I have a number of REVDNS counterweights such as:
REVDNS -30 ENDSWITH .gc.ca
REVDNS -30 ENDSWITH .gov.on.ca
Since in the past I have found mail coming from these locations to fail
the technical tests. So even if they do not fail any other test they
will trigger the SPAM tagging. So I started building up the REVDNS
filter and have added many domains to it.
Thanks to all that responded
Goran Jovanovic
The LAN Shoppe
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:Declude.JunkMail-
> [EMAIL PROTECTED] On Behalf Of Darin Cox
> Sent: Thursday, September 08, 2005 1:10 PM
> To: [email protected]
> Subject: Re: [Declude.JunkMail] How to credit a domain
>
> Good point. I wasn't thinking about the domain in question, only the
> practice, and didn't go so far as to mention that for ISP domains like
> this, we prefer to counterweight by MAILFROM on the exact email address
> rather than REVDNS.
>
> It's all about being as narrow as possible where there's room for
> abuse...
>
> Darin.
>
>
> ----- Original Message -----
> From: "Colbeck, Andrew" <[EMAIL PROTECTED]>
> To: <[email protected]>
> Sent: Thursday, September 08, 2005 12:58 PM
> Subject: RE: [Declude.JunkMail] How to credit a domain
>
>
> Danger, Will Robinson! Danger!
>
> Darin, thank you for pointing out that qualifying a domain name with a
> prepended period is a solid best practice, and I'll add that it is
> mandatory to get the expected results when one uses a SPAMDOMAINS
> test.
>
> However, this ComCast example is NOT a recommended action, as it will
> still have the flaw I cited earlier, i.e. that you would be
> counterweighting their mailhosts all right, but also all of the
> zombies on their highly infested cable subscriber network.
>
> Andrew 8)
>
>
> > -----Original Message-----
> > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED] On Behalf Of Darin Cox
> > Sent: Thursday, September 08, 2005 9:46 AM
> > To: [email protected]
> > Subject: Re: [Declude.JunkMail] How to credit a domain
> >
> > Might want to make it
> >
> > REVDNS -100 ENDSWITH .ComCast.net
> >
> > instead of
> >
> > REVDNS -100 ENDSWITH ComCast.net
> >
> > (note the period before comcast.net)
> >
> > That way spamcomcast.net won't match when you don't want it to.
> >
> > Darin.
> >
> >
> > ----- Original Message -----
> > From: "Colbeck, Andrew" <[EMAIL PROTECTED]>
> > To: <[email protected]>
> > Sent: Thursday, September 08, 2005 12:37 PM
> > Subject: RE: [Declude.JunkMail] How to credit a domain
> >
> >
> > Oop, there was one other thing.
> >
> > I try to avoid the temptation of counterweighting a fragment of
> > their reverse DNS.
> >
> > For example, if there were a ComCast.net mailhost problem that I
> > wanted to counterweight, it would be tempting to add:
> >
> > REVDNS -100 ENDSWITH ComCast.net
> >
> > Which would accomplish the goal, but at the same time as letting in
> > a tidal wave of spam from zombies on their cable subscriber network!
> >
> > That all being said, I also have a very few Declude PRO filter text
> > files that accomplish counterweighting for problematic domains that
> > need help to get their mail through my setup, but whose complexity to
> > keep the spam out preclude it from going in my mixed bag of
> > counterweights.
> >
> > Andrew 8)
> >
> >
> > > -----Original Message-----
> > > From: [EMAIL PROTECTED]
> > > [mailto:[EMAIL PROTECTED] On Behalf Of
> > > Colbeck, Andrew
> > > Sent: Thursday, September 08, 2005 9:31 AM
> > > To: [email protected]
> > > Subject: RE: [Declude.JunkMail] How to credit a domain
> > >
> > > Hi, Goran.
> > >
> > > I like to counterweight based on their IP for a couple of
> > > reasons. The first is that if their administration is not up
> > > to par (so that I have to counterweight them), the odds are
> > > good that their revdns is flawed or that their DNS is subject
> > > to timeouts.
> > >
> > > I also find that, as a practical matter, a company is as
> > > likely to change their IP as their revdns so neither is more
> > > "stable" than the other.
> > >
> > > Third, a lot of the companies with this kind of problem also
> > > fail REVDNS anyway!
> > >
> > > Last, larger companies can sometimes easily be spotted in
> > > SenderBase.org as having all of their mailhosts on a small
> > > subnet and I can use a REMOTEIP CIDR mask.
> > >
> > > Andrew 8)
> > >
> > >
> > >
> > > > -----Original Message-----
> > > > From: [EMAIL PROTECTED]
> > > > [mailto:[EMAIL PROTECTED] On Behalf Of Goran
> > > > Jovanovic
> > > > Sent: Thursday, September 08, 2005 9:22 AM
> > > > To: [email protected]
> > > > Subject: RE: [Declude.JunkMail] How to credit a domain
> > > >
> > > > Andrew,
> > > >
> > > > Why would you counterweight their IP and not the REVDNS? It
> > > > seems that it is basically the same thing?
> > > >
> > > >
> > > > Goran Jovanovic
> > > > The LAN Shoppe
> > > >
> > > >
> > > >
> > > > > -----Original Message-----
> > > > > From: [EMAIL PROTECTED] [mailto:Declude.JunkMail-
> > > > > [EMAIL PROTECTED] On Behalf Of Colbeck, Andrew
> > > > > Sent: Thursday, September 08, 2005 11:52 AM
> > > > > To: [email protected]
> > > > > Subject: RE: [Declude.JunkMail] How to credit a domain
> > > > >
> > > > > Goran, I have consistently found that providers that handle
> > > > > mail for other companies are reliable enough that I can merely
> > > > > counterweight their IP. I hardly ever trust their reverse DNS,
> > > > > and even less often the HELO.
> > > > >
> > > > > I have a last resort test where I have a mixed bag of
> > > > > counterweights.
> > > > >
> > > > > Andrew 8)
> > > > >
> > > > >
> > > > > > -----Original Message-----
> > > > > > From: [EMAIL PROTECTED]
> > > > > > [mailto:[EMAIL PROTECTED] On Behalf Of Goran
> > > > > > Jovanovic
> > > > > > Sent: Thursday, September 08, 2005 8:33 AM
> > > > > > To: [email protected]
> > > > > > Subject: [Declude.JunkMail] How to credit a domain
> > > > > >
> > > > > > Hi all,
> > > > > >
> > > > > > I get messages like this all the time and I am always in a
> > > > > > dilemma on what to do about them. This is a legit mail that
> > > > > > scored 10 (where I start tagging mail).
> > > > > >
> > > > > > ------------------------------------------------------------
> > > > > > Received: from mx.dstsystems.com [204.167.177.68] by
> > > > > > mail1.gonetworks.net with ESMTP (SMTPD32-8.13) id
> > > > > > AAD8195300F2; Wed, 07 Sep 2005 15:09:12 -0400
> > > > > >
> > > > > > X-RBL-Warning: HELOBOGUS: Domain mx.dstsystems.com has no MX
> > > > > > or A records [0301].
> > > > > >
> > > > > > X-Declude-Sender: [EMAIL PROTECTED] [204.167.177.68]
> > > > > >
> > > > > > X-Note: Reverse DNS: Sent from dstsys-cp.dstsystems.com
> > > > > > ([204.167.177.68]).
> > > > > >
> > > > > > X-Note: Tests Failed: CMDSPACE [8], HELOBOGUS [5],
> > > > > > NOLEGITCONTENT [0], SIZE-S [0]
> > > > > > ------------------------------------------------------------
> > > > > >
> > > > > > So this mail came from domain dstsystems.com on the IP
> > > > > > 204.167.177.68 but it is from domain ifdsgroup.com. Now my
> > > > > > preferred method of dealing with this type of problem is to
> > > > > > credit based on REVDNS. Again in this case there is a good
> > > > > > REVDNS but it is not from the same domain as the MAILFROM (if
> > > > > > it was then I would have no problem in crediting the REVDNS).
> > > > > >
> > > > > > So is there a way to figure out if dstsystems.com is an e-mail
> > > > > > hosting company and then I would not want to credit the REVDNS
> > > > > > as I do not know what other domains they host.
> > > > > >
> > > > > > If I cannot figure out the link then I would not credit REVDNS
> > > > > > and would move to step 2. Credit HELO. HELOs can be spoofed but
> > > > > > in this case the HELO is basically the same as the REVDNS.
> > > > > >
> > > > > > Next step is crediting MAILFROM. This I can do with the
> > > > > > ifdsgroup.com and lower the score for e-mail from this domain.
> > > > > > Again it can be spoofed but ...
> > > > > >
> > > > > > I would prefer to credit REVDNS as that cannot be spoofed but I
> > > > > > am leery of crediting an "unknown" domain when it does not
> > > > > > relate to the MAILFROM address.
> > > > > >
> > > > > > Any thoughts on how (if possible) to connect the two domains?
> > > > > > Or do I simply drop down to option 3 and credit MAILFROM? I
> > > > > > suppose that I could try and figure out the admin responsible
> > > > > > for dstsystems.com and tell them to fix the HELOBOGUS error in
> > > > > > which case my problems would (mostly) go away.
> > > > > >
> > > > > > Any thoughts and comments are appreciated.
> > > > > >
> > > > > > Thanks
> > > > > >
> > > > > >
> > > > > > Goran Jovanovic
> > > > > > The LAN Shoppe
> > > > > > ---
> > > > > > This E-mail came from the Declude.JunkMail mailing list. To
> > > > > > unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
> > > > > > type "unsubscribe Declude.JunkMail". The archives can be found
> > > > > > at http://www.mail-archive.com.
> > > > > >
---
This E-mail came from the Declude.JunkMail mailing list. To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail". The archives can be found
at http://www.mail-archive.com.
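
Added example, not part of the thread and not Declude code: a Python model of the three counterweight scopes discussed above (bare `ENDSWITH ComCast.net`, dotted `ENDSWITH .ComCast.net`, and a mailhost CIDR mask), showing which senders each one credits. The hostnames, IP addresses and the /28 subnet are constructed, and case-insensitive suffix matching is an assumption.

```python
import ipaddress

# Constructed senders (reverse DNS name, connecting IP); documentation
# address ranges, not real Comcast hosts.
SENDERS = {
    "isp_mailhost": ("mailout1.comcast.net", "192.0.2.10"),
    "subscriber_zombie": ("c-198-51-100-7.hsd1.pa.comcast.net", "198.51.100.7"),
    "lookalike_domain": ("mx1.spamcomcast.net", "203.0.113.5"),
}


def revdns_endswith(revdns, suffix, weight):
    """Model of 'REVDNS <weight> ENDSWITH <suffix>': a plain string suffix
    test. Case-insensitive comparison is an assumption of this sketch."""
    return weight if revdns.lower().endswith(suffix.lower()) else 0


def remoteip_cidr(remote_ip, cidr, weight):
    """Model of a counterweight scoped to a mailhost subnet by CIDR mask."""
    in_net = ipaddress.ip_address(remote_ip) in ipaddress.ip_network(cidr)
    return weight if in_net else 0


def credited(rule):
    """Return the sorted sender labels that receive a credit under `rule`."""
    return sorted(
        label for label, (revdns, ip) in SENDERS.items() if rule(revdns, ip) < 0
    )


# Rule names are labels for this sketch, not filter-file syntax.
RULES = {
    "bare_suffix": lambda r, ip: revdns_endswith(r, "ComCast.net", -100),
    "dotted_suffix": lambda r, ip: revdns_endswith(r, ".ComCast.net", -100),
    # Hypothetical mailhost subnet, standing in for one found by lookup.
    "mailhost_cidr": lambda r, ip: remoteip_cidr(ip, "192.0.2.0/28", -100),
}

if __name__ == "__main__":
    for name, rule in RULES.items():
        print(f"{name:14} credits {credited(rule)}")
```

The dotted suffix drops the lookalike domain but still credits the subscriber host; only the subnet-scoped rule credits the mailhost alone.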