Wow, that's the first time I have seen something like that. I would probably list all of those domains after I made sure I wasn't too aggressive on why they were caught in the first place.

Darrell
-------------------------------------------
Check out http://www.invariantsystems.com for utilities for Declude And Imail. IMail/Declude Overflow Queue Monitoring, SURBL/URI integration, MRTG Integration, and Log Parsers.

----- Original Message -----
From: "Goran Jovanovic" <[EMAIL PROTECTED]>
To: <[email protected]>
Sent: Saturday, February 12, 2005 5:48 PM
Subject: RE: [Declude.JunkMail] Thoughts on Filtering/Whitelisting

Darrel,

Check out the pointer records for ScotiaCapital.com. This is where I get the mail from

Answer:
199.188.32.23 PTR record: mail2.sdbi.com. [TTL 86400s] [A=199.188.32.23]
199.188.32.23 PTR record: mail2.sdbi.ca. [TTL 86400s] [BAD: No A record]
199.188.32.23 PTR record: mail.scotiacapital.com. [TTL 86400s] [A=199.188.32.23, 199.188.32.22]
199.188.32.23 PTR record: mail2.scotiacapital.com. [TTL 86400s] [A=199.188.32.23]
199.188.32.23 PTR record: mail2.scotiacapital.co.uk. [TTL 86400s] [A=199.188.32.23]
199.188.32.23 PTR record: mail2.scotiacapital.net. [TTL 86400s] [A=199.188.32.23]
199.188.32.23 PTR record: mail2.scotiacapital.org. [TTL 86400s] [A=199.188.32.23]
199.188.32.23 PTR record: mail2.scotiacapital.ca. [TTL 86400s] [A=199.188.32.23]
199.188.32.23 PTR record: mail.scotiacapitaux.com. [TTL 86400s] [A=199.188.32.23, 199.188.32.22]
199.188.32.23 PTR record: mail2.scotiacapitaux.com. [TTL 86400s] [A=199.188.32.23]
199.188.32.23 PTR record: mail.scotiacapitaux.ca. [TTL 86400s] [A=199.188.32.22, 199.188.32.23]
199.188.32.23 PTR record: mail2.scotiacapitaux.ca. [TTL 86400s] [A=199.188.32.23]

What would you do here? List them all? This is a pain!

Goran Jovanovic
The LAN Shoppe
2345 Yonge Street, Suite 302
Toronto, Ontario M4P 2E5
Phone: (416) 440-1167 x-2113
Cell: (416) 931-0688
E-Mail: [EMAIL PROTECTED]

> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:Declude.JunkMail-[EMAIL PROTECTED] On Behalf Of Darrell ([EMAIL PROTECTED])
> Sent: Saturday, February 12, 2005 4:45 PM
> To: [email protected]
> Subject: Re: [Declude.JunkMail] Thoughts on Filtering/Whitelisting
>
> Goran,
>
> I actually use reverse dns filters to address stuff like this. It allows them (remote domain) to move to new IP addresses and as long as they keep up their PTR we are all set.
>
> REVDNS -30 ENDSWITH .ipswitch.com
>
> Darrell
>
> -------------------------------------------
> Check out http://www.invariantsystems.com for utilities for Declude And Imail. IMail/Declude Overflow Queue Monitoring, SURBL/URI integration, MRTG Integration, and Log Parsers.
>
> ----- Original Message -----
> From: "Goran Jovanovic" <[EMAIL PROTECTED]>
> To: <[email protected]>
> Sent: Saturday, February 12, 2005 4:11 PM
> Subject: [Declude.JunkMail] Thoughts on Filtering/Whitelisting
>
> Hi all,
>
> I have a Nigerian SCAM filter (from Kami) which has a test for
>
> solicitation of an offer
>
> and weights it at 20.
>
> Now it turns out that Scotia Capital has a disclaimer on all their outgoing e-mail with that phrase in it. So I see that I have a couple of options and I am not really sure what would be best.
>
> 1) I could remove the phrase from the Nigerian filter. This would solve the Scotia Capital problem but perhaps let through Nigerian scam letters.
>
> 2) Leave the filter in but credit a HELO -20 CONTAINS ScotiaCapital.com
>
> 3) Create a global whitelist that all my domains would look at and put @ScotiaCapital.com in the whitelist file. Obviously this would open my domains up to spoofed e-mail/spam
>
> 4) I suppose I could whitelist the IP address but that would leave me managing IP addresses and if they changed then my whitelisting would break.
>
> I would be tempted to implement #1 as it is simple but I could let unknown amounts of SPAM through based on that phrase.
>
> #2 looks good and this process could be extended to other domains that are mis-configured and fail HELOBOGUS etc.
>
> #3 will allow me to start applying "whitelist" requests from one domain to all domains if they are legitimate requests. There is a government list that already is in 2 domain's whitelists as both are accountants.
>
> #4 is not very appealing to me as the IP can change at any time
>
> So does anyone have another way to do this or would you pick options 1, 2, 3, or 4 and why.
>
> Thanx
>
> Goran Jovanovic
> The LAN Shoppe
>
> ---
> [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]
>
> ---
> This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com.
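
Added example, not part of the original thread and not Declude's own logic: a Python sketch that parses the PTR listing quoted in Goran's message, keeps only the names whose A records point back at 199.188.32.23, and emits one line per domain in the shape of Darrell's REVDNS -30 ENDSWITH line. The function names and the one-entry two-label suffix set are assumptions made for this example.

```python
import re

# PTR lookup output for 199.188.32.23, copied from the message quoted in this thread.
LISTING = """\
199.188.32.23 PTR record: mail2.sdbi.com. [TTL 86400s] [A=199.188.32.23]
199.188.32.23 PTR record: mail2.sdbi.ca. [TTL 86400s] [BAD: No A record]
199.188.32.23 PTR record: mail.scotiacapital.com. [TTL 86400s] [A=199.188.32.23, 199.188.32.22]
199.188.32.23 PTR record: mail2.scotiacapital.com. [TTL 86400s] [A=199.188.32.23]
199.188.32.23 PTR record: mail2.scotiacapital.co.uk. [TTL 86400s] [A=199.188.32.23]
199.188.32.23 PTR record: mail2.scotiacapital.net. [TTL 86400s] [A=199.188.32.23]
199.188.32.23 PTR record: mail2.scotiacapital.org. [TTL 86400s] [A=199.188.32.23]
199.188.32.23 PTR record: mail2.scotiacapital.ca. [TTL 86400s] [A=199.188.32.23]
199.188.32.23 PTR record: mail.scotiacapitaux.com. [TTL 86400s] [A=199.188.32.23, 199.188.32.22]
199.188.32.23 PTR record: mail2.scotiacapitaux.com. [TTL 86400s] [A=199.188.32.23]
199.188.32.23 PTR record: mail.scotiacapitaux.ca. [TTL 86400s] [A=199.188.32.22, 199.188.32.23]
199.188.32.23 PTR record: mail2.scotiacapitaux.ca. [TTL 86400s] [A=199.188.32.23]
"""

ROW = re.compile(r"^(\S+) PTR record: (\S+?)\. \[TTL \d+s\] \[(.*)\]$")
# Assumption: tiny stand-in for a public-suffix list, enough for the names above.
TWO_LABEL_SUFFIXES = {"co.uk"}

def parse(listing):
    """Return (ip, ptr_name, forward_A_set) per row; 'BAD' rows get an empty set."""
    rows = []
    for line in listing.splitlines():
        m = ROW.match(line.strip())
        if m:
            ip, name, detail = m.groups()
            addrs = set(detail[2:].split(", ")) if detail.startswith("A=") else set()
            rows.append((ip, name.lower(), addrs))
    return rows

def registered_domain(name):
    """Last two labels, or three when the name ends in a known two-label suffix."""
    labels = name.split(".")
    keep = 3 if ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES else 2
    return ".".join(labels[-keep:])

def revdns_lines(listing, weight=-30):
    """One ENDSWITH line per domain whose PTR name resolves back to the sending IP."""
    rows = parse(listing)
    confirmed = sorted({registered_domain(n) for ip, n, a in rows if ip in a})
    rejected = sorted(n for ip, n, a in rows if ip not in a)
    return [f"REVDNS {weight} ENDSWITH .{d}" for d in confirmed], rejected

if __name__ == "__main__":
    lines, rejected = revdns_lines(LISTING)
    print("\n".join(lines + [f"# left out, no forward match: {rejected}"]))
```

mail2.sdbi.ca is left out because the listing shows no A record for it, while sdbi.com is still listed because mail2.sdbi.com resolves back to the sending address.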
