RE: [Declude.JunkMail] Integrity Checker
Hi JD:

In my opinion the more tests we have the fewer false positives we will have, since we can reduce the high weight for some of our other tests. What I find interesting is our spam is no longer failing with borderline weights. As we have added more and more tests, a spam fails with much higher weight, and those that are borderline (we hold on 20) have a higher probability to be false positives. One example of a test that at first we found to be a great test but over time we have reduced its weight to 5 is REVDNS. More and more legitimate mail fails that test.

So if we can come up with tests that can trigger spam and yet with reverse tests negate the ones we know, our chances of success increase. What triggered this was getting a porn email where HELO was .Microsoft.com. Can we ever imagine eBay sending an email where HELO is eBay but REVDNS is EarthLink or a DSL?

For example: Domain / REVDNS / HELO (perhaps even IP range). This will work best with such companies as eBay, Microsoft, Amazon, etc. So if a REVDNS comes up that does not match the domain or HELO then it gets a certain weight. It should be easy to implement...

Regards,
Kami

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of J.D. Springer
Sent: Saturday, October 11, 2003 11:08 PM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.JunkMail] Integrity Checker

> Kami:
>
> I think this is a good idea in concept, but could produce a lot of false positives if not used carefully.
>
> For example: When I travel, I have to use mail.earthlink.net as my SMTP server. Some airlines send out reservation confirmations from servers that are not theirs.
>
> J.D.
>
> Kami Razvan wrote:
>
> > Hi;
> >
> > I wonder if a test could be set up that checks for the integrity of the email. For example:
> >
> > ===
> > X-Declude-Sender: [EMAIL PROTECTED] [67.121.210.25]
> > X-Declude-Spoolname: D17aa0bbd0062ac07.SMD
> > X-Note: This E-mail was scanned & filtered by Declude [1.76i5] for SPAM & virus.
> > X-Weight: 13
> > X-Hello: microsoft.com
> > ===
> >
> > Why should @gundamfan.com have a HELO of microsoft.com?
> >
> > Perhaps an extension of SPAMDOMAINS where one could specify the email, and the REVDNS could also be extended to HELO. So HELO of Microsoft.com should only be allowed if REVDNS is also Microsoft and email is Microsoft.com. Or can we do this already?
> >
> > Regards,
> > Kami

---
[This E-mail scanned for viruses by Declude Virus at MAILER.DB2Consulting.com]
---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]
---
This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com.
RE: [Declude.JunkMail] Integrity Checker
> When I travel, I have to use mail.earthlink.net as my SMTP server.
> Some airlines send out reservation confirmations from servers that are not theirs.

For sure it will create false positives, as many other tests do. For example the SPAMDOMAINS test, if a user uses the mailserver of his current ISP but a freemailer address like @yahoo.com as sender address. I think that far more spam will fail such an integrity check than some few legit messages. So it should be a good test in a weighting system. It's not the goal to hold if such an integrity test fails. Simply add some points.

All information needed to determine the integrity is already here. No additional NS lookups, heavy processing, large files or databases. The same test can also give a negative weight if domain or TLD of MAILFROM, REVDNS, HELO/EHLO and maybe also the Country-chain show a certain integrity.

Markus
Re: [Declude.JunkMail] Integrity Checker
Kami:

I think this is a good idea in concept, but could produce a lot of false positives if not used carefully.

For example: When I travel, I have to use mail.earthlink.net as my SMTP server. Some airlines send out reservation confirmations from servers that are not theirs.

J.D.

Kami Razvan wrote:

> Hi;
>
> I wonder if a test could be set up that checks for the integrity of the email. For example:
>
> ===
> X-Declude-Sender: [EMAIL PROTECTED] [67.121.210.25]
> X-Declude-Spoolname: D17aa0bbd0062ac07.SMD
> X-Note: This E-mail was scanned & filtered by Declude [1.76i5] for SPAM & virus.
> X-Weight: 13
> X-Hello: microsoft.com
> ===
>
> Why should @gundamfan.com have a HELO of microsoft.com?
>
> Perhaps an extension of SPAMDOMAINS where one could specify the email, and the REVDNS could also be extended to HELO. So HELO of Microsoft.com should only be allowed if REVDNS is also Microsoft and email is Microsoft.com. Or can we do this already?
>
> Regards,
> Kami
RE: [Declude.JunkMail] Integrity Checker
> I wonder if a test could be set up that checks for the integrity of the email.

Good idea! I suggested such a comparison some months ago. For example, the last spam that ended up in my inbox:

Received: from arti.vub.ac.be (h222n2fls34o834.telia.com [213.66.187.222]) by relay.aknet.it (8.11.2/8.11.2) with ESMTP id h9BElKp16532 for [EMAIL PROTECTED]; Sat, 11 Oct 2003 16:47:21 +0200
Subject: [s79] =?iso-8859-1?B?SG93IGRvZXMgU2lsZGVuYWZpbCBDaXRyYXRlICB3b3JrPw==?=
From: "Allen B. Case" <[EMAIL PROTECTED]>
X-RBL-Warning: SPAMCHK: Message failed SPAMCHK: 79.
X-Declude-Sender: [EMAIL PROTECTED] [213.66.187.222]
X-Spam-Tests-Failed: NOLEGITCONTENT, SPAMCHK, WEIGHT75 [79]
X-Country-Chain: SWEDEN->ITALY->destination

HELO: arti.vub.ac.be
REVDNS: h222n2fls34o834.telia.com
FROM: [EMAIL PROTECTED]ca
ORIGIN COUNTRY: Sweden

Received: from microsoft.com (sp121.neoplus.adsl.tpnet.pl [80.54.1.121]) by relay2.aknet.it (8.11.2/8.11.2) with SMTP id h9AGHYo27169 for <[EMAIL PROTECTED]>; Fri, 10 Oct 2003 18:17:35 +0200
Date: Fri, 10 Oct 2003 16:45:30 +
From: Ketygukyt <[EMAIL PROTECTED]>
Reply-To: Worivim <[EMAIL PROTECTED]>
Sender: Kizopikar <[EMAIL PROTECTED]>
X-RBL-Warning: DSN: Not supporting null originator (DSN)
X-RBL-Warning: SPAMCHK: Message failed SPAMCHK: 50.
X-Spam-Tests-Failed: DSN, SPAMCHK [60]
X-Country-Chain: POLAND->ITALY->destination

HELO: microsoft.com
REVDNS: sp121.neoplus.adsl.tpnet.pl
FROM: [EMAIL PROTECTED]
ORIGIN COUNTRY: Poland
(From, Reply-To and Sender are completely different)

But maybe this is already part of some heuristic/future tests?

Markus
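Added example, not code from this thread or from Declude: a small scorer for the HELO / REVDNS / MAIL FROM consistency test that Markus sketches here and refines in his later reply (points added on mismatch, negative weight when everything agrees), run over the triples quoted in this thread. The base_domain() rule, the weights, the PROTECTED_DOMAINS list and the replacement addresses for the redacted ones are all assumptions.

```python
# Added example: weighted "integrity" test over HELO, REVDNS and MAIL FROM.
# Weights, PROTECTED_DOMAINS and base_domain() are assumptions, not Declude's.

# Domains that spammers like to put in HELO (constructed list, taken from the
# thread's own examples); a HELO claiming one of these must be backed by REVDNS.
PROTECTED_DOMAINS = {"microsoft.com", "ebay.com", "amazon.com"}


def base_domain(host: str) -> str:
    """Return the last two labels of a hostname or address domain.

    Simplification: no public-suffix list, so 'arti.vub.ac.be' yields 'ac.be'.
    A missing REVDNS ('') yields ''.
    """
    labels = host.lower().strip().rstrip(".").split(".")
    return labels[0] if len(labels) < 2 else ".".join(labels[-2:])


def integrity_weight(helo: str, revdns: str, mail_from: str):
    """Return (weight, reasons); positive = inconsistent, negative = consistent."""
    helo_d = base_domain(helo)
    rev_d = base_domain(revdns) if revdns else ""
    from_d = base_domain(mail_from.rsplit("@", 1)[-1])
    if helo_d == rev_d == from_d:
        return -5, ["HELO, REVDNS and MAIL FROM domain all agree"]
    weight, reasons = 0, []
    if helo_d in PROTECTED_DOMAINS and rev_d != helo_d:
        weight += 10  # HELO borrows a well-known name that REVDNS does not back
        reasons.append(f"HELO claims {helo_d} but REVDNS is {rev_d or 'missing'}")
    elif helo_d != rev_d:
        weight += 3  # ordinary HELO/REVDNS disagreement
        reasons.append(f"HELO {helo_d} does not match REVDNS {rev_d or 'missing'}")
    if from_d not in (helo_d, rev_d):
        weight += 2  # e.g. mail relayed through a travel ISP: a few points, not a hold
        reasons.append(f"MAIL FROM domain {from_d} matches neither HELO nor REVDNS")
    return weight, reasons


if __name__ == "__main__":
    # Triples from the messages in this thread; redacted addresses replaced
    # with constructed ones, and the missing REVDNS of the first one left empty.
    samples = [
        ("microsoft.com", "", "someone@gundamfan.com"),
        ("arti.vub.ac.be", "h222n2fls34o834.telia.com", "allen@example.ca"),
        ("microsoft.com", "sp121.neoplus.adsl.tpnet.pl", "ketygukyt@example.net"),
        ("mail.earthlink.net", "smtp.earthlink.net", "reservations@airline.example"),
    ]
    for helo, rev, frm in samples:
        print(helo, rev or "-", frm, "->", integrity_weight(helo, rev, frm))
```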
Re: [Declude.JunkMail] Integrity Checker
> So HELO of Microsoft.com should only be allowed if REVDNS is also Microsoft and email is Microsoft.com. Or can we do this already?

That sounds like it would be a good extension to the SPAMDOMAINS test (which checks for return address and reverse DNS matches).

-Scott

---
Declude JunkMail: The advanced anti-spam solution for IMail mailservers.
Declude Virus: Catches known viruses and is the leader in mailserver vulnerability detection.
Find out what you've been missing: Ask about our free 30-day evaluation.
[Declude.JunkMail] Integrity Checker
Hi;

I wonder if a test could be set up that checks for the integrity of the email. For example:

===
X-Declude-Sender: [EMAIL PROTECTED] [67.121.210.25]
X-Declude-Spoolname: D17aa0bbd0062ac07.SMD
X-Note: This E-mail was scanned & filtered by Declude [1.76i5] for SPAM & virus.
X-Weight: 13
X-Hello: microsoft.com
===

Why should @gundamfan.com have a HELO of microsoft.com?

Perhaps an extension of SPAMDOMAINS where one could specify the email, and the REVDNS could also be extended to HELO. So HELO of Microsoft.com should only be allowed if REVDNS is also Microsoft and email is Microsoft.com. Or can we do this already?

Regards,
Kami