RE: [Declude.JunkMail] Filtering for HELOs that are IP Addresses

2004-05-19 Thread Mike Hyslip








I think some folks had some custom rules that did this, but I think they also
looked for numbers between dashes, such as 201-34-98-103..xxx

Maybe some others can shed a bit more light than I :)

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dan Geiser
Sent: Wednesday, May 19, 2004 9:28 AM
To: [EMAIL PROTECTED]
Subject: [Declude.JunkMail] Filtering for HELOs that are IP Addresses

Hello, All,

I am considering creating a filter file that looks for HELO strings that are
IP addresses.  I was going to do something along the lines of the
following...

# // JunkMail.05.Filter.Helo.IP.txt //

# 
# == Add Points To Total Weight ==
# 

# -- Untrusted HELOs 

#  HELOs That Are IP Addresses 

HELO 100 CONTAINS 0.1
HELO 100 CONTAINS 0.2
HELO 100 CONTAINS 0.3
HELO 100 CONTAINS 0.4
HELO 100 CONTAINS 0.5
HELO 100 CONTAINS 0.6
HELO 100 CONTAINS 0.7
HELO 100 CONTAINS 0.8
HELO 100 CONTAINS 0.9

In here are also HELO 100 CONTAINS [1..8.1..9]

HELO 100 CONTAINS 9.1
HELO 100 CONTAINS 9.2
HELO 100 CONTAINS 9.3
HELO 100 CONTAINS 9.4
HELO 100 CONTAINS 9.5
HELO 100 CONTAINS 9.6
HELO 100 CONTAINS 9.7
HELO 100 CONTAINS 9.8
HELO 100 CONTAINS 9.9

Am I correct in my thinking that with this filter that an IP address in the
HELO string would NOT add just 100 points to the weight of an e-mail but
instead could end up adding up to 300 points because each line would be
compared to the HELO string and if that string was 210.10.23.75, for
example, it would add 100 points for "0.1" and "0.2" and "3.7"?

Thanks In Advance,

Dan Geiser


RE: [Declude.JunkMail] Filtering for HELOs that are IP Addresses

2004-05-19 Thread Markus Gufler



Bud Durland has written a nice external test called 
HELOISIP. (see attached message)
For further information search for "HELOISIP" or "new test" 
in the archive.

Markus



  
  
---BeginMessage---
Markus;

Thanks for the detailed feedback and kind words.  I haven't had time to 
study our numbers (and I believe our statistical universe is much 
smaller than yours), but generally speaking I'm pleased with the results 
we're seeing here.

For those who are interested, I'll be posting this test for download 
from my web site (http://bud.thedurlands.com) this weekend. Don't look 
for it earlier than Sunday, but I promise it will be there.  There will 
be two executables.  The current one remains unchanged.  The additional 
test, called HELOISIPX, only fails if the HELO is a pure IP address:

  Received: from 12.107.134.252 [69.6.65.63] by mrpcap.com with ESMTP

I created this because I see quite a few messages that use an IP for the 
HELO, (and often it is MY mail server's IP).  I have never, ever, not 
once seen such a message that wasn't spam, so on my system that test 
will be weighted quite heavily.


Markus Gufler wrote:

Two days ago Bud announced HELOISIP as a new external test.

After trying this test now for 36 hours I can report the following results
for 04/15/2004

Processed messages: 9832

Hold as Spam:  4728  (48% of all messages)
Detected by HELOISIP:  1340  (28% of hold spam / 14% of all messages)

FP's from SURBL:  55
All of these 55 legit messages had a final weight below 60% of our hold
weight and so haven't caused any real FP.

91% of all spam messages caught by HELOISIP have already reached a weight 
200% of our hold weight. So having a possibility to skip this external test
if a certain weight is already reached should significantly save resources.

Good test!

Markus


  



-- 
---
illigitimi non carborundum
---
Bud Durland, CNE Mold-Rite Plastics
Network Administrator http://www.mrpcap.com
---

---
[This E-mail was scanned for viruses by Declude Virus
(http://www.declude.com)]

---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.JunkMail.  The archives can be found
at http://www.mail-archive.com.

---End Message---
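
Added example (not code from any poster in this thread or from Declude): a Python sketch comparing Dan's substring rules with a structural check in the spirit of Bud's pure-IP test and the dashed form Mike mentions. It assumes every matching CONTAINS line adds its weight, as Dan's question supposes; classify_helo, its labels and the sample HELO strings are hypothetical, and the bracketed address-literal case goes beyond what the thread covers.

```python
import ipaddress
import re

# Dan's proposed filter: one "HELO 100 CONTAINS d.d" line for every digit
# 0-9 before the dot and 1-9 after it (0.1 ... 9.9), 90 lines in all.
RULES = [f"{a}.{b}" for a in range(10) for b in range(1, 10)]

def contains_filter_weight(helo, weight=100):
    """Total weight if every matching CONTAINS line adds its points (assumed)."""
    return weight * sum(1 for needle in RULES if needle in helo)

# Four octets (0-255) joined by dots or dashes, not touching other digits.
_OCTET = r"(?:25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)"
_EMBEDDED = re.compile(rf"(?<!\d){_OCTET}(?:[.-]{_OCTET}){{3}}(?!\d)")

def _is_ipv4(text):
    try:
        ipaddress.IPv4Address(text)
        return True
    except ValueError:
        return False

def classify_helo(helo):
    """Hypothetical classifier; returns one of four labels for a HELO string."""
    helo = helo.strip()
    if _is_ipv4(helo):
        return "pure-ip"              # bare dotted quad, the HELOISIPX case
    if helo.startswith("[") and helo.endswith("]") and _is_ipv4(helo[1:-1]):
        return "address-literal"      # bracketed form that SMTP permits
    if _EMBEDDED.search(helo):
        return "embedded-ip"          # e.g. dashed octets inside a hostname
    return "hostname"

# Constructed sample HELO strings (the first is from Dan's question).
SAMPLES = ["210.10.23.75", "10.0.0.0", "[192.0.2.25]",
           "201-34-98-103.dsl.example.net", "mail3.4u.example"]

if __name__ == "__main__":
    for helo in SAMPLES:
        print(f"{helo:32} {classify_helo(helo):16} {contains_filter_weight(helo)}")
```

On the constructed samples, 10.0.0.0 scores 0 under the substring rules while the hostname mail3.4u.example scores 100; the structural check labels the first as a pure IP and the second as a hostname.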


RE: [Declude.JunkMail] Filtering for HELOs that are IP Addresses

2004-05-19 Thread Kevin Bilbee
Search the archives. I also wrote an external test, but it passes the %helo%
string from Declude. It is a .NET 1.1 app and does not add any load to my
server processing. I created my own test based on list suggestions and Bud's
mention that he did not know if he would have time to make the changes.

Here is an example of the test setup in the global.cfg
CIP-WellFormed         external 10 D:\Imail\declude\ContainsIP.exe %HELO%  0  0
CIP-OnlyIp             external 11 D:\Imail\declude\ContainsIP.exe %HELO% 14  0
CIP-FullMatch          external 12 D:\Imail\declude\ContainsIP.exe %HELO%  5  0
CIP-LeadingTextMatch   external 13 D:\Imail\declude\ContainsIP.exe %HELO%  5  0
CIP-TrailingTextMatch  external 14 D:\Imail\declude\ContainsIP.exe %HELO%  5  0

Here are my stats from yesterday on the test

Total unique messages scanned: 3648
CIP-FullMatch        : 302  12.58 %  8.28 %
CIP-LeadingTextMatch :  49   2.04 %  1.34 %
CIP-OnlyIp           : 264  11.00 %  7.24 %
CIP-WellFormed       :   1   0.04 %  0.03 %

Kevin Bilbee



RE: [Declude.JunkMail] Filtering for HELOs that are IP Addresses

2004-05-19 Thread Kevin Bilbee
Oh, if anyone wants the exe, let me know and I will post it on my HoldAnalyzer
site.
