Kami,

If you're asking for a foolproof way to add a lot of points for randomized TLDs, then I don't think it can be done reliably with a lot of weight. You have to hit this from every end possible, and this is where custom filters come in. I can't think of current functionality that would allow for something more accurate though that could manage three pieces of data in the way that you are looking for.

I don't think that's a total loss though. DYNAMIC, FOREIGN, TLD-EASTERNEUROPEAN, TLD-MIDDLEEASTERN would all hit this just based on the 3 pieces of information that I can see here. On my system, that would be 90% of my hold weight, which isn't bad for just the HELO, MAILFROM and REVDNS. I'm not sure that you would want to add more points than that though because it's quite possible for all three things to have different TLDs, though less common that they are three different gTLDs. I separated out the TLD filters by region so that I could pick up on this stuff. You could potentially split them into 250 or so different files which would allow for you to catch all three :) Not very realistic though. I'm sure that functionality will be improved over time that will allow for a more exact test without the kludge of filters, but we've made a ton of progress in this department if you ask me.

Maybe there are some other custom filters that could help with spammy body content or other things involving the headers. Most of the stuff that randomizes like this is from a zombie, and there's always something else going on there. Post the full message and let's tear it apart :)

Matt



Kami Razvan wrote:

Hi;
There has to be a way to identify this without much overhead..
==================================================================
X-Note: Spam Score: 26 [BLOCKED ON 20+ & DELETED ON 60+]
X-Note: Scan Time: 13:21:32 on 01/07/2004
X-Note: Spool File: D4e220fc7018c094f.SMD
X-Note: Server Name: skrzynka.pl
X-Note: SMTP Sender: [EMAIL PROTECTED] <mailto:[EMAIL PROTECTED]>
X-Note: Reverse DNS & IP: cbl62-0-175-24.bb.netvision.net.il [62.0.175.24]
X-Note: Recipient(s): *************
X-Note: Country Chain: ISRAEL->destination
X-Note: ==================================================================
X-Note: This E-mail was scanned & filtered by Declude [1.77i12] for SPAM & virus.
this is borderline (weight 26) - this email has not failed a single IP4R test.
Reverse DNS is IL, email ends with .ch and the HELO is .pl
What are the chances for this? How can a legal email have so much existential crisis?
Matt's TLD test gives this weight but there has to be a faster test to pick this up..
Regards,
Kami



--- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail".  The archives can be found
at http://www.mail-archive.com.
