Andrew,

I think you have a very good idea. In fact, all negative weight tests should probably be limited to just the last hop, since they are typically designed to only apply to the last hop.

It might be a good idea for Scott to limit BONDEDSENDER to the last hop by default, and maybe give us another prefix/suffix to use for this purpose instead of DYNA or DUL since that might not be easily understood by some.

Matt



Colbeck, Andrew wrote:

Check out these received lines:

Received: from h24-87-101-24.vs.shawcable.net [24.87.101.24] by mail.bentall.com
 (SMTPD32-8.02) id A3A4A8B007C; Thu, 04 Dec 2003 22:20:20 -0800
Received: from ebay.com (lore.ebay.com [66.135.195.181])
        by h24-87-101-24.vs.shawcable.net (Postfix) with ESMTP id 5CE7E8F5E3
        for <snip>; Fri, 05 Dec 2003 00:20:20 -0600
Date: Fri, 05 Dec 2003 00:20:20 -0600
From: "Snapper S. Perseid" <[EMAIL PROTECTED]>
X-Mailer: The Bat! (v2.00.7) Personal
X-Priority: 3
Message-ID: <[EMAIL PROTECTED]>
To: snip <snip>
Subject: [Msg Track# snip]  Your billing profile on ebay.com
MIME-Version: 1.0
Content-Type: text/html
Content-Transfer-Encoding: 7bit

The Shaw Cable address is for a home user and e-mail directly from it would
be suspect.  In fact, it is heavily listed in static and dynamic ip4r
databases, spamdomains, etc. and that would put it well over my hold weight.

The line with lore.ebay.com is entirely fake, but the address for
lore.ebay.com is correct, and BONDEDSENDER had a high enough negative weight
that this phishing spam got through.  So, I'm thinking of renaming my test
to BONDEDSENDER-DYNA so that Declude will only check the bondedsender ip4r
test against the first hop.

Does anybody see a problem with doing that?

Andrew 8)




---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail".  The archives can be found
at http://www.mail-archive.com.
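
The effect discussed in this thread, as an added example that is not part of the original messages and is not Declude's code: a negative-weight allowlist test is scored once against every IP found in the Received lines and once against only the connecting IP recorded by the receiving server (the topmost Received line). The two sets stand in for ip4r DNS lookups, and the weights are hypothetical.

```python
import re
from email import message_from_string

# Received lines as quoted in the message above (recipient elided as on the page).
RAW = """\
Received: from h24-87-101-24.vs.shawcable.net [24.87.101.24] by mail.bentall.com
 (SMTPD32-8.02) id A3A4A8B007C; Thu, 04 Dec 2003 22:20:20 -0800
Received: from ebay.com (lore.ebay.com [66.135.195.181])
        by h24-87-101-24.vs.shawcable.net (Postfix) with ESMTP id 5CE7E8F5E3
        for <snip>; Fri, 05 Dec 2003 00:20:20 -0600
Subject: Your billing profile on ebay.com

body
"""

# Assumption: stand-ins for DNS list lookups so the example runs offline.
ALLOWLISTED = {"66.135.195.181"}  # treated as listed by the allowlist test
DYNAMIC = {"24.87.101.24"}        # treated as listed as dynamic/residential
ALLOW_WEIGHT, DYNAMIC_WEIGHT = -10, 8  # hypothetical weights

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def received_ips(raw):
    """Return one IP per Received header, topmost header first.

    Only the topmost line was written by the receiving server; every line
    below it was supplied by the sender and can be forged.
    """
    msg = message_from_string(raw)
    ips = []
    for hdr in msg.get_all("Received", []):
        m = IP_RE.search(hdr)
        if m:
            ips.append(m.group(1))
    return ips

def score(raw, allow_all_hops):
    """Sum test weights; lower totals make delivery more likely."""
    ips = received_ips(raw)
    if not ips:
        return 0
    connecting = ips[0]
    total = DYNAMIC_WEIGHT if connecting in DYNAMIC else 0
    # The allowlist is checked against all hops, or the connecting IP only.
    candidates = ips if allow_all_hops else [connecting]
    if any(ip in ALLOWLISTED for ip in candidates):
        total += ALLOW_WEIGHT
    return total
```

With the allowlist applied to every hop, the forged lore.ebay.com line cancels the weight earned by the residential connecting address; restricted to the connecting IP, the forged line has no effect on the score.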
