, but at the same time as letting in a
> tidal wave of spam from zombies on their cable subscriber network!
> 
> That all being said, I also have a very few Declude PRO filter text
> files that accomplish counterweighting for problematic domains that need
> help to get their mail through my setup, but whose complexity to keep
> the spam out precludes it from going in my mixed bag of counterweights.
> 
> Andrew 8)
> 
> 
> > -----Original Message-----
> > From: [EMAIL PROTECTED] 
> > [mailto:[EMAIL PROTECTED] On Behalf Of 
> > Colbeck, Andrew
> > Sent: Thursday, September 08, 2005 9:31 AM
> > To: Declude.JunkMail@declude.com
> > Subject: RE: [Declude.JunkMail] How to credit a domain
> > 
> > Hi, Goran.
> > 
> > I like to counterweight based on their IP for a couple of 
> > reasons.  The first is that if their administration is not up 
> > to par (so that I have to counterweight them), the odds are 
> > good that their revdns is flawed or that their DNS is subject 
> > to timeouts.
> > 
> > I also find that, as a practical matter, a company is as 
> > likely to change their IP as their revdns so neither is more 
> > "stable" than the other.
> > 
> > Third, a lot of the companies with this kind of problem also 
> > fail REVDNS anyway!
> > 
> > Last, larger companies can sometimes easily be spotted in 
> > SenderBase.org as having all of their mailhosts on a small 
> > subnet and I can use a REMOTEIP CIDR mask.
> > 
> > Andrew 8)
> > 
> > 
> > 
> > > -----Original Message-----
> > > From: [EMAIL PROTECTED]
> > > [mailto:[EMAIL PROTECTED] On Behalf Of Goran 
> > > Jovanovic
> > > Sent: Thursday, September 08, 2005 9:22 AM
> > > To: Declude.JunkMail@declude.com
> > > Subject: RE: [Declude.JunkMail] How to credit a domain
> > > 
> > > Andrew,
> > > 
> > > > Why would you counterweight their IP and not the REVDNS? It seems that
> > > > it is basically the same thing?
> > > 
> > >  
> > >      Goran Jovanovic
> > >      The LAN Shoppe
> > > 
> > >  
> > > 
> > > > -----Original Message-----
> > > > From: [EMAIL PROTECTED] 
> > [mailto:Declude.JunkMail- 
> > > > [EMAIL PROTECTED] On Behalf Of Colbeck, Andrew
> > > > Sent: Thursday, September 08, 2005 11:52 AM
> > > > To: Declude.JunkMail@declude.com
> > > > Subject: RE: [Declude.JunkMail] How to credit a domain
> > > > 
> > > > > Goran, I have consistently found that providers that handle mail for
> > > > > other companies are reliable enough that I can merely counterweight
> > > > > their IP.  I hardly ever trust their reverse DNS, and even less often
> > > > > the HELO.
> > > > >
> > > > > I have a last resort test where I have a mixed bag of counterweights.
> > > > 
> > > > Andrew 8)
> > > > 
> > > > 
> > > > > -----Original Message-----
> > > > > From: [EMAIL PROTECTED]
> > > > > [mailto:[EMAIL PROTECTED] On Behalf 
> Of Goran 
> > > > > Jovanovic
> > > > > Sent: Thursday, September 08, 2005 8:33 AM
> > > > > To: Declude.JunkMail@declude.com
> > > > > Subject: [Declude.JunkMail] How to credit a domain
> > > > >
> > > > > Hi all,
> > > > >
> > > > > > I get messages like this all the time and I am always in a dilemma
> > > > > > on what to do about them. This is a legit mail that scored 10 (where
> > > > > > I start tagging mail).
> > > > >
> > > > > --------------------------------------------------------------
> > > > > ----------
> > > > > -
> > > > > Received: from mx.dstsystems.com [204.167.177.68] by 
> > > > > mail1.gonetworks.net with ESMTP (SMTPD32-8.13) id
> > > AAD8195300F2; Wed,
> > > > > 07 Sep 2005 15:09:12 -0400
> > > > >
> > > > > X-RBL-Warning: HELOBOGUS: Domain mx.dstsystems.com has 
> > no MX or A 
> > > > > records [0301].
