Re[2]: [Declude.JunkMail] Feature requests: LOOSEN HELOBOGUS ON/OFF, REVNOTHELO

2003-01-07 Thread Sanford Whiteman
> It's also important to realize the purpose of the HELOBOGUS test. It
> isn't  designed  primarily  to catch spammers. It's designed to help
> detect poorly administered mailservers -- ones that are likely to be
> abused  by spammers.

True,   but   if  you're  using  HELOBOGUS  for  anything  other  than
advertising to your clients' clients--which Declude is definitely good
for  :)--you're  giving  it  a weight, so you are using it not only as
community outreach, but as a spam test.

> And those Fortune 500 companies that have their mailserver advertise
> itself  with  a  name  other  than what it really is, well, they are
> running mailservers that are poorly administered.

I  have  zero  respect for people who think they're too big to change:
CitiGroup  actually has a stated policy that they "do not make changes
for  outside  companies"  or  suchlike, which they use to avoid fixing
problems   they   don't   really   understand.   But   we  can't  have
zero-tolerance  for HELOBOGUS in practical terms, since we risk losing
clients by losing their clients, and the more hoops it takes to get to
an  IT  group,  the  more  annoyed everyone becomes (even if their own
bureaucracy is at fault).

> But  if  you  don't  penalize  them,  they  will definitely continue
> bending the rules too far, which helps increase spam.

Yes,  something  must  actually break, even if it just means that they
consistently trip the weekly ALERT threshold. But again, speaking from
a   combo   of   experience  and  my  own  grudges,  a  dead  HELO  of
'www03.example.com' is a lot less likely to get fixed than a dead HELO
of  just  'mail.'  Even  the  stupid  mail  admin can see and fix some
problems  with  the  latter,  while  the  former  will  likely involve
contacting  the much-feared DNS group, blah blah blah. And when people
do ask us how to pass a "looser" test, we will of course continue
to  say  that  a  published  FQHN  is  required,  still  spreading the
"tighter" word to those admins.

We're  pretty  strict on our own. SPAManager, for example, was not our
idea.  But  clients  dictate  varying  tolerances.  Something that has
surprised  me  is  how  likely  difficult  internal  users are to have
irascible,   irrational   external  contacts/friends--self-evident,  I
suppose,  but  the  parity  is  just uncanny sometimes! At any rate, a
looser  HELOBOGUS option (maybe a separate test completely, now that I
think  about  it, to enable varying weights) would make HELOBOGUS less
of a liability for us.

>>But  I  WOULD  use  a  negative  test  in  the  style  of IPNOTINMX,
>>"rewarding"  a site slightly for having the ability, experience, and
>>control to match the two and hopefully combatting some FPs.

> Aha -- like the IPNOTINMX test.  That's a good idea.

Glad  you  agree  there!  I  think  the  two  tests  (exact  match and
parent/grandparent domain match) would be perfect.

-Sandy

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail".  The archives can be found
at http://www.mail-archive.com.



[Declude.JunkMail] Feature requests: LOOSEN HELOBOGUS ON/OFF, REVNOTHELO

2003-01-07 Thread Sanford Whiteman
Scott/All,

-  I've  found  HELOBOGUS  is often counterproductive, even with a low
weight, since legit sites, even (especially?) "big guns" (Fortune 500,
whatever)  often  give  their  servers fully-qualified, RFC-legal--yet
publicly  nonexistent--hostnames.  What  would help a lot, I think, is
the ability to let theoretically publishABLE FQHNs go, but still catch
unqualified hostnames, illegitimate characters, and IP addresses.

-  I  would  never, ever, ever block someone who had non-matching HELO
and  PTR.  Repeat,  I  would  never  hold this against someone, and it
really peeves me when clients (one of our military sites, for example)
suggest it. But I WOULD use a negative test in the style of IPNOTINMX,
"rewarding"  a  site  slightly for having the ability, experience, and
control  to  match  the  two  and  hopefully  combatting  some FPs. In
particular,  this  separates  people using consumer DSL providers (who
pre-assign  a  non-matching  PTR  reflecting  the  PPPoE  or static IP
address) from companies with a tighter hold on their IT, and--although
we  provide  hosting  services  ourselves!--would also give a boost to
those  that don't use shared servers. Of course, the more people learn
about  this  counterweight, the less useful it would be, and there are
some  spammers  who  already  would  benefit  from  it.  Yet  it would
definitely  assist when (untreatable) SPAMHEADERS/BADHEADERS/HELOBOGUS
blasts  come  from legitimate sources. Kind of a toss-up, but I'd like
to discuss it.

Please post your thoughts.

-Sandy



Sanford Whiteman, Chief Technologist
Broadleaf Systems, a division of
Cypress Integrated Systems, Inc.
e-mail: [EMAIL PROTECTED]
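As an added illustration of the two ideas raised in this thread (the "looser" HELOBOGUS variant that lets publishable FQHNs through but still catches unqualified names, illegal characters and IP addresses, and the IPNOTINMX-style negative test with exact and parent/grandparent HELO/PTR matching), here is example code that is not part of Declude or the list posts; the weights and the function names are constructed assumptions.

```python
import ipaddress
import re

# Hostname labels: letters, digits and hyphens, no leading/trailing hyphen.
LABEL_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?$")

# Constructed weights for illustration only; real test weights live in the
# Declude configuration, not here.
WEIGHTS = {"unqualified": 5, "illegal-chars": 5, "ip-address": 5,
           "fqdn": 0, "exact": -2, "parent": -1, "grandparent": -1}

def classify_helo(helo):
    """Looser HELOBOGUS: flag only syntactically bogus HELO names.
    Unqualified names, illegal characters and bare IPs are reported; a
    well-formed FQDN passes even if it does not exist in public DNS."""
    name = helo.strip()
    if name.startswith("[") and name.endswith("]"):
        name = name[1:-1]  # address-literal form, e.g. [192.0.2.1]
    try:
        ipaddress.ip_address(name)
        return "ip-address"
    except ValueError:
        pass
    labels = name.rstrip(".").split(".")
    if len(labels) < 2:
        return "unqualified"
    if any(not LABEL_RE.match(label) for label in labels):
        return "illegal-chars"
    return "fqdn"

def helo_ptr_match(helo, ptr):
    """Negative (rewarding) test: 'exact' if HELO equals the PTR name, 'parent'
    if both sit directly under one domain, 'grandparent' if they share a domain
    two labels up, else None. Caveat: a public suffix such as co.uk also counts
    as a shared parent, so a real deployment should exclude public suffixes."""
    h = helo.strip().rstrip(".").lower().split(".")
    p = ptr.strip().rstrip(".").lower().split(".")
    if h == p:
        return "exact"
    for strip, level in ((1, "parent"), (2, "grandparent")):
        # Require at least two labels left so a bare TLD never matches.
        if len(h) > strip + 1 and len(p) > strip + 1 and h[strip:] == p[strip:]:
            return level
    return None

def helo_weight(helo, ptr):
    """Combined score: bogus-HELO penalty plus the HELO/PTR match reward."""
    weight = WEIGHTS[classify_helo(helo)]
    match = helo_ptr_match(helo, ptr)
    return weight + (WEIGHTS[match] if match else 0)
```

A consumer-DSL sender with a provider-assigned PTR gets no reward, while a server whose HELO and PTR sit under the same domain offsets part of a penalty, which is the counterweight the second post describes.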

