Thanks for the tip. I'll probably search some of my spam files for hits before adding this just to make sure it doesn't interfere with anything and in order to see how common it is. I don't think adding extra lines to something that only searches reverse DNS is that demanding on resources.
I started the numbers above 30 just to protect from the possibility of some networks using numbering for servers instead of just for IPs. I can't say that I have an example that would have hit on the filter, but I have seen lots and lots of numbered servers and it's bound to happen, and I didn't figure the filter would miss anything that was truly an IP and expressed in this standard fashion.
Regarding the zero padding issue, I figure that the filter still has a very good shot of hitting one of the 4 numbers, and in your example, it would still hit the -168-. So if there are any numbers over 100 and zero padded, it should still hit except maybe if they are on either end. It would take a lot of lines in the filter to overcome this, probably another 150 or so, and zero padding is somewhat rare. You are of course welcome to add whatever you feel is necessary to improve the filter from your standpoint.
The biggest offenders that this filter is looking to tag are residential DSL subscribers, and a search of my logs for positive hits shows a huge disparity in the amount of spam sent from residential-class service over business-class service. Case in point: biz.rr.com sent a total of 6 out of 1,053 spams, all of which were machines with open relays/proxies that were well known, while regular rr.com sent 96 out of 1,053 spams, many of which were on none of the open relay/proxy lists. I'm assuming that this is because there isn't a high degree of spam sent from statically assigned business IP addresses in use for servers by real customers unless the server has been taken over, and many of the lists quickly figure that out, but people are actually, in many cases, just simply spamming from home. I'm looking to exclude the business networks because of this, and because they represent almost all of the FPs that the test scores. Unfortunately some can't be effectively identified, and that's why I score it at 30% of my fail weight. There are also some instances where smaller businesses are running software at home to send out bulk mail that wouldn't be considered spam.
Matt
Charles Frolick wrote:
You might want to add underscores. I use underscores as my separator, and I doubt I am the only ISP to do so. Also, why did you start the list at 30? I know that it is very unlikely for a residential IP to be all numbers under 30, but why 30? And finally, what about those that pad with zeros? i.e. 192-168-054-003.dynamic.isp.tld.
Thanks, Chuck Frolick ArgoNet, Inc.
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matthew Bramble
Sent: Wednesday, September 17, 2003 8:25 PM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.JunkMail] DYNAMIC - 09/17/2003 - A new filter to detect IP'd reverse DNS entries
Actually, you don't get scored with this filter. You would need to have dashes or dots on both sides of a number. Even if you did, you would have a real tough time scoring anything over 1 coming to my machine. Your mileage may vary of course.
Also, I can't see why it would be even workable to tag frame or T-1s with an IP address in the reverse. Too many such clients use full class Cs, and the practice of using numbered naming conventions in dial-up is because they're fixed and easy to identify (i.e. they don't have to assign new names upon request). The only thing that might match your IP in that reverse entry is the 88, not the 224; that's probably a reference to a customer number or region so they can look you up in a database, I'm guessing.
Matt
--- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]
--- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com.
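The filter debated in this thread is easy to model, and doing so makes the two open questions (underscores as separators, zero-padded octets) measurable. The block below is an added example, not Matt's actual Declude filter file or anything from Declude itself. It follows Matt's description of the filter: one line per number from 30 to 255, matched only when a dash or dot sits on both sides of it, with business-class networks skipped. A second set of patterns adds Chuck's two suggestions so the difference shows on sample hostnames. The per-hit weight, the business suffix list beyond biz.rr.com, and every hostname other than Chuck's 192-168-054-003.dynamic.isp.tld are constructed for the example.

```python
# Added example: a Python model of the "IP'd reverse DNS" filter discussed
# in the thread.  Not Matt's real filter file; it mirrors his description
# (one filter line per number 30..255 with a separator on each side).

LOW, HIGH = 30, 255      # Matt's range: numbers below 30 are deliberately ignored


def build_substrings(separators="-.", zero_pad=False, low=LOW, high=HIGH):
    """Return the literal substrings the filter looks for, one per
    (left separator, number, right separator) combination, which is what a
    filter made of one "contains" line per pattern amounts to."""
    subs = set()
    for n in range(low, high + 1):
        forms = {str(n)}
        if zero_pad and n < 100:          # Chuck's case: 054 for 54, 030 for 30
            forms.add(f"{n:03d}")
        for form in forms:
            for left in separators:
                for right in separators:
                    subs.add(f"{left}{form}{right}")
    return subs


ORIGINAL = build_substrings("-.")                   # dashes/dots, as Matt describes
EXTENDED = build_substrings("-._", zero_pad=True)   # plus underscores and zero padding

# Business-class reverse DNS suffixes the filter skips.  biz.rr.com is the
# one named in the thread; the second entry is a constructed placeholder.
BUSINESS_SUFFIXES = (".biz.rr.com", ".biz.example.net")


def is_business(host):
    """True when the reverse DNS name falls under an excluded business suffix."""
    host = host.lower().rstrip(".")
    return any(host.endswith(s) for s in BUSINESS_SUFFIXES)


def hits(host, substrings):
    """Distinct filter lines that match the reverse DNS name, sorted for
    stable output.  A line counts once even if its substring occurs twice."""
    host = host.lower()
    return sorted(s for s in substrings if s in host)


def score(host, substrings, weight_per_hit=1):
    """Weight added by the filter: zero for excluded business networks,
    otherwise weight_per_hit (an assumed value) per matching line."""
    if is_business(host):
        return 0
    return weight_per_hit * len(hits(host, substrings))


if __name__ == "__main__":
    # Constructed sample hostnames (the first is Chuck's example from the thread).
    samples = [
        "192-168-054-003.dynamic.isp.tld",   # zero padded: only -168- hits the original
        "adsl_66_88_224_12.example.net",     # underscore separators: original misses it
        "web-12.example.com",                # numbered server below 30: never hits
        "cpe-10-45-67-200.rr.com",           # residential-style name: three hits
        "cpe-10-45-67-200.biz.rr.com",       # same pattern on an excluded business suffix
    ]
    for h in samples:
        print(f"{h:36} original={score(h, ORIGINAL)} {hits(h, ORIGINAL)}"
              f"  extended={score(h, EXTENDED)} {hits(h, EXTENDED)}")
```

Running it shows why the zero-padding question is only partly covered by Matt's argument: Chuck's example still scores on the middle octet under the original patterns, but the padded 054 is invisible to them and 003 is excluded by the 30 floor either way. The number of filter lines also makes the resource question concrete, since the original set is 226 numbers times four separator pairs, while adding a third separator and the padded forms roughly triples it.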
