I have a few suggestions that you might want to consider.
The first one would be to skip processing of the message and just have Declude pass off the HELO as an argument to your script. This can be done with %HELO%. This will speed processing and ensure that the HELO comes in the proper context. Declude can be configured for IPBYPASS settings which are used to skip over gateway mail servers and forwarding servers so that you have the HELO of the computer that is actually sending the E-mail.
Combining both of your tests into one program instead of two would also be useful. You can use any code over 10 for this. Declude also will only call the script once if the command is the same, and it will determine which test would be failed based on the result code that is returned.
The last thing that I'm not very clear about is the logic of the detection. I have a custom filter called DYNAMIC listed in the beta section of my site (http://www.mailpure.com/software/decludefilters/beta/) that does something similar for reverse DNS entries. I found from testing and according to the capabilities of the environment that using values below 20, i.e. -20- or .20., would produce false positives similar to the one that Serge just pointed out. It's extremely unlikely that you would miss detecting a zombie using the reverse DNS entry as the HELO if you ignored hits below 20 because there aren't many ISP class A's in use below that level (I think just IBM), and you have 4 chances to hit a number above 20.
The pattern that you identified is of course a very nice addition to spam fighting. Thanks!
Matt
Bud Durland wrote:
I am testing a small external test program. A message fails the test if there is a discernible IP address in the HELO entry of the message.
The new test is available for download from http://bud.thedurlands.com.
--
=====================================================
MailPure custom filters for Declude JunkMail Pro.
http://www.mailpure.com/software/
=====================================================
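The following is an added illustration of the combined test Matt describes, written here for this page; it is not Bud's program and not the MailPure DYNAMIC filter. It assumes Declude hands the HELO string to the script as its first argument via %HELO%, and it uses two hypothetical fail codes (11 for a bare or bracketed IPv4 literal, 12 for four dash- or dot-separated octets such as a dynamic reverse-DNS name), both above 10 so a single invocation can serve both tests. The "ignore hits below 20" rule is implemented as: a four-octet run only counts if at least one of its octets is 20 or higher, which is one reading of the post's reasoning about the four chances to hit a number above 20.

```python
#!/usr/bin/env python3
"""Hypothetical Declude external test for IP-like patterns in the HELO.

Exit codes (assumed for this example, not Declude-defined):
  0  -> message passes
  11 -> HELO is an IPv4 literal, e.g. "[203.0.113.5]" or "10.0.0.1"
  12 -> HELO embeds four octet-like numbers, e.g. "adsl-68-45-12-200.example.net"
Declude treats any code above 10 as a failure, per the thread.
"""
import re
import sys

# A dotted quad anywhere in the string, with no digit immediately before or after.
IPV4_LITERAL = re.compile(
    r'(?<![0-9])(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})(?![0-9])')
# Four octet-sized numbers separated by '-' or '.', the shape most dynamic
# reverse-DNS names take (c-24-2-17-99..., adsl-68-45-12-200...).
OCTET_RUN = re.compile(
    r'(?<![0-9])(\d{1,3})[-.](\d{1,3})[-.](\d{1,3})[-.](\d{1,3})(?![0-9])')

PASS = 0
FAIL_IP_LITERAL = 11          # hypothetical code
FAIL_DYNAMIC_PATTERN = 12     # hypothetical code
MIN_OCTET = 20                # Matt's threshold: ignore hits below 20


def valid_octets(groups):
    """True if every captured number fits in an IPv4 octet."""
    return all(0 <= int(g) <= 255 for g in groups)


def classify_helo(helo):
    """Return the Declude result code for one HELO string."""
    helo = helo.strip().strip('[]')   # address literals arrive as [a.b.c.d]
    m = IPV4_LITERAL.search(helo)
    if m and valid_octets(m.groups()):
        return FAIL_IP_LITERAL
    for m in OCTET_RUN.finditer(helo):
        if not valid_octets(m.groups()):
            continue                  # e.g. "300-1-1-1" cannot be an address
        # Apply the below-20 rule: a run of small numbers such as
        # "host-1-2-3-4" is more likely a naming scheme than an IP.
        if any(int(g) >= MIN_OCTET for g in m.groups()):
            return FAIL_DYNAMIC_PATTERN
    return PASS


if __name__ == "__main__":
    # Declude passes the HELO as argv[1] via %HELO% (assumed invocation).
    helo_arg = sys.argv[1] if len(sys.argv) > 1 else ""
    sys.exit(classify_helo(helo_arg))
```

Because the script exits with the code rather than printing it, the same program can back two Declude test lines that differ only in the code they look for; a HELO of mail.example.com returns 0, host-1-2-3-4.example.org also returns 0 under the threshold rule, and adsl-68-45-12-200.example.net returns 12.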
---
This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com.
