When I see ISP mail servers listed, it is generally due to one of two things...they either have no controls on someone doing a bulk mailing through their servers, or much more likely, they are forwarding E-mail to an off-server account. I see legit E-mail being tagged by SpamCop and MailPolice all the time because it passed through a server that is used for forwarding such things. AT&T for instance has a set of servers for just this purpose which get tagged all the time. The problem is that people are either using spamtraps that forward this forwarded spam, or they are reporting forwarded messages as spam and the systems consider the AT&T gateway to be the source (a problem with the design). All of the RBLs need to generate lists of large ISP mail servers, especially the gateways, in order to prevent this from happening.
On my own system, I have AT&T's gateways IPBYPASSed primarily because of this issue, though it also helps a great deal with filtering of the accounts forwarded through them since I am only scanning on the last hop still. The issue of course is that IPBYPASS only allows 20 entries since it was designed only to be used on your own gateways and not a large list of servers from other sources (I hope to see this turned into a separate file sometime). Just to repeat so that someone doesn't make a mistake...Declude only accepts the first IPBYPASSed addresses, after that it will ignore the entries. Here's what I'm using for AT&T currently for instance:
# mtiwgwc11.worldnet.att.net - mtiwgwc18.worldnet.att.net
IPBYPASS 204.127.131.121
IPBYPASS 204.127.131.122
IPBYPASS 204.127.131.123
IPBYPASS 204.127.131.124
IPBYPASS 204.127.131.125
IPBYPASS 204.127.131.126
IPBYPASS 204.127.131.127
IPBYPASS 204.127.131.118
I believe some other ISPs have pages listing the servers from which they forward E-mail on. I generated my list though from looking up one known server from SenderBase, and then doing some follow-up reverse DNS digging. It's important to make sure that these servers are never an SMTP server for end users to send E-mail from, otherwise you might be hitting the dial-up IPs instead of another mail server. This has been working for me, but in general, this isn't going to be a fix for forwarded E-mail until either IPBYPASS gets expanded, or the RBLs stop listing ISP gateway mail servers.
Matt
John Tolmachoff (Lists) wrote:
Great, SpamCop is listing WebTV.net mail server IP falsely. Looking at the samples, they look legit to me.
Has anyone actually seen spam come from a WebTV.net server?
John Tolmachoff Engineer/Consultant/Owner eServices For You
--- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com.
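Added example, not part of the original post and not Declude's own code: a small Python check that reports which IPBYPASS lines fall past the 20-entry limit described above and would therefore be ignored. It assumes one "IPBYPASS <address>" per line, "#" comment lines, and that a duplicate still uses up a slot; the function name and the sample addresses are constructed for illustration.

```python
import ipaddress

BYPASS_LIMIT = 20  # entry limit stated in the post above


def audit_ipbypass(config_text, limit=BYPASS_LIMIT):
    """Split IPBYPASS entries into honored/ignored and list problem lines.

    Assumptions (not taken from Declude documentation): one
    "IPBYPASS <IPv4>" per line, lines starting with "#" are comments,
    and a duplicate entry still uses up one of the slots.
    """
    entries, problems, seen = [], [], set()
    for lineno, raw in enumerate(config_text.splitlines(), 1):
        parts = raw.split()
        if not parts or parts[0].startswith("#") or parts[0].upper() != "IPBYPASS":
            continue
        try:
            if len(parts) != 2:
                raise ValueError("expected exactly one address")
            ip = str(ipaddress.IPv4Address(parts[1]))
        except ValueError as exc:
            problems.append((lineno, f"malformed entry: {exc}"))
            continue
        if ip in seen:
            problems.append((lineno, f"duplicate of {ip} wastes a slot"))
        seen.add(ip)
        entries.append((lineno, ip))
    return entries[:limit], entries[limit:], problems


# Constructed sample: 22 documentation-range addresses, one duplicate,
# one typo. None of these are real gateway addresses.
SAMPLE = "\n".join(
    ["# constructed forwarder list"]
    + [f"IPBYPASS 192.0.2.{n}" for n in range(1, 23)]
    + ["IPBYPASS 192.0.2.5", "IPBYPASS 192.0.2.300"]
)

if __name__ == "__main__":
    honored, ignored, problems = audit_ipbypass(SAMPLE)
    print(f"{len(honored)} entries honored")
    for lineno, ip in ignored:
        print(f"line {lineno}: {ip} is past the limit and will be ignored")
    for lineno, msg in problems:
        print(f"line {lineno}: {msg}")
```

Any address reported as ignored is a forwarder that still gets treated as the last hop, so messages relayed through it remain exposed to the RBL false positives discussed in the post.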