[EMAIL PROTECTED] spake the following on 12/11/2006 8:11 AM:
> Jeff wrote on 12/09/2006 04:57:51 PM:
>
>> So, when my server sends e-mail, it uses "saber.nabs.net" as its
>> "EHLO", and the connection comes from 71.246.216.107. "host
>> saber.nabs.net" returns 71.246.216.107, which is the same IP that the
>> connection comes from. So far, so good.
>>
>> But, "host 71.246.216.107" returns:
>> static-71-246-216-107.washdc.fios.verizon.net.
>>
>> This hits on just about every "is this a generic rDNS" regex. But, as
>> you can see by the name, it's not likely to be a dialup/dynamic, etc.
>>
>> So, I vote for any change to the Botnet code that ends up with my type
>> of situation (which is pretty much what Jan-Pieter was also describing)
>> not getting rejected.
>
> Since many home dialup/DSL/Cable users that want to connect to their AUP
> violating servers at home use free dynamic DNS services, I have a proposal
> to help separate them from the legit servers like Jeff describes.
>
> The free dynamic DNS servers usually have very short TTL values, and
> presumably, a legitimate server like saber.nabs.net has a more reasonable
> (greater than 2 hour) value. By checking the TTL, you can help weed out
> the bogus servers without blocking small business mail servers on DSL/etc
> connections.
>
> Another test might be to see who hosts their DNS, but that might be more
> problematic. If it is a known free, dynamic DNS server, regardless of
> TTL, would that be a spam indicator?

That is why I don't score botnet as high as the default. I want the actual mail content to contribute something to its being tagged. That way, if I get a botnet hit at, say, 2.0, either a bayes_99 or a hit on a digest will send it way over. But if it hits only botnet, and nothing else, it can pass. I score low spam at 3, so a score of 2.0 in the botnet meta rule gets it close.
I would suggest that the botnet meta rule have its name extended slightly, so a grep for its name doesn't hit all the botnet rules without having to egrep with a regex. Maybe botnet_meta or something like that. I think I have enough good rules that score well, but I like the extra percentage that I can get with this plugin.
--
MailScanner is like deodorant...
You hope everybody uses it, and you notice quickly if they don't!!!!

_______________________________________________
NOTE: If there is a disclaimer or other legal boilerplate in the above
message, it is NULL AND VOID. You may ignore it.

Visit http://www.mimedefang.org and http://www.roaringpenguin.com
MIMEDefang mailing list
[email protected]
http://lists.roaringpenguin.com/mailman/listinfo/mimedefang
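The TTL heuristic proposed in the quoted message, combined with the forward-confirmed rDNS and generic-name checks Jeff describes, as an added Python example (not code from this thread or from the Botnet plugin). The DNS data is constructed inline in place of live lookups (the TTL shown for saber.nabs.net is invented), the generic-rDNS regex is our own approximation, and the 2.0 score mirrors the poster's reduced setting for the botnet meta rule.

```python
import ipaddress
import re
from dataclasses import dataclass

# Names that look like generic/dynamic rDNS: the IP's octets embedded in a
# label, or common access-network keywords (our own approximation of the
# "is this a generic rDNS" regexes the thread mentions).
GENERIC_RDNS_RE = re.compile(
    r"(\d{1,3}[-.]){3}\d{1,3}|\b(dyn|dynamic|dhcp|dsl|cable|pool|dial|ppp)\b",
    re.IGNORECASE)
DYNAMIC_TTL_THRESHOLD = 7200  # seconds; the proposal treats "> 2 hours" as stable
BOTNET_META_SCORE = 2.0       # the poster's reduced score for the botnet meta rule

@dataclass
class DnsView:
    """Stand-in resolver: PTR name per IP and (addresses, ttl) per forward name.
    Constructed so the example runs offline; a deployment would fill it from
    live PTR and A lookups (including the A record's TTL)."""
    ptr: dict
    forward: dict

def classify_sender(ip, helo, dns, ttl_threshold=DYNAMIC_TTL_THRESHOLD):
    """Combine FCrDNS, generic-rDNS and TTL checks into one verdict and score."""
    ip = str(ipaddress.ip_address(ip))
    ptr_name = dns.ptr.get(ip)
    addrs, ttl = dns.forward.get(helo.lower(), ((), None))
    fcrdns_ok = ip in addrs                    # HELO name resolves back to the client
    generic_rdns = bool(ptr_name and GENERIC_RDNS_RE.search(ptr_name))
    short_ttl = ttl is not None and ttl < ttl_threshold  # dynamic-DNS style record
    # A generic-looking PTR alone is not enough: Jeff's static FiOS host trips
    # the regex but its HELO name is stable.  Only an FCrDNS failure, or a
    # generic name plus a short TTL, earns the botnet score.
    if not fcrdns_ok or (generic_rdns and short_ttl):
        verdict, score = "botnet_likely", BOTNET_META_SCORE
    elif generic_rdns:
        verdict, score = "generic_rdns_but_stable", 0.0
    else:
        verdict, score = "clean", 0.0
    return {"ptr": ptr_name, "fcrdns_ok": fcrdns_ok, "generic_rdns": generic_rdns,
            "ttl": ttl, "short_ttl": short_ttl, "verdict": verdict, "score": score}

# Constructed sample data: Jeff's host from the thread (its TTL is invented
# here) and a made-up dynamic-DNS home box on a documentation address.
SAMPLE_DNS = DnsView(
    ptr={"71.246.216.107": "static-71-246-216-107.washdc.fios.verizon.net",
         "203.0.113.45": "203-0-113-45.dyn.example.net"},
    forward={"saber.nabs.net": (("71.246.216.107",), 86400),
             "home-box.dyndns-example.net": (("203.0.113.45",), 60)})
```

Running `classify_sender("71.246.216.107", "saber.nabs.net", SAMPLE_DNS)` returns the verdict `generic_rdns_but_stable` with a 0.0 score, while the short-TTL home box returns `botnet_likely` and 2.0.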

