RE: [Declude.JunkMail] SpamIPs Test Idea
One other thing to think about. My workstation is in my home office. My mail server is at my NOC. I have a VPN setup between my home office and the NOC for administration of the servers. Any mail I send shows a remote IP of my private address, since my mail server received it through the VPN.

John Tolmachoff MCSE CSSA
Engineer/Consultant
eServices For You
www.eservicesforyou.com

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---
This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] SpamIPs Test Idea
Yes Bill, HELO not RDNS (that keyboard virus sure gets around). I've been running a "BadIP" list for some time that maps the CIDRs of many ISPs (broadband ranges in particular). With 2500 entries, it's on the heavy side, but when a new range appears, the spammers find it and tell me about it. SpamIPs would essentially be a smart version of this.

Interesting, comparing RDNS to HELO! Essentially, every comparison test is battling the same problem, forged headers. Spammers have software with fields for typing in all these things and they plug away. If we total them, the number of possible comparisons is awesome:

MAILFROM vs HELO (Spam Domains)
IP vs HELO (SpamIPs)
RDNS vs HELO
RDNS vs MAILFROM
IP vs RDNS
IP vs MAILFROM

I like the first 3, Scott can pick the one(s) he likes best. :)

Dan

On Sunday, June 8, 2003 12:44, Bill B. <[EMAIL PROTECTED]> wrote:
>Ahh, I get it. But it would have to compare the REMOTEIP to the
>HELO string, not to the REVDNS. Because "styggen.com" in the
>header below indicates the HELO string sent by the remote mail
>server, rather than the REVDNS value.
>
>> Received: from styggen.com [24.208.153.243] by mx2.spamsoap.com
>
>It would be difficult to maintain an accurate list of ISP CIDRs
>though. So what about a variation of this idea where the test
>would force REVDNS and HELO strings to contain a partial match.
>For example, an entry like this...
>
>.rr.com .rr.net
>
>...would require a REVDNS that contains ".rr.com", to use a
>HELO string containing either ".rr.com" or ".rr.net". Or
>perhaps the other way around.
>
>Bill
>
>-Original Message-
>From: Dan Patnode
>Sent: 08 Jun 2003 12:47:11 -0700
>Subject: Re: [Declude.JunkMail] SpamIPs Test Idea
>
>Thanks for the question Bill,
>
>Looking back at my original posting, I showed RDNS, then said
>"all the domains those IPs use". The intent is to ignore
>MAILFROM (which Spam Domains already checks) and compare only
>IP with RDNS.
>
>Scott,
>
>Would that still be effective?
>
>Dan
>
>On Sunday, June 8, 2003 11:49, Bill B. <[EMAIL PROTECTED]> wrote:
>>I'm not sure that I agree with this test. I use Earthlink DSL
>>at home, and I never send out emails using my "@earthlink.net"
>>address. I always use my personal or business address, neither
>>of which are provided by Earthlink.
>>
>>I'd bet that a large percentage of DSL, Cable and Dial-up
>>customers do not use the email account that their ISP provides,
>>but they use their ISP's outgoing mail server because they are
>>forced to due to port 25 filtering.
>>
>>Bill
>>
>>-Original Message-
>>From: "R. Scott Perry"
>>Sent: Sun, 08 Jun 2003 09:36:56 -0400
>>Subject: Re: [Declude.JunkMail] SpamIPs Test Idea
>>
>>>Another idea for a new test, a close cousin to the SpamDomains test:
>>>
>>> >Received: from styggen.com [24.208.153.243] by mx2.spamsoap.com
>>> >(SMTPD32-7.15) id A288E80090; Fri, 06 Jun 2003 10:42:32 -0700
>>>
>>>This message came from a road runner IP. How about a test where we build
>>>a list of CIDRs for a given ISP, then match it with all the domains those
>>>IPs use. In this case, the file entry would be (I know rr doesn't use .net)
>>>
>>>24.208.0.0/14    rr.com rr.net
>>>
>>>In this case, it would match the IP, look for both RR entries, find
>>>styggen.com and fail the message.
>>
>>That's a pretty neat idea. That would work well for ISPs that don't allow
>>their customers to run a mailserver, as it would provide an easy way to
>>catch (most) mail from spammers on their networks, while allowing the
>>legitimate E-mail through.
>>
>>-Scott
Re: [Declude.JunkMail] SpamIPs Test Idea
>Looking back at my original posting, I showed RDNS, then said
>"all the domains those IPs use". The intent is to ignore
>MAILFROM (which Spam Domains already checks) and compare only
>IP with RDNS.
>
>Scott,
>
>Would that still be effective?

Yes, I think the test would work with comparing to HELO/EHLO (but not for the return address).

-Scott
---
Declude JunkMail: The advanced anti-spam solution for IMail mailservers.
Declude Virus: Catches known viruses and is the leader in mailserver vulnerability detection.
Find out what you have been missing: Ask for a free 30-day evaluation.
Re: [Declude.JunkMail] SpamIPs Test Idea
Ahh, I get it. But it would have to compare the REMOTEIP to the HELO string, not to the REVDNS. Because "styggen.com" in the header below indicates the HELO string sent by the remote mail server, rather than the REVDNS value.

> Received: from styggen.com [24.208.153.243] by mx2.spamsoap.com

It would be difficult to maintain an accurate list of ISP CIDRs though. So what about a variation of this idea where the test would force REVDNS and HELO strings to contain a partial match. For example, an entry like this...

.rr.com .rr.net

...would require a REVDNS that contains ".rr.com", to use a HELO string containing either ".rr.com" or ".rr.net". Or perhaps the other way around.

Bill

-Original Message-
From: Dan Patnode
Sent: 08 Jun 2003 12:47:11 -0700
Subject: Re: [Declude.JunkMail] SpamIPs Test Idea

Thanks for the question Bill,

Looking back at my original posting, I showed RDNS, then said "all the domains those IPs use". The intent is to ignore MAILFROM (which Spam Domains already checks) and compare only IP with RDNS.

Scott,

Would that still be effective?

Dan

On Sunday, June 8, 2003 11:49, Bill B. <[EMAIL PROTECTED]> wrote:
>I'm not sure that I agree with this test. I use Earthlink DSL
>at home, and I never send out emails using my "@earthlink.net"
>address. I always use my personal or business address, neither
>of which are provided by Earthlink.
>
>I'd bet that a large percentage of DSL, Cable and Dial-up
>customers do not use the email account that their ISP provides,
>but they use their ISP's outgoing mail server because they are
>forced to due to port 25 filtering.
>
>Bill
>
>-Original Message-
>From: "R. Scott Perry"
>Sent: Sun, 08 Jun 2003 09:36:56 -0400
>Subject: Re: [Declude.JunkMail] SpamIPs Test Idea
>
>>Another idea for a new test, a close cousin to the SpamDomains test:
>>
>> >Received: from styggen.com [24.208.153.243] by mx2.spamsoap.com
>> >(SMTPD32-7.15) id A288E80090; Fri, 06 Jun 2003 10:42:32 -0700
>>
>>This message came from a road runner IP. How about a test where we build
>>a list of CIDRs for a given ISP, then match it with all the domains those
>>IPs use. In this case, the file entry would be (I know rr doesn't use .net)
>>
>>24.208.0.0/14    rr.com rr.net
>>
>>In this case, it would match the IP, look for both RR entries, find
>>styggen.com and fail the message.
>
>That's a pretty neat idea. That would work well for ISPs that don't allow
>their customers to run a mailserver, as it would provide an easy way to
>catch (most) mail from spammers on their networks, while allowing the
>legitimate E-mail through.
>
>-Scott
Re: [Declude.JunkMail] SpamIPs Test Idea
Thanks for the question Bill,

Looking back at my original posting, I showed RDNS, then said "all the domains those IPs use". The intent is to ignore MAILFROM (which Spam Domains already checks) and compare only IP with RDNS.

Scott,

Would that still be effective?

Dan

On Sunday, June 8, 2003 11:49, Bill B. <[EMAIL PROTECTED]> wrote:
>I'm not sure that I agree with this test. I use Earthlink DSL
>at home, and I never send out emails using my "@earthlink.net"
>address. I always use my personal or business address, neither
>of which are provided by Earthlink.
>
>I'd bet that a large percentage of DSL, Cable and Dial-up
>customers do not use the email account that their ISP provides,
>but they use their ISP's outgoing mail server because they are
>forced to due to port 25 filtering.
>
>Bill
>
>-Original Message-
>From: "R. Scott Perry"
>Sent: Sun, 08 Jun 2003 09:36:56 -0400
>Subject: Re: [Declude.JunkMail] SpamIPs Test Idea
>
>>Another idea for a new test, a close cousin to the SpamDomains test:
>>
>> >Received: from styggen.com [24.208.153.243] by mx2.spamsoap.com
>> >(SMTPD32-7.15) id A288E80090; Fri, 06 Jun 2003 10:42:32 -0700
>>
>>This message came from a road runner IP. How about a test where we build
>>a list of CIDRs for a given ISP, then match it with all the domains those
>>IPs use. In this case, the file entry would be (I know rr doesn't use .net)
>>
>>24.208.0.0/14    rr.com rr.net
>>
>>In this case, it would match the IP, look for both RR entries, find
>>styggen.com and fail the message.
>
>That's a pretty neat idea. That would work well for ISPs that don't allow
>their customers to run a mailserver, as it would provide an easy way to
>catch (most) mail from spammers on their networks, while allowing the
>legitimate E-mail through.
>
>-Scott
Re: [Declude.JunkMail] SpamIPs Test Idea
Bill,

That's a good thing to keep in mind, however it wouldn't compare IP to MAILFROM, it would compare only IP to RDNS. It would only check for forged RDNS, not caring if you use @webmail.us. Here's an example from Road Runner:

24.88.0.13    ae88-0-013.sc.rr.com

Someone on this IP sending with their own domain (or even from their own email server), will still pass:

24.88.0.0/16    rr.com

Dan

On Sunday, June 8, 2003 11:49, Bill B. <[EMAIL PROTECTED]> wrote:
>I'm not sure that I agree with this test. I use Earthlink DSL
>at home, and I never send out emails using my "@earthlink.net"
>address. I always use my personal or business address, neither
>of which are provided by Earthlink.
>
>I'd bet that a large percentage of DSL, Cable and Dial-up
>customers do not use the email account that their ISP provides,
>but they use their ISP's outgoing mail server because they are
>forced to due to port 25 filtering.
>
>Bill
>
>-Original Message-
>From: "R. Scott Perry"
>Sent: Sun, 08 Jun 2003 09:36:56 -0400
>Subject: Re: [Declude.JunkMail] SpamIPs Test Idea
>
>>Another idea for a new test, a close cousin to the SpamDomains test:
>>
>> >Received: from styggen.com [24.208.153.243] by mx2.spamsoap.com
>> >(SMTPD32-7.15) id A288E80090; Fri, 06 Jun 2003 10:42:32 -0700
>>
>>This message came from a road runner IP. How about a test where we build
>>a list of CIDRs for a given ISP, then match it with all the domains those
>>IPs use. In this case, the file entry would be (I know rr doesn't use .net)
>>
>>24.208.0.0/14    rr.com rr.net
>>
>>In this case, it would match the IP, look for both RR entries, find
>>styggen.com and fail the message.
>
>That's a pretty neat idea. That would work well for ISPs that don't allow
>their customers to run a mailserver, as it would provide an easy way to
>catch (most) mail from spammers on their networks, while allowing the
>legitimate E-mail through.
>
>-Scott
Re: [Declude.JunkMail] SpamIPs Test Idea
I'm not sure that I agree with this test. I use Earthlink DSL at home, and I never send out emails using my "@earthlink.net" address. I always use my personal or business address, neither of which are provided by Earthlink.

I'd bet that a large percentage of DSL, Cable and Dial-up customers do not use the email account that their ISP provides, but they use their ISP's outgoing mail server because they are forced to due to port 25 filtering.

Bill

-Original Message-
From: "R. Scott Perry"
Sent: Sun, 08 Jun 2003 09:36:56 -0400
Subject: Re: [Declude.JunkMail] SpamIPs Test Idea

>Another idea for a new test, a close cousin to the SpamDomains test:
>
> >Received: from styggen.com [24.208.153.243] by mx2.spamsoap.com
> >(SMTPD32-7.15) id A288E80090; Fri, 06 Jun 2003 10:42:32 -0700
>
>This message came from a road runner IP. How about a test where we build
>a list of CIDRs for a given ISP, then match it with all the domains those
>IPs use. In this case, the file entry would be (I know rr doesn't use .net)
>
>24.208.0.0/14    rr.com rr.net
>
>In this case, it would match the IP, look for both RR entries, find
>styggen.com and fail the message.

That's a pretty neat idea. That would work well for ISPs that don't allow their customers to run a mailserver, as it would provide an easy way to catch (most) mail from spammers on their networks, while allowing the legitimate E-mail through.

-Scott
Re: [Declude.JunkMail] SpamIPs Test Idea
>Another idea for a new test, a close cousin to the SpamDomains test:
>
> >Received: from styggen.com [24.208.153.243] by mx2.spamsoap.com
> >(SMTPD32-7.15) id A288E80090; Fri, 06 Jun 2003 10:42:32 -0700
>
>This message came from a road runner IP. How about a test where we build
>a list of CIDRs for a given ISP, then match it with all the domains those
>IPs use. In this case, the file entry would be (I know rr doesn't use .net)
>
>24.208.0.0/14    rr.com rr.net
>
>In this case, it would match the IP, look for both RR entries, find
>styggen.com and fail the message.

That's a pretty neat idea. That would work well for ISPs that don't allow their customers to run a mailserver, as it would provide an easy way to catch (most) mail from spammers on their networks, while allowing the legitimate E-mail through.

-Scott
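The SpamIPs test sketched in this thread (remote IP looked up in an ISP CIDR table, then the HELO string checked against that ISP's domains, as Scott confirmed it should compare HELO rather than the return address), Bill's REVDNS/HELO partial-match variant, and John's point about VPN-relayed mail arriving from a private address, worked through as an added Python example. This is not Declude's code and not Declude JunkMail's configuration syntax: the two table formats follow the thread's sketches, the sample tables are constructed from the thread's own ranges and domains, and the names parse_received, spamips_test and rdns_helo_test, along with the choice to skip private addresses, are assumptions made here.

```python
import ipaddress
import re

# Constructed SpamIPs table in the shape proposed in the thread: a CIDR,
# then the domain(s) that hosts inside that range legitimately announce.
# Ranges and domains are the thread's own examples, not a real ISP map.
SPAMIPS_TABLE = """
# CIDR            domains used by hosts in the range
24.208.0.0/14     rr.com rr.net
24.88.0.0/16      rr.com
"""

# Constructed table for Bill's variant: a REVDNS suffix, then the HELO
# suffixes a host whose REVDNS contains it is allowed to use.
RDNS_HELO_TABLE = """
.rr.com   .rr.com .rr.net
"""

# Matches the "from <helo> [<ip>]" part of a Received: header as written
# by the receiving server in the thread's example.
_RECEIVED_RE = re.compile(r"from\s+(\S+)\s+\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def _table_lines(text):
    """Yield the whitespace-split fields of each non-empty, non-comment line."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            yield line.split()


def parse_received(header):
    """Return (helo, remote_ip) from a Received: header, or None if absent."""
    m = _RECEIVED_RE.search(header)
    return (m.group(1), m.group(2)) if m else None


def parse_spamips(text):
    """Return [(ip_network, (domain, ...)), ...] from a SpamIPs table."""
    return [(ipaddress.ip_network(cidr, strict=False),
             tuple(d.lower().lstrip(".") for d in domains))
            for cidr, *domains in _table_lines(text)]


def parse_rdns_helo(text):
    """Return [(rdns_suffix, (helo_suffix, ...)), ...] from Bill's table."""
    return [(rdns.lower(), tuple(h.lower() for h in helos))
            for rdns, *helos in _table_lines(text)]


def host_in_domain(hostname, domain):
    """True when hostname equals domain or is a subdomain of it."""
    hostname = hostname.lower().rstrip(".")
    return hostname == domain or hostname.endswith("." + domain)


def spamips_test(remote_ip, helo, table):
    """IP vs HELO (the SpamIPs test).

    'skip' when no range applies, including private addresses (what John's
    VPN-relayed mail presents); 'pass' when the IP is in a listed range and
    HELO is under one of that range's domains; 'fail' otherwise.
    """
    ip = ipaddress.ip_address(remote_ip)
    if ip.is_private:
        return "skip"
    for network, domains in table:
        if ip in network:
            return "pass" if any(host_in_domain(helo, d) for d in domains) else "fail"
    return "skip"


def rdns_helo_test(rdns, helo, rules):
    """Bill's variant: a REVDNS containing the rule's first suffix must use a
    HELO containing one of the listed suffixes. 'skip' when no rule applies."""
    rdns, helo = rdns.lower(), helo.lower()
    for rdns_suffix, helo_suffixes in rules:
        if rdns_suffix in rdns:
            return "pass" if any(s in helo for s in helo_suffixes) else "fail"
    return "skip"


if __name__ == "__main__":
    # The thread's example header, run through both tests.
    header = "Received: from styggen.com [24.208.153.243] by mx2.spamsoap.com"
    helo, ip = parse_received(header)
    print("SpamIPs:", spamips_test(ip, helo, parse_spamips(SPAMIPS_TABLE)))
    print("RDNS/HELO:", rdns_helo_test("ae88-0-013.sc.rr.com", helo,
                                       parse_rdns_helo(RDNS_HELO_TABLE)))
```

The example header fails the SpamIPs test exactly as the thread predicts: 24.208.153.243 falls in 24.208.0.0/14, and styggen.com is under neither rr.com nor rr.net. Dan's Road Runner host (24.88.0.13 announcing ae88-0-013.sc.rr.com) passes because the HELO is a subdomain of rr.com, and a private address such as John's VPN peer is skipped rather than failed.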