Good point.  I wasn't thinking about the domain in question, only the
practice, and didn't go so far as to mention that for ISP domains like this,
we prefer to counterweight by MAILFROM on the exact email address rather
than REVDNS.

It's all about being as narrow as possible where there's room for abuse...

Darin.
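
A small model of the counterweight scopes discussed in this thread, added here as an illustration (it is not from any poster and is not Declude's implementation). The sender records, IP ranges and the match labels `endswith`/`exact`/`cidr` are constructed, and case-insensitive matching is an assumption.

```python
import ipaddress

# Constructed sample senders (not from the thread): (reverse DNS, IP, MAILFROM)
SENDERS = {
    "isp_mailhost": ("mta1.mail.comcast.net", "192.0.2.10", "alice@comcast.net"),
    "cable_zombie": ("c-198-51-100-7.hsd1.example.comcast.net", "198.51.100.7",
                     "x9@hotmail.example"),
    "lookalike":    ("mail.spamcomcast.net", "203.0.113.5", "offer@spamcomcast.net"),
}

def matches(rule, sender):
    """Return True if a (field, op, value) counterweight rule covers the sender."""
    field, op, value = rule
    revdns, ip, mailfrom = sender
    subject = {"REVDNS": revdns, "REMOTEIP": ip, "MAILFROM": mailfrom}[field]
    if op == "endswith":   # plain string suffix test, assumed case-insensitive
        return subject.lower().endswith(value.lower())
    if op == "exact":      # whole-address comparison
        return subject.lower() == value.lower()
    if op == "cidr":       # sender IP inside the given network
        return ipaddress.ip_address(subject) in ipaddress.ip_network(value)
    raise ValueError(f"unknown match type: {op}")

def credited(rule):
    """Names of the sample senders that would receive the counterweight."""
    return sorted(name for name, s in SENDERS.items() if matches(rule, s))

BARE_SUFFIX   = ("REVDNS", "endswith", "ComCast.net")    # no leading period
DOTTED_SUFFIX = ("REVDNS", "endswith", ".ComCast.net")   # leading period
MAILHOST_CIDR = ("REMOTEIP", "cidr", "192.0.2.0/28")     # constructed mailhost subnet
EXACT_FROM    = ("MAILFROM", "exact", "alice@comcast.net")

def scope_report():
    """Map each rule to the senders it credits, widest rule first."""
    return {
        "bare_suffix":   credited(BARE_SUFFIX),
        "dotted_suffix": credited(DOTTED_SUFFIX),
        "mailhost_cidr": credited(MAILHOST_CIDR),
        "exact_from":    credited(EXACT_FROM),
    }

if __name__ == "__main__":
    for rule, names in scope_report().items():
        print(f"{rule:14} credits {names}")
```

The leading period only removes the look-alike domain; the subscriber host still shares the ISP's reverse DNS suffix, which is why the narrower IP or exact-address rules credit the mailhost alone.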


----- Original Message ----- 
From: "Colbeck, Andrew" <[EMAIL PROTECTED]>
To: <Declude.JunkMail@declude.com>
Sent: Thursday, September 08, 2005 12:58 PM
Subject: RE: [Declude.JunkMail] How to credit a domain


Danger, Will Robinson! Danger!

Darin, thank you for pointing out that qualifying a domain name with a
prepended period is a solid best practice, and I'll add that it is
mandatory to get the expected results when one uses a SPAMDOMAINS test.

However, this ComCast example is NOT a recommended action, as it will
still have the flaw I cited earlier, i.e. that you would be
counterweighting their mailhosts all right, but also all of the zombies
on their highly infested cable subscriber network.

Andrew 8)


> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Darin Cox
> Sent: Thursday, September 08, 2005 9:46 AM
> To: Declude.JunkMail@declude.com
> Subject: Re: [Declude.JunkMail] How to credit a domain
>
> Might want to make it
>
> REVDNS -100 ENDSWITH .ComCast.net
>
> instead of
>
> REVDNS -100 ENDSWITH ComCast.net
>
> (note the period before comcast.net)
>
> That way spamcomcast.net won't match when you don't want it to.
>
> Darin.
>
>
> ----- Original Message -----
> From: "Colbeck, Andrew" <[EMAIL PROTECTED]>
> To: <Declude.JunkMail@declude.com>
> Sent: Thursday, September 08, 2005 12:37 PM
> Subject: RE: [Declude.JunkMail] How to credit a domain
>
>
> Oop, there was one other thing.
>
> I try to avoid the temptation of counterweighting a fragment of their
> reverse DNS.
>
> For example, if there were a ComCast.net mailhost problem that I wanted
> to counterweight, it would be tempting to add:
>
> REVDNS -100 ENDSWITH ComCast.net
>
> Which would accomplish the goal, but at the same time as letting in a
> tidal wave of spam from zombies on their cable subscriber network!
>
> That all being said, I also have a very few Declude PRO filter text
> files that accomplish counterweighting for problematic domains that need
> help to get their mail through my setup, but whose complexity to keep
> the spam out precludes it from going in my mixed bag of counterweights.
>
> Andrew 8)
>
>
> > -----Original Message-----
> > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED] On Behalf Of
> > Colbeck, Andrew
> > Sent: Thursday, September 08, 2005 9:31 AM
> > To: Declude.JunkMail@declude.com
> > Subject: RE: [Declude.JunkMail] How to credit a domain
> >
> > Hi, Goran.
> >
> > I like to counterweight based on their IP for a couple of
> > reasons.  The first is that if their administration is not up
> > to par (so that I have to counterweight them), the odds are
> > good that their revdns is flawed or that their DNS is subject
> > to timeouts.
> >
> > I also find that, as a practical matter, a company is as
> > likely to change their IP as their revdns so neither is more
> > "stable" than the other.
> >
> > Third, a lot of the companies with this kind of problem also
> > fail REVDNS anyway!
> >
> > Last, larger companies can sometimes easily be spotted in
> > SenderBase.org as having all of their mailhosts on a small
> > subnet and I can use a REMOTEIP CIDR mask.
> >
> > Andrew 8)
> >
> >
> >
> > > -----Original Message-----
> > > From: [EMAIL PROTECTED]
> > > [mailto:[EMAIL PROTECTED] On Behalf Of Goran
> > > Jovanovic
> > > Sent: Thursday, September 08, 2005 9:22 AM
> > > To: Declude.JunkMail@declude.com
> > > Subject: RE: [Declude.JunkMail] How to credit a domain
> > >
> > > Andrew,
> > >
> > > > Why would you counterweight their IP and not the REVDNS? It seems that
> > > > it is basically the same thing?
> > >
> > >
> > >      Goran Jovanovic
> > >      The LAN Shoppe
> > >
> > >
> > >
> > > > -----Original Message-----
> > > > > From: [EMAIL PROTECTED]
> > > > > [mailto:Declude.JunkMail-[EMAIL PROTECTED] On Behalf Of Colbeck, Andrew
> > > > Sent: Thursday, September 08, 2005 11:52 AM
> > > > To: Declude.JunkMail@declude.com
> > > > Subject: RE: [Declude.JunkMail] How to credit a domain
> > > >
> > > > > Goran, I have consistently found that providers that handle mail for
> > > > > other companies are reliable enough that I can merely counterweight
> > > > > their IP.  I hardly ever trust their reverse DNS, and even less often
> > > > > the HELO.
> > > > >
> > > > > I have a last resort test where I have a mixed bag of counterweights.
> > > >
> > > > Andrew 8)
> > > >
> > > >
> > > > > -----Original Message-----
> > > > > > From: [EMAIL PROTECTED]
> > > > > > [mailto:[EMAIL PROTECTED] On Behalf Of Goran
> > > > > > Jovanovic
> > > > > Sent: Thursday, September 08, 2005 8:33 AM
> > > > > To: Declude.JunkMail@declude.com
> > > > > Subject: [Declude.JunkMail] How to credit a domain
> > > > >
> > > > > Hi all,
> > > > >
> > > > > > I get messages like this all the time and I am always in a dilemma
> > > > > > on what to do about them. This is a legit mail that scored 10 (where
> > > > > > I start tagging mail).
> > > > > >
> > > > > > -------------------------------------------------------------------------
> > > > > > Received: from mx.dstsystems.com [204.167.177.68] by
> > > > > > mail1.gonetworks.net with ESMTP (SMTPD32-8.13) id AAD8195300F2; Wed,
> > > > > > 07 Sep 2005 15:09:12 -0400
> > > > > >
> > > > > > X-RBL-Warning: HELOBOGUS: Domain mx.dstsystems.com has no MX or A
> > > > > > records [0301].
> > > > > >
> > > > > > X-Declude-Sender: [EMAIL PROTECTED] [204.167.177.68]
> > > > > >
> > > > > > X-Note: Reverse DNS:  Sent from dstsys-cp.dstsystems.com
> > > > > > ([204.167.177.68]).
> > > > > >
> > > > > > X-Note: Tests Failed: CMDSPACE [8], HELOBOGUS [5], NOLEGITCONTENT
> > > > > > [0], SIZE-S [0]
> > > > > > -------------------------------------------------------------------------
> > > > >
> > > > > > So this mail came from domain dstsystems.com on the IP
> > > > > > 204.167.177.68 but it is from domain ifdsgroup.com. Now my preferred
> > > > > > method of dealing with this type of problem is to credit based on
> > > > > > REVDNS. Again in this case there is a good REVDNS but it is not from
> > > > > > the same domain as the MAILFROM (if it was then I would have no
> > > > > > problem in crediting the REVDNS).
> > > > > >
> > > > > > So is there a way to figure out if dstsystems.com is an e-mail
> > > > > > hosting company and then I would not want to credit the REVDNS as I
> > > > > > do not know what other domains they host.
> > > > > >
> > > > > > If I cannot figure out the link then I would not credit REVDNS and
> > > > > > would move to step 2. Credit HELO. HELOs can be spoofed but in this
> > > > > > case the HELO is basically the same as the REVDNS.
> > > > > >
> > > > > > Next step is crediting MAILFROM. This I can do with the
> > > > > > ifdsgroup.com and lower the score for e-mail from this domain. Again
> > > > > > it can be spoofed but ...
> > > > > >
> > > > > > I would prefer to credit REVDNS as that cannot be spoofed but I am
> > > > > > leery of crediting an "unknown" domain when it does not relate to
> > > > > > the MAILFROM address.
> > > > > >
> > > > > > Any thoughts on how (if possible) to connect the two domains?
> > > > > > Or do I simply drop down to option 3 and credit MAILFROM? I suppose
> > > > > > that I could try and figure out the admin responsible for
> > > > > > dstsystems.com and tell them to fix the HELOBOGUS error in which
> > > > > > case my problems would (mostly) go away.
> > > > >
> > > > > Any thoughts and comments are appreciated.
> > > > >
> > > > > Thanks
> > > > >
> > > > >
> > > > >      Goran Jovanovic
> > > > >      The LAN Shoppe
> > > > > ---
> > > > > This E-mail came from the Declude.JunkMail mailing list.  To
> > > > > unsubscribe, just send an E-mail to [EMAIL PROTECTED],
> > > and type
> > > > > "unsubscribe Declude.JunkMail".  The archives can be found at
> > > > > http://www.mail-archive.com.
> > > > >
> > > > ---
> > > > This E-mail came from the Declude.JunkMail mailing list.  To
> > > > unsubscribe, just send an E-mail to [EMAIL PROTECTED],
> > and type
> > > > "unsubscribe Declude.JunkMail".  The archives can be found at
> > > > http://www.mail-archive.com.
> > > ---
> > > This E-mail came from the Declude.JunkMail mailing list.  To
> > > unsubscribe, just send an E-mail to [EMAIL PROTECTED],
> and type
> > > "unsubscribe Declude.JunkMail".  The archives can be found at
> > > http://www.mail-archive.com.
> > >
> > ---
> > This E-mail came from the Declude.JunkMail mailing list.  To
> > unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
> > type "unsubscribe Declude.JunkMail".  The archives can be
> > found at http://www.mail-archive.com.
> >
> ---
> This E-mail came from the Declude.JunkMail mailing list.  To
> unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
> type "unsubscribe Declude.JunkMail".  The archives can be found
> at http://www.mail-archive.com.
>
> ---
> This E-mail came from the Declude.JunkMail mailing list.  To
> unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
> type "unsubscribe Declude.JunkMail".  The archives can be found
> at http://www.mail-archive.com.
>
---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail".  The archives can be found
at http://www.mail-archive.com.

---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail".  The archives can be found
at http://www.mail-archive.com.

Reply via email to