Well, telling the fake hotmail from the normal hotmail is one thing... And for this specific task, working around REVDNS is not your best best. HotMail publishes SPF records that help you by identifying their blocks of outbound CIDR addresses. All you need to do is check for a mailfrom that ends with hotmail.com and for a SPF PASS.
But another cautionary note is that you can *counterweight* hotmail *too* much. I, and others here, regularly see spam from disposable hotmail accounts. The spammers know that they will get the account banned, but they don't care, the payload is either in the HTML, or advertise a contact for phone and fax number (Nigerian or "419" fraud), or pump and dump stock fraud, or a deliberately mangled URL that won't be picked up by URI scanning. In other words, IP4R tests don't work to fight these, and content scanners lag behind at least one wave of this spam. Andrew 8) > -----Original Message----- > From: [EMAIL PROTECTED] > [mailto:[EMAIL PROTECTED] On Behalf Of Serge > Sent: Monday, December 12, 2005 8:36 AM > To: Declude.JunkMail@declude.com > Subject: Re: [Declude.JunkMail] REVDNS > > I use tests that were posted long time ago by kami I use them > for aol, hotmail, yahoo, ... > i think they are much more flexible than spamdomains, and > they test mailfrom, revdns and helo (i think spamdomains only > test mailfrom and > revdns) > there was a long discussion at that time, i do not remember > all the details, try checking the archives. > > > ----- Original Message ----- > From: "Markus Gufler" <[EMAIL PROTECTED]> > To: <Declude.JunkMail@declude.com> > Sent: Monday, December 12, 2005 3:14 PM > Subject: RE: [Declude.JunkMail] REVDNS > > > > Thank you Scott, > > > > Serge, why do you use such a filter? A SpamDomain-Test > should do this even > > bether. > > > > Markus > > > > > > > > > -----Original Message----- > > > From: [EMAIL PROTECTED] > > > [mailto:[EMAIL PROTECTED] On Behalf Of > Scott Fisher > > > Sent: Monday, December 12, 2005 3:58 PM > > > To: Declude.JunkMail@declude.com > > > Subject: Re: [Declude.JunkMail] REVDNS > > > > > > REVDNS 10 IS (Timeout) > > > > > > ----- Original Message ----- > > > From: "Markus Gufler" <[EMAIL PROTECTED]> > > > To: <Declude.JunkMail@declude.com> > > > Sent: Monday, December 12, 2005 1:42 AM > > > Subject: RE: [Declude.JunkMail] REVDNS > > > > > > > > > > > > > >> I think it may be (timeout). I know Scott > > > >> Fisher posted a filter the other day that had the exact text > > > >> on what it is when rev dns times out. > > > > > > > > It was a message from Scott Fisher on the "cbl"-thread and > > > as I can see he > > > > posted a line > > > > > > > > TESTSFAILED 50 CONTAINS REVDNS-TIMEOUT > > > > > > > > So it would be interesting know what's exactly in his text > > > filter file > > > > "REVDNS-TIMEOUT" > > > > > > > > Markus > > > > > > > > > > > > --- > > > > [This E-mail was scanned for viruses by Declude EVA > www.declude.com] > > > > > > > > --- > > > > This E-mail came from the Declude.JunkMail mailing list. To > > > > unsubscribe, just send an E-mail to [EMAIL PROTECTED], and > > > > type "unsubscribe Declude.JunkMail". The archives can be found > > > > at http://www.mail-archive.com. > > > > > > > > > > --- > > > [This E-mail was scanned for viruses by Declude EVA > www.declude.com] > > > > > > --- > > > This E-mail came from the Declude.JunkMail mailing list. To > > > unsubscribe, just send an E-mail to [EMAIL PROTECTED], and > > > type "unsubscribe Declude.JunkMail". The archives can be found > > > at http://www.mail-archive.com. > > > > > > > --- > > [This E-mail was scanned for viruses by Declude EVA www.declude.com] > > > > --- > > This E-mail came from the Declude.JunkMail mailing list. To > > unsubscribe, just send an E-mail to [EMAIL PROTECTED], and > > type "unsubscribe Declude.JunkMail". The archives can be found > > at http://www.mail-archive.com. > > > > --- > [This E-mail was scanned for viruses by Declude EVA www.declude.com] > > --- > This E-mail came from the Declude.JunkMail mailing list. To > unsubscribe, just send an E-mail to [EMAIL PROTECTED], and > type "unsubscribe Declude.JunkMail". The archives can be found > at http://www.mail-archive.com. > --- [This E-mail was scanned for viruses by Declude EVA www.declude.com] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com.