> > > > >
> > > > > X-Declude-Sender: [EMAIL PROTECTED] [204.167.177.68]
> > > > >
> > > > > X-Note: Reverse DNS:  Sent from dstsys-cp.dstsystems.com 
> > > > > ([204.167.177.68]).
> > > > >
> > > > > X-Note: Tests Failed: CMDSPACE [8], HELOBOGUS [5], 
> > NOLEGITCONTENT 
> > > > > [0], SIZE-S [0]
> > > > > --------------------------------------------------------------
> > > > > ----------
> > > > > -
> > > > >
> > > > > > So this mail came from domain dstsystems.com on the IP
> > > > > > 204.167.177.68 but it is from domain ifdsgroup.com. Now my preferred
> > > > > > method of dealing with this type of problem is to credit based on
> > > > > > REVDNS. Again in this case there is a good REVDNS but it is not from
> > > > > > the same domain as the MAILFROM (if it was then I would have no
> > > > > > problem in crediting the REVDNS).
> > > > > >
> > > > > > So is there a way to figure out if dstsystems.com is an e-mail
> > > > > > hosting company and then I would not want to credit the REVDNS as I
> > > > > > do not know what other domains they host.
> > > > > >
> > > > > > If I cannot figure out the link then I would not credit REVDNS and
> > > > > > would move to step 2. Credit HELO. HELOs can be spoofed but in this
> > > > > > case the HELO is basically the same as the REVDNS.
> > > > > >
> > > > > > Next step is crediting MAILFROM. This I can do with the
> > > > > > ifdsgroup.com and lower the score for e-mail from this domain. Again
> > > > > > it can be spoofed but ...
> > > > > >
> > > > > > I would prefer to credit REVDNS as that cannot be spoofed but I am
> > > > > > leery of crediting an "unknown" domain when it does not relate to
> > > > > > the MAILFROM address.
> > > > > >
> > > > > > Any thoughts on how (if possible) to connect the two domains?
> > > > > > Or do I simply drop down to option 3 and credit MAILFROM? I suppose
> > > > > > that I could try and figure out the admin responsible for
> > > > > > dstsystems.com and tell them to fix the HELOBOGUS error in which
> > > > > > case my problems would (mostly) go away.
> > > > >
> > > > > Any thoughts and comments are appreciated.
> > > > >
> > > > > Thanks
> > > > >
> > > > >
> > > > >      Goran Jovanovic
> > > > >      The LAN Shoppe
> > > > > ---
> > > > > > This E-mail came from the Declude.JunkMail mailing list.  To
> > > > > > unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type
> > > > > > "unsubscribe Declude.JunkMail".  The archives can be found at
> > > > > > http://www.mail-archive.com.
> > > > >
> > > > ---
> > > > This E-mail came from the Declude.JunkMail mailing list.  To 
> > > > unsubscribe, just send an E-mail to [EMAIL PROTECTED], 
> > and type 
> > > > "unsubscribe Declude.JunkMail".  The archives can be found at 
> > > > http://www.mail-archive.com.
> > > ---
> > > This E-mail came from the Declude.JunkMail mailing list.  To 
> > > unsubscribe, just send an E-mail to [EMAIL PROTECTED], 
> and type 
> > > "unsubscribe Declude.JunkMail".  The archives can be found at 
> > > http://www.mail-archive.com.
> > > 
> > ---
> > This E-mail came from the Declude.JunkMail mailing list.  To 
> > unsubscribe, just send an E-mail to [EMAIL PROTECTED], and 
> > type "unsubscribe Declude.JunkMail".  The archives can be 
> > found at http://www.mail-archive.com.
> > 
> ---
> This E-mail came from the Declude.JunkMail mailing list.  To
> unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
> type "unsubscribe Declude.JunkMail".  The archives can be found
> at http://www.mail-archive.com.
> 
> ---
> This E-mail came from the Declude.JunkMail mailing list.  To
> unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
> type "unsubscribe Declude.JunkMail".  The archives can be found
> at http://www.mail-archive.com.
> 
---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail".  The archives can be found
at http://www.mail-archive.com.

Reply via email to