Thanks, Andrew- That follows the pattern I often use with whitelisting... It reinforces the power of tools we have at our disposal and the care with which we need to use them.
i.e.: "sex" matches a lot of common place names like middlesex and essex.

-d

----- Original Message -----
From: "Colbeck, Andrew" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Friday, April 16, 2004 4:16 AM
Subject: RE: [Declude.JunkMail] why does this fail the spam domains test?

> Dave, allow me to butt in here with the late night reply and say yes, your
> interpretation is exactly right for all 3 of your examples.
>
> And let me also add that clarity certainly does help, for example I saw a
> weird false positive and chuckled over it.
>
> I had a sd.txt that listed:
>
> mac.com apple.com
>
> The false positive occurred when a message from [EMAIL PROTECTED] didn't
> have a suitable revdns, and certainly didn't match apple.com either! So now
> I have:
>
> .mac.com apple.com
> @mac.com apple.com
>
> Andrew 8)
>
> -----Original Message-----
> From: Dave Doherty [mailto:[EMAIL PROTECTED]
> Sent: Friday, April 16, 2004 12:15 AM
> To: [EMAIL PROTECTED]
> Subject: Re: [Declude.JunkMail] why does this fail the spam domains test?
>
> Hi Matt-
>
> Thanks for the explanation. Let me feed back to you what I think you said.
>
> yahoo.com
> would require that all possible REVDNS entries contain "yahoo.com" so a
> message would pass the test if the REVDNS of its originating IP was
> abc.yahoo.com, abcyahoo.com or abc.yahoo.com.hk, but not yahoo.ca
>
> @yahoo.com yahoo.com
> would require that all possible REVDNS entries end in "yahoo.com" so a
> message would pass the test if the REVDNS of its originating IP was
> abc.yahoo.com or abcyahoo.com, but not abc.yahoo.com.hk, or yahoo.ca
>
> .yahoo.com yahoo.com
> would require that all possible REVDNS entries end in ".yahoo.com" so a
> message would pass the test if the REVDNS of its originating IP was
> abc.yahoo.com but not abc.yahoo.com.hk or yahoo.ca
>
> Is this right?
>
> -d
>
> ----- Original Message -----
> From: Matt
> To: [EMAIL PROTECTED]
> Sent: Friday, April 16, 2004 1:46 AM
> Subject: Re: [Declude.JunkMail] why does this fail the spam domains test?
>
> Dave,
>
> It works like two different CONTAINS filters.
>
> It takes the value in the first column, and if the MAILFROM contains the
> string, then it checks both columns against the REVDNS entry to see if
> either one matches. Since the first column has an @ symbol in it, that will
> never match, and the only possible match would be in the second column as a
> REVDNS CONTAINS type of match.
>
> If you only have one entry per line, then both the MAILFROM and REVDNS will
> need to contain that string.
>
> Using an @ symbol in the first column isn't a requirement, and it's only
> appropriate for domains with one possible REVDNS value since the first
> column can't match leaving only one string to match on. The reason for
> putting it in there is because of some uses of VERP which can include
> addresses within the MAILFROM before the @ symbol, especially with domains
> like att.net which allow for forwarding. It also prevents matches on
> partial domains from occurring, though that would generally be rare. I opt
> to use the @ symbol in the first column when I only know of one legit REVDNS
> domain, and I leave it off when there are two, and I omit the domain from
> the list when there are three or more possible REVDNS matches.
>
> Hope this helps.
>
> Matt
>
> Dave Doherty wrote:
>
> Scott-
>
> I think that I may misunderstand SPAMDOMAINS.
>
> From the manual:
>
> This test will catch E-mail that is not coming from a mailserver that it
> should be coming from. This test will only work if you set up a file listing
> domains that you wish to be included in this test. Specifically, it will
> check the return address of the E-mail, and then check to see if the reverse
> DNS entry of the IP that the E-mail was sent from contains the domain name.
> If not, the E-mail fails the test. For example, if "hotmail.com" is listed
> in the \IMail\Declude\spamdomains.txt file, then an E-mail coming from
> "law2.hotmail.com" would not fail the test, but an E-mail from
> "mail.example.ru" would fail the test.
>
> Taking the lead from that description, my SPAMDOMAINS file consists of a
> simple list of domains, one to a line, like this:
>
> ebay.com
> aol.com
>
> Yet every example I have seen on this subject the past few days shows two
> domains per line like this:
>
> @juno.com .untd.com
>
> How is this supposed to work?
>
> -Dave
>
> ----- Original Message -----
> From: "R. Scott Perry" <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Sent: Thursday, April 15, 2004 4:42 PM
> Subject: Re: [Declude.JunkMail] why does this fail the spam domains test?
>
> > Can anyone explain why this message would fail the spamdomains test?
> >
> > Here is the spamdomains entry:
> > @juno.com .untd.com
>
> The key here is the reverse DNS entry -- do you have the full headers for
> the E-mail? Although the IMail log file shows the IP address, it is
> possible that Declude JunkMail may have used a different IP, which would be
> reflected in the headers.
>
> -Scott
> ---
> Declude JunkMail: The advanced anti-spam solution for IMail mailservers
> since 2000.
> Declude Virus: Ultra reliable virus detection and the leader in mailserver
> vulnerability detection.
> Find out what you've been missing: Ask for a free 30-day evaluation.
>
> ---
> [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]
>
> ---
> This E-mail came from the Declude.JunkMail mailing list. To
> unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
> type "unsubscribe Declude.JunkMail". The archives can be found
> at http://www.mail-archive.com.
>
> --
> =====================================================
> MailPure custom filters for Declude JunkMail Pro.
> http://www.mailpure.com/software/
> =====================================================
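
The matching Matt describes in this thread, and the false positives that a leading "@" or "." is there to avoid, sketched in Python as an added example (not part of the original messages and not Declude's own code). It assumes plain case-insensitive substring matching and that one applicable line with no REVDNS match is enough to fail a message; the sample addresses and hostnames are constructed.

```python
# Added illustration: models the SPAMDOMAINS matching as described in this
# thread (case-insensitive substring tests). It is not Declude's own code.

def parse_rules(text):
    """One rule per non-empty line; columns are whitespace-separated."""
    return [line.lower().split() for line in text.splitlines() if line.strip()]

def check(rules, mailfrom, revdns):
    """Return None when no rule applies, otherwise "PASS" or "FAIL".

    A rule applies when MAILFROM contains its first column. It is satisfied
    when REVDNS contains any column of that line. Assumption: if several
    rules apply, a single unsatisfied one fails the message.
    """
    mailfrom, revdns = mailfrom.lower(), revdns.lower()
    verdict = None
    for cols in rules:
        if cols[0] not in mailfrom:
            continue                      # rule does not apply to this sender
        if not any(c in revdns for c in cols):
            return "FAIL"                 # sender domain claimed, REVDNS disagrees
        verdict = "PASS"
    return verdict

# The same entries without and with the leading "@" / "." from the thread.
LOOSE = parse_rules("mac.com apple.com\njuno.com .untd.com\n")
ANCHORED = parse_rules(
    ".mac.com apple.com\n@mac.com apple.com\n@juno.com .untd.com\n")

# Constructed (MAILFROM, REVDNS) pairs; none are taken from real mail.
SAMPLES = [
    ("alice@tarmac.com.example", "host-12.isp.example"),        # "mac.com" inside another name
    ("bounce-bob=juno.com@lists.example", "mx.lists.example"),  # VERP-style return path
    ("carol@juno.com", "outbound.untd.com"),                    # expected REVDNS
    ("carol@juno.com", "mail.example.ru"),                      # unexpected REVDNS
]

def compare():
    """Verdict of each sample under the loose and the anchored rule sets."""
    return [(check(LOOSE, m, r), check(ANCHORED, m, r)) for m, r in SAMPLES]

if __name__ == "__main__":
    for (m, r), (loose, anchored) in zip(SAMPLES, compare()):
        print(f"{m:36} {r:22} loose={loose} anchored={anchored}")
```

The first two samples fail only under the unanchored entries, because the first column matches text that is not the sender's actual domain; the last two behave the same under both rule sets.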
