Thanks.  Good information.  But the two email notes in question were from
clients and were personal notes.  Definitely not listserv broadcasts.  And
one was from a valid address at sbcglobal.net.  

Also, the DNS explanation makes sense.  But where do all these IP addresses
that were in the original config.xml file fit into the picture?  Where did
these come from?  Were they simply a snapshot in time of some known bad IPs
that could easily become good a few years later?

         <mailet match="SenderInFakeDomain=64.55.105.9,64.94.110.11,194.205.62.122,194.205.62.62,195.7.77.20,206.253.214.102,212.181.91.6,219.88.106.80,194.205.62.42,216.35.187.246,203.119.4.6" class="ToProcessor">


Jerry

-----Original Message-----
From: Renen Watermeyer [mailto:[EMAIL PROTECTED] 
Sent: Friday, June 30, 2006 5:15 AM
To: James Users List; Serge Knystautas
Subject: Re: False Positives on "SenderInFakeDomain"?

Also, many list servers spoof the from domain when they send mail on
behalf of a third party. Generally, these list servers don't bother to
bind a DNS entry to their mail server - in which case you might find
that you get false positives.

On 6/30/06, Serge Knystautas <[EMAIL PROTECTED]> wrote:
> On 6/29/06, JWM <[EMAIL PROTECTED]> wrote:
> > I have been using the default matcher for "SenderInFakeDomain" ever since I
> > installed James. I've never been aware of any problems with it.  But in the
> > last week, I've had at least two hits on apparently perfectly valid emails.
> > One was from sbcglobal.net.  Both were from people known by the recipient.
> >
> > Where did that list of fake ip addresses that were shipped in the config
> > file originate?  Is it possible that these IPs have changed and some have
> > become legit?
> >
> > I would think that somehow the sender was hacking and spoofing.  But that is
> > almost an impossibility, given who the senders were.
> >
> > Can someone enlighten me on what may be happening here?  Is that simply not
> > a trustworthy matcher to filter email out?
>
> What it's doing is looking up the domain of the incoming email
> address.  The point is that if you get a message from
> [EMAIL PROTECTED] and lokitech.com does not exist or is not
> configured for mail, then there's a high chance this is a fake email.
>
> The one scenario that causes a problem for this approach is when a domain
> has temporary DNS problems.  This could be why your recipients were
> getting bounced.  Normally it is a good check, but others might be
> able to speak better as to how widely used and accepted it is.
>
> --
> Serge Knystautas
> Lokitech >> software . strategy . design >> http://www.lokitech.com
> p. 301.656.5501
> e. [EMAIL PROTECTED]
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: [EMAIL PROTECTED]
> For additional commands, e-mail: [EMAIL PROTECTED]
>
>
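
The sender-domain check described in the quoted reply, as an added example that is not part of the thread and is not James's own code: it separates a domain that does not exist or has no mail hosts from a lookup that failed temporarily, so a DNS outage defers the message instead of marking it fake. The names (check_sender, Verdict, TemporaryDNSError), the injected resolver and the sample domains are hypothetical, and treating the configured IP list as addresses that mark a domain as fake when its mail hosts resolve to them is an assumption.

```python
# Added illustration; not James source code. The resolver is injected so the
# sample runs offline against constructed DNS answers.
from enum import Enum

class Verdict(Enum):
    ACCEPT = "accept"
    FAKE = "fake"          # domain missing, not set up for mail, or on the IP list
    TEMPFAIL = "tempfail"  # DNS outage: defer instead of rejecting

class TemporaryDNSError(Exception):
    """Hypothetical error a resolver raises on timeout or SERVFAIL."""

def check_sender(address, resolve_mail_hosts, listed_ips):
    """Classify a sender address by the DNS state of its domain.

    resolve_mail_hosts(domain) returns the IP strings of the domain's mail
    hosts (empty if the domain does not exist or has none) and raises
    TemporaryDNSError when the lookup itself failed.
    """
    local, sep, domain = address.rpartition("@")
    if not sep or not local or not domain:
        return Verdict.FAKE  # no usable domain part
    try:
        ips = resolve_mail_hosts(domain.lower().rstrip("."))
    except TemporaryDNSError:
        return Verdict.TEMPFAIL  # a transient failure says nothing about the sender
    if not ips:
        return Verdict.FAKE
    if any(ip in listed_ips for ip in ips):
        return Verdict.FAKE  # assumption: listed addresses mark a fake domain
    return Verdict.ACCEPT

# Constructed DNS data (documentation IP ranges and reserved example domains).
SAMPLE_DNS = {
    "example.com": ["192.0.2.10"],
    "catchall.example": ["203.0.113.6"],  # resolves to a listed address
    "nomail.example": [],
}
LISTED = {"203.0.113.6"}

def sample_resolver(domain):
    if domain == "flaky.example":
        raise TemporaryDNSError(domain)
    return SAMPLE_DNS.get(domain, [])

if __name__ == "__main__":
    for sender in ("a@example.com", "b@nomail.example",
                   "c@catchall.example", "d@flaky.example"):
        print(sender, check_sender(sender, sample_resolver, LISTED).value)
```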
