Correct me if I am wrong here, but wouldn't an email sent from a cell phone or PDA cause this behavior as well?

---
Danny Spence

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kevin Bilbee
Sent: Monday, September 20, 2004 6:36 PM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.JunkMail] Idea

Agreed, I would never delete on the one test (except my personal black list); I would weight the email.

A reverse DNS entry should never return an IP address. If the HELO is an IP it should be in the form of [a.b.c.d] from my understanding. But if I reverse a.b.c.d I should not get a.b.c.d, I should get host.example.com. If they do not want to follow standards that is fine, but I am going to add weight to their email. That is why I run Declude, to weight emails that do not follow standards.

I host corporate email for my primary company and a few sister companies so I have the ability to be a little stricter, and if I do get a false positive I work with the customer/ISP of our customer to fix what is broken/non-standard.

Kevin Bilbee

> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] Behalf Of Darin Cox
> Sent: Monday, September 20, 2004 3:20 PM
> To: [EMAIL PROTECTED]
> Subject: Re: [Declude.JunkMail] Idea
>
> We've seen some legitimate mailers with an IP for the HELO, which matches
> the reverse DNS. I certainly wouldn't recommend holding, much less
> deleting, on any one test.
>
> Darin.
>
> ----- Original Message -----
> From: "Kevin Bilbee" <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Sent: Monday, September 20, 2004 5:41 PM
> Subject: RE: [Declude.JunkMail] Idea
>
> 99.9% is good enough and better than most RBLs, especially in a weighted
> system. I have modified my code and am going to test for a few days using
> the ROUTETO action to inspect the emails for false positives.
>
> If I find the test acceptable I will post a new version of contains IP with
> documentation.
>
> Thanks to those who have given feedback,
> Kevin Bilbee
>
> > -----Original Message-----
> > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED] Behalf Of Matt
> > Sent: Monday, September 20, 2004 2:20 PM
> > To: [EMAIL PROTECTED]
> > Subject: Re: [Declude.JunkMail] Idea
> >
> > I would say that 99.9% is probably accurate here, and while that's
> > pretty good, it might cause more issues than benefit depending on your
> > system if you added extra weight for this condition. There is
> > unfortunately software out there, or at least configurations, that will
> > insert IPs into the reverse DNS entry and also use that as the HELO.
> > For instance, if you name your Windows server with an IP'd entry, that
> > will get used by default in the HELO for MS SMTP if I'm not mistaken.
> > It would only be 99.9% accurate due to the sheer volume of zombie spam
> > however that uses this method, but I believe that there are a measurable
> > number of exceptions that may or may not work in a particular weighting
> > scheme.
> >
> > Matt
> >
> > Colbeck, Andrew wrote:
> >
> > >Kevin, I suspect that you're right, and that 99.9% of the time, your rule
> > >would hold true.
> > >
> > >I would suggest that the IP address in the HELO would have to match the
> > >reverse DNS exactly, though.
> > >
> > >I also think that this observation would also hold true if the HELO is an
> > >IP address and there is no reverse lookup, or the reverse lookup times out.
> > >
> > >I think running that as a test for a while would bear that out; let us know
> > >if you code that up and want to test it on some more systems...
> > >
> > >Andrew 8)
> > >
> > >-----Original Message-----
> > >From: Kevin Bilbee [mailto:[EMAIL PROTECTED]
> > >Sent: Saturday, September 18, 2004 12:09 PM
> > >To: [EMAIL PROTECTED]
> > >Subject: [Declude.JunkMail] Idea
> > >
> > >I was looking through my spams and legitimate email. I have noticed an
> > >interesting thing. When there is an IP address in the hello and the hello
> > >matches the reverse DNS then it is always spam. I cannot find one example
> > >of a legitimate email that has these properties.
> > >
> > >What do you think???
> > >
> > >I can update my contains IP test to support this type of test also????
> > >
> > >Kevin Bilbee
> > >
> > >---
> > >[This E-mail was scanned for viruses by Declude Virus
> > >(http://www.declude.com)]
> > >
> > >---
> > >This E-mail came from the Declude.JunkMail mailing list. To unsubscribe,
> > >just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe
> > >Declude.JunkMail". The archives can be found at
> > >http://www.mail-archive.com.
> >
> > --
> > =====================================================
> > MailPure custom filters for Declude JunkMail Pro.
> > http://www.mailpure.com/software/
> > =====================================================
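
Added example, not part of the original thread and not Declude's or any poster's code: a weighted version of the test discussed above, covering the exact-match condition, the missing or timed-out reverse lookup, and the [a.b.c.d] literal form. The function names, reason labels and weight values are assumptions chosen for illustration, the sample connections are constructed, and the PTR answer is passed in so nothing is looked up on the network.

```python
import ipaddress

# Illustrative weights only (assumptions, not Declude defaults).
W_MATCHES_RDNS = 10  # HELO is an IP and the PTR answer is that same IP
W_NO_RDNS = 8        # HELO is an IP and the PTR lookup was empty or timed out
W_BARE_IP = 2        # HELO is an IP written without the [a.b.c.d] brackets


def parse_helo_ip(helo):
    """Return (address, bracketed) when HELO is an IPv4 address, else (None, False)."""
    text = helo.strip()
    bracketed = len(text) > 2 and text[0] == "[" and text[-1] == "]"
    if bracketed:
        text = text[1:-1]
    try:
        return ipaddress.IPv4Address(text), bracketed
    except ipaddress.AddressValueError:
        return None, False


def helo_rdns_weight(helo, ptr_name):
    """Weight one connection; ptr_name is the PTR answer for the connecting
    IP, or None when the lookup returned nothing or timed out."""
    addr, bracketed = parse_helo_ip(helo)
    if addr is None:
        return 0, []  # hostname HELO: this test does not apply
    weight, reasons = 0, []
    if not bracketed:
        weight += W_BARE_IP
        reasons.append("bare-ip-helo")
    if ptr_name is None:
        weight += W_NO_RDNS
        reasons.append("helo-ip-no-rdns")
        return weight, reasons
    # Exact match only: the PTR answer must itself be the same address,
    # not merely a hostname that embeds it.
    ptr_addr, _ = parse_helo_ip(ptr_name.rstrip("."))
    if ptr_addr == addr:
        weight += W_MATCHES_RDNS
        reasons.append("helo-ip-equals-rdns")
    return weight, reasons


# Constructed sample connections: (HELO argument, PTR answer or None).
SAMPLES = [
    ("192.0.2.10", "192.0.2.10."),
    ("[192.0.2.10]", "mail.example.com."),
    ("[192.0.2.10]", None),
    ("192.0.2.10", "192-0-2-10.dsl.example.net."),
]

if __name__ == "__main__":
    for helo, ptr in SAMPLES:
        print(helo, ptr, helo_rdns_weight(helo, ptr))
```

The result is a weight to add to a message's running total, in line with the thread's point that no single test should hold or delete mail on its own.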
