Good point Rob.  I admit we hadn't thought of that.  Worst case, it would not block some spam servers.  After a short discussion, we've agreed that this is okay for our servers for now, though we are going to brainstorm a little for a solution.  I don't think it would be difficult to handle the case where the last domain portion is 2 characters long and non-numeric and in that case keep 3 portions.  Always keeping 3 portions would not work, as many servers could only use one subdomain, and then they would be blocked.

~Mike

Robert A. Pickering Jr. wrote:

Mike,

I think it's a great idea as many ISPs use multiple servers.  I'm a little unclear however.  Do you *always* take the last two domain portions?  So in the event of international domains like:  mx.someserver.com.uk.  Would you just take com.uk, thereby allowing everyone with a .com.uk extension to randomize?  Since most of my spam is from non-us domains (Brazil, Russia, Poland, Taiwan, China, etc.), it would seem that taking the last two might not be enough, and perhaps should be expanded to three.

-Rob

On Dec 14, 2006, at 3:42 PM, Mike Taczak wrote:

The company I work for is more concerned with removing all false 
positives than filtering absolutely every spam that comes through the 
system.  This can usually be accomplished by using many reliable smaller 
carefully calibrated filtering techniques assuming our servers can 
support them and maintaining speed.  We've found policyd invaluable in 
this sense.

However, while we were looking at the HRP module, we were concerned 
about false positives for the valid email servers that may use more than 
X helo names.  We've come up with a change that should prevent those 
false positives while still filtering many false servers.

By using a truncated version of the received helo name (which is usually 
a domain name of some kind - we truncated by 2 periods. Example: 
mx1.subdomain.test.com becomes test.com), the real email servers are 
less likely to be tagged as randomizing their helo names, while fake 
servers, which seem to rarely use subdomains on the same network anyway, 
are still filtered out albeit at a slightly lower rate.

In the case of a helo name being an IP address, we added a condition to 
only do the truncation if the last character in the helo name is 
non-numeric so that IPs would still retain all the information.

What do you think about incorporating this change into policyd?

~Mike

-------------------------------------------------------------------------
Take Surveys. Earn Cash. Influence the Future of IT
Join SourceForge.net's Techsay panel and you'll get the chance to share your
opinions on IT & business topics through brief surveys - and earn cash
_______________________________________________
policyd-users mailing list

-- 
Robert A. Pickering Jr.              SixDoes IT Solutions

"I just the other day got, an internet was sent by my staff at 10 o'clock in the morning on Friday and I just got it yesterday. Why?  Because it got tangled up with all these things going on the internet commercially." -- Sen. Ted Stevens (R-Alaska)
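The HELO normalization discussed in this thread (truncate to the last two labels, keep IP-style names whole, and Mike's follow-up of keeping three labels when the final label is two letters and non-numeric), written out as an added example that is not code from policyd or from either poster; treating bracketed address literals as IPs and the sample client addresses are assumptions of this example.

```python
import ipaddress


def normalize_helo(helo: str) -> str:
    """Reduce a HELO name to the key used when counting distinct names per client.
    Thread's rules: keep IP-style names whole (last character numeric); otherwise
    keep the last two labels, or three when the final label is a two-letter
    non-numeric country code such as .uk.
    """
    name = helo.strip().lower().rstrip(".")
    if not name:
        return name
    # Thread's rule: truncate only when the last character is non-numeric,
    # so a dotted-quad HELO keeps all four octets.
    if name[-1].isdigit():
        return name
    # Bracketed address literals ([192.0.2.10], [IPv6:...]) end in ']';
    # keeping them whole as well is this example's assumption, not the thread's.
    if name.startswith("[") and name.endswith("]"):
        inner = name[1:-1].removeprefix("ipv6:")
        try:
            ipaddress.ip_address(inner)
            return name
        except ValueError:
            pass
    labels = name.split(".")
    keep = 3 if len(labels[-1]) == 2 and labels[-1].isalpha() else 2
    return ".".join(labels[-keep:])


def distinct_helo_keys(events):
    """Count distinct normalized HELO keys per client address."""
    seen = {}
    for client_ip, helo in events:
        seen.setdefault(client_ip, set()).add(normalize_helo(helo))
    return {ip: len(keys) for ip, keys in seen.items()}


# Constructed sample: a multi-server sender that should collapse to one key,
# and a sender whose HELO changes on every connection.
SAMPLE_EVENTS = [
    ("198.51.100.7", "mx1.out.example.com"),
    ("198.51.100.7", "mx2.out.example.com"),
    ("198.51.100.7", "MX3.out.example.com."),
    ("203.0.113.9", "a1b2c3.example.net"),
    ("203.0.113.9", "zz9qq.example.org"),
    ("203.0.113.9", "xk4.example.com"),
]

if __name__ == "__main__":
    for ip, n in distinct_helo_keys(SAMPLE_EVENTS).items():
        print(ip, "distinct HELO keys:", n)
```

Note that the two-letter rule also keeps three labels for country codes that register directly under the TLD (mx1.example.de stays mx1.example.de), so a multi-server sender there still produces one key per host, which is exactly the false-positive case the truncation was meant to avoid.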


