On 4/12/2011 3:19 AM, Bernhard Rohrer wrote:
> My first port of call here would be to enable features like
>
> - DKIM
> - SPF
> - reverse DNS lookup for the connecting host, where several things can be done:

Nope. This class of spammers carefully follow the RFCs and use SPF and DKIM.


> - match connecting IP to hostname in helo or mail from
> - match connecting ip to claimed sending domain in helo or mail from (check MX and A)

Such a test would have a horribly high false positive rate. There is no requirement for these to match, and many legit hosts would fail such tests. Many legit hosts handle mail for multiple domains; many legit domains have separate incoming and outgoing servers, sometimes even on different networks.

And ultimately, even these extreme checks are ineffective against this class of spammer since they carefully set up one domain per IP, with all the bits matching.

> this will take care of a lot of snowshoe attacks.

Not in my world.


  -- Noel Jones



> cheers
>
> Bernhard
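As an added illustration (not code from either poster), the checks Bernhard lists can be scripted against a constructed DNS snapshot to see Noel's point in action: a legitimate shared-hosting relay and a company with separate inbound and outbound servers both fail the MX/A test, while a one-domain-per-IP sender with every record lined up passes all of them. All hosts, domains and addresses are hypothetical.

```python
# Added example, not code from the thread: a stand-in for the
# "connecting IP must match HELO and MAIL FROM domain (A/MX)" checks,
# run against a constructed DNS snapshot so it works offline.
# All hosts, domains and addresses below are hypothetical.

# Constructed forward records: name -> {"A": [...], "MX": [...]}
DNS = {
    # shared hosting provider: customers' MX is mx-in, outbound relay is smtp-out
    "mx-in.hoster.example":    {"A": ["192.0.2.10"]},
    "smtp-out.hoster.example": {"A": ["192.0.2.20"]},
    "shop-a.example": {"A": ["198.51.100.5"], "MX": ["mx-in.hoster.example"]},
    # company with separate inbound and outbound servers on different networks
    "in.bigcorp.example":  {"A": ["203.0.113.80"]},
    "out.bigcorp.example": {"A": ["198.51.100.200"]},
    "bigcorp.example": {"A": ["203.0.113.50"], "MX": ["in.bigcorp.example"]},
    # snowshoe sender: one domain per IP, every record lined up
    "mail.snow-0042.example": {"A": ["192.0.2.200"]},
    "snow-0042.example": {"A": ["192.0.2.200"], "MX": ["mail.snow-0042.example"]},
}
# Constructed reverse records: ip -> PTR name
PTR = {"192.0.2.20": "smtp-out.hoster.example",
       "198.51.100.200": "out.bigcorp.example",
       "192.0.2.200": "mail.snow-0042.example"}

def a_records(name):
    return set(DNS.get(name, {}).get("A", []))

def mx_addresses(domain):
    # Addresses of every MX host of the domain
    return {ip for mx in DNS.get(domain, {}).get("MX", []) for ip in a_records(mx)}

def check_sender(ip, helo, mail_from_domain):
    """Return each proposed check as a named boolean."""
    sender_ips = mx_addresses(mail_from_domain) | a_records(mail_from_domain)
    return {
        "ptr_matches_helo": PTR.get(ip) == helo,
        "helo_resolves_to_ip": ip in a_records(helo),
        "ip_is_sender_mx_or_a": ip in sender_ips,
    }

def would_reject(ip, helo, mail_from_domain):
    """Reject when any check fails, which is what the proposal implies."""
    return not all(check_sender(ip, helo, mail_from_domain).values())

if __name__ == "__main__":
    cases = [("shared host relay", "192.0.2.20", "smtp-out.hoster.example", "shop-a.example"),
             ("split in/out corp", "198.51.100.200", "out.bigcorp.example", "bigcorp.example"),
             ("snowshoe, 1 domain/IP", "192.0.2.200", "mail.snow-0042.example", "snow-0042.example")]
    for label, ip, helo, dom in cases:
        print(f"{label:22s} reject={would_reject(ip, helo, dom)} {check_sender(ip, helo, dom)}")
```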
