> X-Declude-Sender: [EMAIL PROTECTED]
> X-Declude-Sender: [EMAIL PROTECTED]
>
> Is there any way to block on these extensions (de,ch)? I don't see any
> valid email coming from domains with these extensions.
Karl,
I'm pretty sure that the owner of these two sender addresses has absolutely nothing to
do with this spam. As a victim of a joe job I've received hundreds of non-delivery
reports back to our @zcom.it domain in the last two weeks.
As I can see from the NDRs, the message content had something to do with "y_oung
r_ussian g_uys" but the indicated mailfrom address was "[EMAIL PROTECTED]"
Smtp-envelope-sender and Mailfrom are easily forgeable and you should not punish any
country only because the mailfrom TLD points to it.
If you're interested in blocking or giving some points for certain countries because you
receive a lot of spam from there, I can provide you my reports regarding Declude's
Country-Chain filter:
From 7880 held spam messages that were delivered to our server in Italy, they were sent
from or delivered through:
3411 UNITED STATES
1177 [IANA Reserved]
950 CHINA
690 ITALY
481 [Unknown]
418 KOREA-KR
344 CANADA
327 BRAZIL
266 GERMANY
218 [ARIN Unlisted]
198 UNITED KINGDOM
168 [Multicast]
148 FRANCE
141 MEXICO
127 SPAIN
122 JAPAN
99 NETHERLANDS
90 SWEDEN
88 RUSSIAN FEDERATION
86 TAIWAN
81 [RIPE Unlisted]
74 VENEZUELA
61 INDIA
58 POLAND
58 ISRAEL
58 CHILE
58 AUSTRIA
58 AUSTRALIA
56 ARGENTINA
41 HONG KONG
38 SWITZERLAND
35 BELGIUM
33 [APNIC Unlisted]
22 FINLAND
22 DENMARK
22 [Central/South America]
18 TURKEY
18 SLOVENIA
17 NEW ZEALAND
17 HUNGARY
15 THAILAND
14 PHILIPPINES
13 NORWAY
13 MALAYSIA
12 PORTUGAL
12 PERU
12 EGYPT
11 SINGAPORE
11 [Public Data Network]
9 COLOMBIA
7 UNITED ARAB EMIRATES
7 SOUTH AFRICA
7 SAUDI ARABIA
7 IRAN
6 NIGERIA
6 ESTONIA
6 CZECH REPUBLIC
6 BAHRAIN
5 TRINIDAD AND TOBAGO
5 SLOVAKIA
5 PALESTINE
5 PAKISTAN
5 OMAN
5 LUXEMBOURG
5 LATVIA
5 KUWAIT
5 [Multi-Regional]
4 ROMANIA
4 PANAMA
4 MALTA
4 ICELAND
4 GREECE
4 EL SALVADOR
3 IRELAND
3 INDONESIA
3 BOLIVIA
2 UKRAINE
2 TUNISIA
2 MOROCCO
2 LITHUANIA
2 JORDAN
2 ECUADOR
2 DOMINICAN REPUBLIC
2 BARBADOS
2 ALGERIA
1 YUGOSLAVIA
1 VIET NAM
1 URUGUAY
1 TOGO
1 SUDAN
1 SENEGAL
1 PUERTO RICO
1 MAURITIUS
1 LAO
1 KENYA
1 GIBRALTAR
1 GEORGIA
1 CROATIA
1 COTE D'IVOIRE
1 COSTA RICA
1 BULGARIA
1 BAHAMAS
1 AZERBAIJAN
My opinion is that no single country-based data can be used as a reliable spam
indicator. Or are you 100% sure that absolutely none of your mail users will ever
have anything to do with someone from Venezuela, China or whatever other country?
What I consider very suspicious is if the following data do not correspond:
- smtp-envelope-sender tld
- MAILFROM tld
- first country in COUNTRY CHAIN
- HELO tld
...and maybe also REVDNS tld.
In any case the internationally used com/net/org/info/biz/coop/name... TLDs should be
excluded from this test. Or in other words: watch all 2-letter TLDs.
For sure it would not be a blocking test, because in certain cases it could create
false positives, but in a weighting system it could give something between 10 and 50%
for your hold weight.
Markus
---
This E-mail came from the Declude.JunkMail mailing list. To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail". The archives can be found
at http://www.mail-archive.com.
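
Added example, not part of the original post and not Declude code: a sketch of the consistency test described above, which compares the 2-letter TLDs of the envelope sender, MAILFROM, HELO and reverse DNS with the first country in the country chain, ignores generic TLDs, and returns a share of the hold weight instead of blocking. The function names, the hold weight of 20, the default 25% share, the ISO-code form of the country value and the sample messages are all assumptions made for illustration.

```python
# Added example (not Declude code): TLD/country consistency as a weighted test.
ISO_TO_TLD = {"gb": "uk"}  # ISO code GB is delegated as the .uk TLD

def cc_tld(value):
    """Return the 2-letter TLD of an address or host name, else None."""
    if not value:
        return None
    host = value.strip().strip("<>").rsplit("@", 1)[-1].rstrip(".").lower()
    tld = host.rsplit(".", 1)[-1] if "." in host else ""
    # com/net/org/info/... and IP literals drop out: only 2-letter TLDs count
    return tld if len(tld) == 2 and tld.isalpha() else None

def country_mismatch(envelope_sender, mailfrom, helo, first_country, revdns=None):
    """Return {field: code} when the usable fields disagree, {} otherwise."""
    iso = (first_country or "").strip().lower()
    iso = ISO_TO_TLD.get(iso, iso)
    seen = {
        "envelope_sender": cc_tld(envelope_sender),
        "mailfrom": cc_tld(mailfrom),
        "helo": cc_tld(helo),
        "revdns": cc_tld(revdns),
        # values such as "[Unknown]" or "[IANA Reserved]" are not usable
        "country_chain": iso if len(iso) == 2 and iso.isalpha() else None,
    }
    seen = {k: v for k, v in seen.items() if v}
    return seen if len(set(seen.values())) > 1 else {}

def mismatch_weight(hold_weight, fraction=0.25, **fields):
    """Points to add: a share of the hold weight, never a block on its own."""
    if not 0.10 <= fraction <= 0.50:
        raise ValueError("fraction outside the 10-50% range given in the post")
    return round(hold_weight * fraction) if country_mismatch(**fields) else 0

# Constructed sample messages (no real traffic); host names are made up.
SAMPLES = {
    "forged": dict(envelope_sender="<a@constructed-sample.de>",
                   mailfrom="a@constructed-sample.de",
                   helo="mx.constructed-sample.kr", first_country="KR"),
    "consistent": dict(envelope_sender="b@constructed-sample.it",
                       mailfrom="b@constructed-sample.it",
                       helo="mail.constructed-sample.it", first_country="IT",
                       revdns="host1.constructed-sample.it"),
    "generic": dict(envelope_sender="c@constructed-sample.com",
                    mailfrom="c@constructed-sample.com",
                    helo="[192.0.2.10]", first_country="US"),
}

if __name__ == "__main__":
    for name, fields in SAMPLES.items():
        print(name, mismatch_weight(20, **fields), country_mismatch(**fields))
```

A message with fewer than two usable country codes scores 0, so mail from generic TLDs is never penalised by this test alone.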