I've also struggled with what I call the technical tests (helobogus, badheaders,
cmdspace, spamheaders).
They indicate to me that something is technically wrong with an email, but
really don't indicate that the email's content is spam. More likely to be
spam yes. Solidly spam, no.
The bad news for me is they seem to tend to fire together in groups on
poorly configured mail servers, dragging the weight of those emails up.
Over time, I've adjusted the scores of these tests downward.
helobogus: I weight at 10 on a subject tag scale at 100. It is positive on 11% of
my total email. It is a false positive on 6% of my total email. Wrong 6% of
the time!
badheaders: I weight at 30 on a subject tag scale at 100. It is positive on
14% of my total email. It is a false positive on 1% of my total email.
spamheaders: I weight at 40 on a subject tag scale at 100. It is positive on
18% of my total email. It is a false positive on 2% of my total email.
cmdspace: I weight at 40 on a subject tag scale at 100. It is positive on
28% of my total email. It is a false positive on 1% of my total email. This
test is effective and I use this in combo with sniffer and uribl tests to
drag middle weighted spam to a higher weight.
I've contemplated putting these together in a technical test filter where I
could apply a maxweight.
----- Original Message -----
From: "Goran Jovanovic" <[EMAIL PROTECTED]>
To: <[email protected]>
Sent: Thursday, September 08, 2005 10:32 AM
Subject: [Declude.JunkMail] How to credit a domain
Hi all,
I get messages like this all the time and I am always in a dilemma on
what to do about them. This is a legit mail that scored 10 (where I
start tagging mail).
-------------------------------------------------------------------------
Received: from mx.dstsystems.com [204.167.177.68] by
mail1.gonetworks.net with ESMTP (SMTPD32-8.13) id AAD8195300F2; Wed, 07
Sep 2005 15:09:12 -0400
X-RBL-Warning: HELOBOGUS: Domain mx.dstsystems.com has no MX or A
records [0301].
X-Declude-Sender: [EMAIL PROTECTED] [204.167.177.68]
X-Note: Reverse DNS: Sent from dstsys-cp.dstsystems.com
([204.167.177.68]).
X-Note: Tests Failed: CMDSPACE [8], HELOBOGUS [5], NOLEGITCONTENT [0],
SIZE-S [0]
-------------------------------------------------------------------------
So this mail came from domain dstsystems.com on the IP 204.167.177.68
but it is from domain ifdsgroup.com. Now my preferred method of dealing
with this type of problem is to credit based on REVDNS. Again in this
case there is a good REVDNS but it is not from the same domain as the
MAILFROM (if it was then I would have no problem in crediting the
REVDNS).
So is there a way to figure out if dstsystems.com is an e-mail hosting
company? In that case I would not want to credit the REVDNS, as I do not know
what other domains they host.
If I cannot figure out the link then I would not credit REVDNS and would
move to step 2. Credit HELO. HELOs can be spoofed but in this case the
HELO is basically the same as the REVDNS.
Next step is crediting MAILFROM. This I can do with the ifdsgroup.com
and lower the score for e-mail from this domain. Again it can be spoofed
but ...
I would prefer to credit REVDNS as that cannot be spoofed but I am leery
of crediting an "unknown" domain when it does not relate to the MAILFROM
address.
Any thoughts on how (if possible) to connect the two domains? Or do I
simply drop down to option 3 and credit MAILFROM? I suppose that I could
try and figure out the admin responsible for dstsystems.com and tell
them to fix the HELOBOGUS error in which case my problems would (mostly)
go away.
Any thoughts and comments are appreciated.
Thanks
Goran Jovanovic
The LAN Shoppe
---
This E-mail came from the Declude.JunkMail mailing list. To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail". The archives can be found
at http://www.mail-archive.com.
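The two ideas in this thread, capping what a group of correlated "technical" tests can add to a score (the maxweight idea from the reply) and only crediting REVDNS when it belongs to the same domain as the MAILFROM (Goran's rule), can be modelled in a few lines. The following is an added example written for this page, not Declude code and not either poster's configuration: it parses the X-Note "Tests Failed" line quoted above, applies a group cap, and compares the reverse-DNS host against the MAILFROM domain. The cap value of 8, the 10-point tag threshold (taken from Goran's message), and the test names in TECHNICAL_TESTS are assumptions; Declude's real filter semantics are not reproduced.

```python
import re
from typing import Dict, Optional

# The four tests the reply groups together as "technical tests" (assumed list).
TECHNICAL_TESTS = frozenset({"HELOBOGUS", "BADHEADERS", "CMDSPACE", "SPAMHEADERS"})

# Constructed sample input: the X-Note: Tests Failed value quoted in the thread.
SAMPLE_TESTS_FAILED = "CMDSPACE [8], HELOBOGUS [5], NOLEGITCONTENT [0], SIZE-S [0]"

# TESTNAME [weight]; test names may contain digits and hyphens (e.g. SIZE-S).
_TEST_RE = re.compile(r"([A-Z0-9][A-Z0-9-]*)\s*\[(-?\d+)\]")


def parse_tests_failed(value: str) -> Dict[str, int]:
    """Turn 'CMDSPACE [8], HELOBOGUS [5], ...' into {'CMDSPACE': 8, ...}."""
    return {name: int(weight) for name, weight in _TEST_RE.findall(value)}


def score(tests: Dict[str, int], technical_cap: Optional[int] = None) -> int:
    """Sum the test weights.

    If technical_cap is given, the tests in TECHNICAL_TESTS contribute at most
    technical_cap between them, so a badly configured but legitimate server
    that trips several of them at once is not pushed over the tag threshold
    by those tests alone. Content tests (sniffer, uribl, ...) are unaffected.
    """
    technical = sum(w for t, w in tests.items() if t in TECHNICAL_TESTS)
    other = sum(w for t, w in tests.items() if t not in TECHNICAL_TESTS)
    if technical_cap is not None:
        technical = min(technical, technical_cap)
    return technical + other


def tag_decision(tests: Dict[str, int], threshold: int = 10,
                 technical_cap: Optional[int] = None) -> bool:
    """True when the (possibly capped) score reaches the subject-tag threshold."""
    return score(tests, technical_cap) >= threshold


def registered_domain(host: str) -> str:
    """Last two labels of a hostname.

    Simplification for the example: this is wrong for multi-label public
    suffixes such as example.co.uk, where a public-suffix list is needed.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def revdns_matches_mailfrom(revdns_host: str, mailfrom: str) -> bool:
    """Goran's crediting rule: credit REVDNS only when it is in the same
    registered domain as the MAILFROM address. A shared hosting provider's
    reverse DNS (dstsystems.com) does not vouch for an unrelated sender
    domain (ifdsgroup.com), so this returns False for the quoted message."""
    mailfrom_domain = mailfrom.rsplit("@", 1)[-1]
    return registered_domain(revdns_host) == registered_domain(mailfrom_domain)


if __name__ == "__main__":
    tests = parse_tests_failed(SAMPLE_TESTS_FAILED)
    print("uncapped score:", score(tests), "tagged:", tag_decision(tests))
    print("capped score:  ", score(tests, technical_cap=8),
          "tagged:", tag_decision(tests, technical_cap=8))
    print("credit REVDNS?", revdns_matches_mailfrom("dstsys-cp.dstsystems.com",
                                                    "user@ifdsgroup.com"))
```

With the quoted header the uncapped score is 13 (CMDSPACE 8 + HELOBOGUS 5), which tags at a threshold of 10; capping the technical group at 8 brings it to 8 and the message is no longer tagged, while a content test such as a sniffer hit would still add its full weight on top of the cap. The REVDNS check returns False for dstsys-cp.dstsystems.com against an ifdsgroup.com sender, which is exactly the case Goran is unsure about crediting.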