Matt wrote:

I have a few suggestions that you might want to consider.

The first one would be to skip processing of the message and just have Declude pass off the HELO as an argument to your script. This can be done with %HELO%. This will speed processing and ensure that the HELO comes in the proper context. Declude can be configured for IPBYPASS settings which are used to skip over gateway mail servers and forwarding servers so that you have the HELO of the computer that is actually sending the E-mail.


That's a great idea! Not sure why I didn't think of that in the initial implementation.


Combining both of your tests into one program instead of two would also be useful. You can use any code over 10 for this. Declude also will only call the script once if the command is the same, and it will determine which test would be failed based on the result code that is returned.


For a non-zero test, I thought any non-zero result evaluates the same. I have considered configuring it to take a parameter to determine if the "X" test should be used.


The last thing that I'm not very clear about is the logic of the detection.


Fairly straightforward: for HELOISIP, convert dashes ("-") to dots ("."), strip out anything that's not a number or a dot, and see if there are 4 octets of numbers <= 255. I'm not sure why Serge's example failed; I'll test later today. It is possible that there would be a FP from a host name like "host11.rack2.location3.bldg4.example.com". His example ("alias-1.c10-ave-mta1.cnet.com") should have become "1.10.1", and not failed the test -- only 3 numbers.

The HELOISIPX test only does the last step -- no tinkering with the content first.

I have a custom filter called DYNAMIC listed in the beta section of my site


Unfortunately, I don't have JM pro, so...

It's extremely unlikely that you would miss detecting a zombie using the reverse DNS entry as the HELO if you ignored hits below 20 because there aren't many ISP class A's in use below that level (I think just IBM), and you have 4 chances to hit a number above 20.


You're right, although AT&T is in there as well, and they have a few internet customers, I think.


The pattern that you identified is of course a very nice addition to spam fighting. Thanks!


We all try to do our part; thanks for the kind words and good suggestions!



--
-------------------------------------------------------------------
illigitimi non carborundum
-------------------------------------------------------------------
Bud Durland, CNE                                 Mold-Rite Plastics
Network Administrator                         http://www.mrpcap.com
-------------------------------------------------------------------
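The detection logic described in the thread (HELOISIP normalisation followed by the dotted-quad check, HELOISIPX as the bare check, and Matt's suggestions of one script fed %HELO% with result codes over 10 and of ignoring first octets below 20), written out as an added example. This is not Bud's script; the result code values, the min_first_octet option and the sample HELO strings are constructed for illustration.

```python
import re
import sys

# Result codes are constructed for this example: Declude accepts any code over
# 10 from an external test and maps each code to a test name in its config.
CODE_PASS = 0
CODE_HELOISIPX = 11  # raw HELO is a bare dotted-quad
CODE_HELOISIP = 12   # HELO reduces to a dotted-quad after normalisation


def is_dotted_quad(text, min_first_octet=0):
    """The 'last step': split on dots, drop empty fields, and require exactly
    four all-digit fields no larger than 255.  min_first_octet (off when 0)
    implements Matt's idea of ignoring hits whose first octet is below 20."""
    fields = [f for f in text.split(".") if f]
    if len(fields) != 4 or not all(f.isdigit() and int(f) <= 255 for f in fields):
        return False
    return int(fields[0]) >= min_first_octet


def normalize_helo(helo):
    """HELOISIP pre-processing: dashes become dots, then everything that is
    not a digit or a dot is stripped."""
    return re.sub(r"[^0-9.]", "", helo.replace("-", "."))


def heloisipx(helo):
    """HELOISIPX: test the HELO exactly as given, no tinkering first."""
    return is_dotted_quad(helo)


def heloisip(helo, min_first_octet=0):
    """HELOISIP: normalise first, then run the dotted-quad check."""
    return is_dotted_quad(normalize_helo(helo), min_first_octet)


def declude_result_code(helo, min_first_octet=0):
    """One program for both tests: the code tells Declude which one failed."""
    if heloisipx(helo):
        return CODE_HELOISIPX
    if heloisip(helo, min_first_octet):
        return CODE_HELOISIP
    return CODE_PASS


if __name__ == "__main__":
    # Declude hands the HELO to the script as %HELO%; the exit code is the result.
    sys.exit(declude_result_code(sys.argv[1] if len(sys.argv) > 1 else ""))
```

Serge's example reduces to ".1.10..1.." (three numbers, so no hit), while the "host11.rack2.location3.bldg4" style name Bud worried about does trip HELOISIP unless the first-octet threshold is turned on.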

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail".  The archives can be found
at http://www.mail-archive.com.