[Declude.JunkMail] Using RHSBL's for reverse DNS entries

2004-05-13 Thread Matt




Scott,

I've been thinking about this for a while as a way to increase spam
detection and do things that are otherwise more difficult to do, and
then the other day I found that MailPolice was actually promoting their
RHSBL's for use on both the Mail From and the reverse DNS entry, and
now they have a zone that is built to detect DUL users using reverse
DNS entries. I think that both additions would be very useful for spam
blocking. Here's their current list of zones:

bulk.rhs.mailpolice.com - domains used to send or host
spam/bulk-sender/unconfirmed mailing lists/advertising sites

porn.rhs.mailpolice.com - domains used to send or host pornographic
sites

block.rhs.mailpolice.com - combined porn.rhs.mailpolice.com and
bulk.rhs.mailpolice.com

dynamic.rhs.mailpolice.com - dynamic PPP/DSL/cable reverse DNS
hostnames, useful for stopping spam from broadband proxies

fraud.rhs.mailpolice.com - domains and IPs hosting fraudulent content,
aka "phishing"


I've found that there are many foreign providers that aren't listed in
the free DUL/DHUL/DYNA lists, but it is often easy to identify their
naming conventions with senderbase.org and add them to a DUL filter.
It seems though that MailPolice has already done much of this work for
us. Also of note is the fact that many spammers, while they change
the Mail From from campaign to campaign, tend to not change their
reverse DNS entries as often, and this would again lead to
better/earlier detection of static spammers that attempt to obfuscate.

Is there any shot of you enabling a different type of test built to do
RHS lookups from the reverse DNS value?

Thanks,

Matt
-- 
=
MailPure custom filters for Declude JunkMail Pro.
http://www.mailpure.com/software/
=




Re: [Declude.JunkMail] Using RHSBL's for reverse DNS entries

2004-05-13 Thread Russ Uhte (Lists)
At 03:38 PM 5/13/2004, Matt wrote:
> Scott,
>
> I've been thinking about this for a while as a way to increase spam
> detection and do things that are otherwise more difficult to do, and then
> the other day I found that MailPolice was actually promoting their RHSBL's
> for use on both the Mail From and the reverse DNS entry, and now they have
> a zone that is built to detect DUL users using reverse DNS entries.  I
> think that both additions would be very useful for spam blocking.  Here's
> their current list of zones:
>
> bulk.rhs.mailpolice.com - domains used to send or host
> spam/bulk-sender/unconfirmed mailing lists/advertising sites
>
> porn.rhs.mailpolice.com - domains used to send or host pornographic sites
>
> block.rhs.mailpolice.com - combined porn.rhs.mailpolice.com and
> bulk.rhs.mailpolice.com
>
> dynamic.rhs.mailpolice.com - dynamic PPP/DSL/cable reverse DNS hostnames,
> useful for stopping spam from broadband proxies
>
> fraud.rhs.mailpolice.com - domains and IPs hosting fraudulent content, aka
> "phishing"

Maybe I'm missing something obvious here, but I've been using this for
some time now...

MAILPOLICE-BULK rhsbl   bulk.rhs.mailpolice.com 127.0.0.2   7   0
MAILPOLICE-PORN rhsbl   porn.rhs.mailpolice.com 127.0.0.2   10  0

Is this different from what you're trying to do?

-Russ 

---
[This E-mail scanned for viruses by Declude Virus]
---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]
---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.JunkMail.  The archives can be found
at http://www.mail-archive.com.


Re: [Declude.JunkMail] Using RHSBL's for reverse DNS entries

2004-05-13 Thread R. Scott Perry

> Is there any shot of you enabling a different type of test built to do RHS
> lookups from the reverse DNS value?

Actually, you can use something like:

BULK-REVDNS dnsbl   %REVDNS%.bulk.rhs.mailpolice.com   *   x   0

   -Scott
---
Declude JunkMail: The advanced anti-spam solution for IMail mailservers 
since 2000.
Declude Virus: Ultra reliable virus detection and the leader in mailserver 
vulnerability detection.
Find out what you've been missing: Ask for a free 30-day evaluation.



Re: [Declude.JunkMail] Using RHSBL's for reverse DNS entries

2004-05-13 Thread Matt




Currently, to the best of my knowledge, 'rhsbl' tests in Declude only
work on the Mail From and not the reverse DNS value. I'm interested in
the reverse DNS value to be added.

BTW, there are a couple of additional tests that MailPolice added at
the end of April that weren't on that list:
adv.rhs.mailpolice.com
(http://rhs.mailpolice.com/index.php#rhsadv)
Domains used by e-mail marketers. This includes legitimate opt-in
subscription mailing lists and newsletters. This list should never be
used to block e-mail in site-wide configurations! It will surely block
legitimate and important e-mail that users have opted-in to receive.
This should only be used by user-configurable filters, or possibly as a
white-list for people who wish to receive solicited advertising.
  
webmail.rhs.mailpolice.com (http://rhs.mailpolice.com/changes.php)
For listing webmail providers (Matt's note: this could be useful in a
combination filter).

Matt








Re: [Declude.JunkMail] Using RHSBL's for reverse DNS entries

2004-05-13 Thread Nick Hayer
On 13 May 2004 at 16:57, R. Scott Perry wrote:
Scott,

For the test type below you have dnsbl ;

I have only been using  rhsbl and ip4r - are these just names to 
flag the type of test in global.cfg or are different actions taken on 
each? [Hope I am somewhat clear on this..]

-Nick Hayer
 
> > Is there any shot of you enabling a different type of test built to
> > do RHS lookups from the reverse DNS value?
>
> Actually, you can use something like:
>
> BULK-REVDNS dnsbl   %REVDNS%.bulk.rhs.mailpolice.com   *   x   0
>
>    -Scott


Re: [Declude.JunkMail] Using RHSBL's for reverse DNS entries

2004-05-13 Thread Russ Uhte (Lists)
At 04:01 PM 5/13/2004, Matt wrote:
> Currently, to the best of my knowledge, 'rhsbl' tests in Declude only work
> on the Mail From and not the reverse DNS value.  I'm interested in the
> reverse DNS value to be added.

Aha... I figured it was something obvious...

-Russ 



Re: [Declude.JunkMail] Using RHSBL's for reverse DNS entries

2004-05-13 Thread Matt
That would be awesome if it really does work.  I'll give it a try this 
evening!  Am I also to assume that this will work with the %HELO% as 
well?  That would rock :)

Just a note of caution to others, if you use MailPolice Bulk on the Mail 
From, and you try this technique, you probably don't want to be scoring 
a double hit, instead a combo filter using TESTSFAILED to assess one 
value for either failure would be the best, i.e.

- MailPolice.txt -
TESTSFAILED  0  CONTAINS  MAILPOLICE-BULK
TESTSFAILED  0  CONTAINS  MAILPOLICE-BULK-REVDNS
...and then give it one score in the Global.cfg.

Thanks,

Matt





Re: [Declude.JunkMail] Using RHSBL's for reverse DNS entries

2004-05-13 Thread R. Scott Perry

> For the test type below you have dnsbl ;
>
> I have only been using  rhsbl and ip4r - are these just names to
> flag the type of test in global.cfg or are different actions taken on
> each? [Hope I am somewhat clear on this..]

That is correct.

ip4r will take the IP address that the E-mail came from, reverse it, and 
add it to the zone that you supply.  So an E-mail coming from 192.0.2.25 
using the zone bl.example.net would use 25.2.0.192.bl.example.net.

rhsbl will take the domain in the return address and add it to the zone 
that you supply.  So an E-mail coming from [EMAIL PROTECTED] using the zone 
bl.example.net would use example.com.bl.spamcop.net.

dnsbl will just use the zone that you supply.  So if you use 
%REVDNS%.bl.example.net, an E-mail coming from the IP 192.0.2.25 that has a 
reverse DNS entry of mail.example.com would use the zone 
mail.example.com.bl.spamcop.net.

   -Scott


Re: [Declude.JunkMail] Using RHSBL's for reverse DNS entries

2004-05-13 Thread Matt
Scott,

I think that beats the 8 minute feature request :)

Thanks again,

Matt





Re: [Declude.JunkMail] Using RHSBL's for reverse DNS entries

2004-05-13 Thread Nick Hayer
On 13 May 2004 at 17:16, R. Scott Perry wrote:
kool -  thanks!

-Nick
 


Re: [Declude.JunkMail] Using RHSBL's for reverse DNS entries

2004-05-13 Thread Don Brown
So in the global we'd have:

First the actual tests with no value for failure
MAILPOLICE-BULK-REVDNS dnsbl %REVDNS%.bulk.rhs.mailpolice.com * 0 0
MAILPOLICE, etc.

Then the Filter (Using the example construct below) with a weight
MAILPOLICE filter X:\imail\declude\MailPolice.txt x 10 0

Is that correct?

Thanks,

Thursday, May 13, 2004, 4:17:58 PM, Matt [EMAIL PROTECTED] wrote:
> That would be awesome if it really does work.  I'll give it a try this
> evening!  Am I also to assume that this will work with the %HELO% as
> well?  That would rock :)
>
> Just a note of caution to others, if you use MailPolice Bulk on the Mail
> From, and you try this technique, you probably don't want to be scoring
> a double hit, instead a combo filter using TESTSFAILED to assess one
> value for either failure would be the best, i.e.
>
> - MailPolice.txt -
> TESTSFAILED  0  CONTAINS  MAILPOLICE-BULK
> TESTSFAILED  0  CONTAINS  MAILPOLICE-BULK-REVDNS
>
> ...and then give it one score in the Global.cfg.
>
> Thanks,
>
> Matt










Don Brown - Dallas, Texas USA Internet Concepts, Inc.
[EMAIL PROTECTED]   http://www.inetconcepts.net
(972) 788-2364   Fax: (972) 788-5049




Re: [Declude.JunkMail] Using RHSBL's for reverse DNS entries

2004-05-13 Thread R. Scott Perry

> That would be awesome if it really does work.  I'll give it a try this
> evening!  Am I also to assume that this will work with the %HELO% as
> well?  That would rock :)

Yes, it will also work with %HELO%.  :)

You can also use %MAILFROMBL%, which turns [EMAIL PROTECTED] into 
user.example.com, for spam databases that work on the full E-mail address 
rather than just the domain.

   -Scott
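
Added example, not part of the original thread and not Declude's code: a Python sketch of how the three test types Scott describes above (ip4r, rhsbl, and dnsbl with %REVDNS%, %HELO% or %MAILFROMBL%) build the name they look up, and of Matt's advice to score a Mail From hit and a reverse-DNS hit only once. The function names, test names, zone data and the user@example.com expansion are assumptions made for the illustration.

```python
# Added illustration of the lookups described in this thread; not Declude code.
import ipaddress
import re

_VAR = re.compile(r"%(REVDNS|HELO|MAILFROMBL)%")
_HOSTNAME = re.compile(r"[a-z0-9_-]+(\.[a-z0-9_-]+)*")

def query_name(test_type, zone, ip, mail_from, revdns="", helo=""):
    """Return the DNS name one test line looks up, or None if it cannot be built."""
    if test_type == "ip4r":    # reversed octets of the connecting IP, then the zone
        octets = str(ipaddress.IPv4Address(ip)).split(".")
        return ".".join(reversed(octets)) + "." + zone
    if test_type == "rhsbl":   # domain of the return address, then the zone
        return mail_from.rpartition("@")[2].lower() + "." + zone
    if test_type != "dnsbl":
        raise ValueError("unknown test type: " + test_type)
    # dnsbl: the zone is used as given once its variables are filled in.
    values = {
        "REVDNS": revdns,
        "HELO": helo,
        # Assumption: user@example.com becomes user.example.com.
        "MAILFROMBL": mail_from.replace("@", "."),
    }
    unusable = []
    def fill(match):
        value = values[match.group(1)].strip().rstrip(".").lower()
        # These values come from the remote side: skip the lookup when one is
        # empty (for example, no PTR record) or not shaped like a hostname.
        if not _HOSTNAME.fullmatch(value):
            unusable.append(match.group(0))
        return value
    name = _VAR.sub(fill, zone)
    return None if unusable or len(name) > 253 else name

def failed_tests(tests, resolve, **msg):
    """tests: (name, type, zone, expected) tuples; expected "*" accepts any answer."""
    failed = set()
    for name, test_type, zone, expected in tests:
        qname = query_name(test_type, zone, **msg)
        answers = resolve(qname) if qname else []
        if answers and (expected == "*" or expected in answers):
            failed.add(name)
    return failed

def combo_weight(failed, members, weight):
    """Score a group of related tests once, however many of them failed."""
    return weight if failed & set(members) else 0

# Constructed zone data standing in for a live resolver; bl.example.net is a placeholder.
ZONE = {
    "bulkmailer.example.bl.example.net": ["127.0.0.2"],
    "out1.bulkmailer.example.bl.example.net": ["127.0.0.2"],
}
TESTS = [  # hypothetical test names
    ("BULK-MAILFROM", "rhsbl", "bl.example.net", "127.0.0.2"),
    ("BULK-REVDNS", "dnsbl", "%REVDNS%.bl.example.net", "*"),
    ("BULK-HELO", "dnsbl", "%HELO%.bl.example.net", "*"),
]
MESSAGE = dict(ip="192.0.2.25", mail_from="news@bulkmailer.example",
               revdns="out1.bulkmailer.example.", helo="localhost")

def demo():
    failed = failed_tests(TESTS, lambda q: ZONE.get(q, []), **MESSAGE)
    return failed, combo_weight(failed, ["BULK-MAILFROM", "BULK-REVDNS"], 10)

if __name__ == "__main__":
    print(demo())
```

The constructed message is listed by both its Mail From domain and its reverse DNS name, yet the combined group contributes its weight of 10 a single time.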


Re: [Declude.JunkMail] Using RHSBL's for reverse DNS entries

2004-05-13 Thread Matt
R. Scott Perry wrote:

> You can also use %MAILFROMBL%, which turns [EMAIL PROTECTED] into
> user.example.com, for spam databases that work on the full E-mail
> address rather than just the domain.

You know Scott, that was on my list of things to ask for but I was 
holding back :)  What a bunch of nice surprises.  This will all keep me 
busy for a while to come.

Thanks,

Matt



Re: [Declude.JunkMail] Using RHSBL's for reverse DNS entries

2004-05-13 Thread Bill Landry
- Original Message - 
From: R. Scott Perry [EMAIL PROTECTED]

> > That would be awesome if it really does work.  I'll give it a try this
> > evening!  Am I also to assume that this will work with the %HELO% as
> > well?  That would rock :)
>
> Yes, it will also work with %HELO%.  :)
>
> You can also use %MAILFROMBL%, which turns [EMAIL PROTECTED] into
> user.example.com, for spam databases that work on the full E-mail address
> rather than just the domain.

Scott, are there any such lists that use the full e-mail address that you
know of?  These are some nice additional features.

Thanks,

Bill



Re: [Declude.JunkMail] Using RHSBL's for reverse DNS entries

2004-05-13 Thread R. Scott Perry

> > You can also use %MAILFROMBL%, which turns [EMAIL PROTECTED] into
> > user.example.com, for spam databases that work on the full E-mail address
> > rather than just the domain.
>
> Scott, are there any such lists that use the full e-mail address that you
> know of?  These are some nice additional features.

I'm not aware of any right now.  I know some people had talked about 
possibly creating some, but I don't think anyone has done so yet (or at 
least not with a public spam database).

   -Scott