Gotcha... just after I mentioned it I saw a couple of industry newsletters that had an IP address for HELO. They're obviously poor mailers, but our customers want to see them, so we must oblige. Ahhhh, to be able to be stricter... wouldn't that be the life...<grin>.
Darin.

----- Original Message -----
From: "Kevin Bilbee" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Monday, September 20, 2004 6:36 PM
Subject: RE: [Declude.JunkMail] Idea

Agreed, I would never delete on the one test (except my personal black list); I would weight the email.

A reverse DNS entry should never return an IP address. If the HELO is an IP it should be in the form of [a.b.c.d], from my understanding. But if I reverse a.b.c.d I should not get a.b.c.d, I should get host.example.com.

If they do not want to follow standards that is fine, but I am going to add weight to their email. That is why I run Declude, to weight emails that do not follow standards.

I host corporate email for my primary company and a few sister companies, so I have the ability to be a little stricter, and if I do get a false positive I work with the customer/ISP of our customer to fix what is broken/non-standard.

Kevin Bilbee

> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] Behalf Of Darin Cox
> Sent: Monday, September 20, 2004 3:20 PM
> To: [EMAIL PROTECTED]
> Subject: Re: [Declude.JunkMail] Idea
>
> We've seen some legitimate mailers with an IP for the HELO, which matches
> the reverse DNS. I certainly wouldn't recommend holding, much less
> deleting, on any one test.
>
> Darin.
>
> ----- Original Message -----
> From: "Kevin Bilbee" <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Sent: Monday, September 20, 2004 5:41 PM
> Subject: RE: [Declude.JunkMail] Idea
>
> 99.9% is good enough and better than most RBLs, especially in a weighted
> system. I have modified my code and am going to test for a few days using
> the ROUTETO action to inspect the emails for false positives.
>
> If I find the test acceptable I will post a new version of contains IP
> with documentation.
>
> Thanks to those who have given feedback,
> Kevin Bilbee
>
> > -----Original Message-----
> > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED] Behalf Of Matt
> > Sent: Monday, September 20, 2004 2:20 PM
> > To: [EMAIL PROTECTED]
> > Subject: Re: [Declude.JunkMail] Idea
> >
> > I would say that 99.9% is probably accurate here, and while that's
> > pretty good, it might cause more issues than benefit depending on your
> > system if you added extra weight for this condition. There is
> > unfortunately software out there, or at least configurations that will
> > insert IP's into the reverse DNS entry and also use that as the HELO.
> > For instance, if you name your Windows server with an IP'd entry, that
> > will get used by default in the HELO for MS SMTP if I'm not mistaken.
> > It would only be 99.9% accurate due to the sheer volume of zombie spam
> > however that uses this method, but I believe that there are a measurable
> > number of exceptions that may or may not work in a particular weighting
> > scheme.
> >
> > Matt
> >
> > Colbeck, Andrew wrote:
> >
> > >Kevin, I suspect that you're right, and that 99.9% of the time, your rule
> > >would hold true.
> > >
> > >I would suggest that the IP address in the HELO would have to match the
> > >reverse DNS exactly, though.
> > >
> > >I also think that this observation would also hold true if the HELO is an
> > >IP address and there is no reverse lookup, or the reverse lookup times out.
> > >
> > >I think running that as a test for a while would bear that out; let us know
> > >if you code that up and want to test it on some more systems...
> > >
> > >Andrew 8)
> > >
> > >-----Original Message-----
> > >From: Kevin Bilbee [mailto:[EMAIL PROTECTED]
> > >Sent: Saturday, September 18, 2004 12:09 PM
> > >To: [EMAIL PROTECTED]
> > >Subject: [Declude.JunkMail] Idea
> > >
> > >I was looking through my spam and legitimate email. I have noticed an
> > >interesting thing. When there is an ip address in the hello and the hello
> > >matches the reverse dns then it is always spam. I can not find one example
> > >of a legitimate email that has these properties.
> > >
> > >What do you think???
> > >
> > >I can update my contains ip test to support this type of test also????
> > >
> > >Kevin Bilbee
> > >
> > >---
> > >[This E-mail was scanned for viruses by Declude Virus
> > >(http://www.declude.com)]
> > >
> > >---
> > >This E-mail came from the Declude.JunkMail mailing list. To unsubscribe,
> > >just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe
> > >Declude.JunkMail". The archives can be found at
> > >http://www.mail-archive.com.
>
> --
> =====================================================
> MailPure custom filters for Declude JunkMail Pro.
> http://www.mailpure.com/software/
> =====================================================
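The test discussed in this thread, sketched in Python as an added example (not code from the list, from Kevin's "contains IP" test, or from Declude). The weights and reason names are hypothetical, and the PTR result for the connecting IP is passed in as data, with `None` standing for "no reverse record or lookup timed out", so the sketch runs offline.

```python
import ipaddress

# Hypothetical weights: the thread argues for weighting, never deleting, on one test.
WEIGHTS = {"helo-ip-matches-rdns": 5, "helo-ip-no-rdns": 3, "helo-ip-unbracketed": 1}

def parse_helo_ip(helo):
    """Return (IPv4Address, bracketed) when HELO is an IPv4 address, else None."""
    text = helo.strip()
    bracketed = len(text) > 2 and text[0] == "[" and text[-1] == "]"
    if bracketed:
        text = text[1:-1]
    try:
        return ipaddress.IPv4Address(text), bracketed
    except ValueError:
        return None

def score_helo(helo, ptr):
    """Score one session; ptr is the PTR answer for the connecting IP, or None."""
    parsed = parse_helo_ip(helo)
    if parsed is None:
        return 0, []                      # HELO is a host name: test does not apply
    ip, bracketed = parsed
    reasons = []
    if not bracketed:                     # bare a.b.c.d instead of [a.b.c.d]
        reasons.append("helo-ip-unbracketed")
    if ptr is None:                       # no reverse lookup, or it timed out
        reasons.append("helo-ip-no-rdns")
    else:
        name = ptr.strip().rstrip(".")    # drop the trailing root dot
        try:
            if ipaddress.IPv4Address(name) == ip:   # exact match only
                reasons.append("helo-ip-matches-rdns")
        except ValueError:
            pass                          # PTR is a real host name
    return sum(WEIGHTS[r] for r in reasons), reasons

# Constructed sessions using documentation addresses, not data from the list.
SAMPLES = [
    ("mail.example.com", "mail.example.com."),
    ("[192.0.2.10]", "host.example.com."),
    ("192.0.2.10", "192.0.2.10."),
    ("192.0.2.10", None),
]

if __name__ == "__main__":
    for helo, ptr in SAMPLES:
        print(helo, ptr, score_helo(helo, ptr))
```

Because some legitimate mailers do send an IP as HELO with matching reverse DNS, the returned weight is meant to be added to a message's total score alongside other tests, not used as a hold or delete decision on its own.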
