Hi Matt:
Yes, I understand that RevDNS is not a universal solution. That's why I proposed that WHOIS and/or RevDNS was checked against a list of "excepted" RevDNS entries to then decide if human approval and/or review is necessary. The goal is simply to present questionable rules for review by some intelligent being, who can be trained to recognize unique circumstances such as RoadRunner rather than letting some "bot" come up with nonsensical rules (in view of realities).

Best Regards,
Andy Schmidt

From: Message Sniffer Community [mailto:[EMAIL PROTECTED] On Behalf Of Matt
Sent: Tuesday, April 03, 2007 1:38 PM
To: Message Sniffer Community
Subject: [sniffer] Re: How to incorporate a white list?

Agreed, however reverse DNS is not a universal solution as things like RR accounts will come from the same base domain as RR spam zombies, and you would otherwise have to track down each unique reverse DNS entry. I would test a connection to the SMTP server instead. Most of these servers will at least respond. So if a domain like yahoo.com, gmail.com, rr.com, etc. is found in the reverse DNS for a new IP rule, you would then check to see if it at least responded to a port 25 connection, and if it did, skip that rule.

Note that I score IP rules at half the weight of the others. There are more common issues with international ISPs and webmail providers than with things like yahoo.com, gmail.com, rr.com, etc. Many don't get a lot of international traffic so they don't notice it.

Matt

Andy Schmidt wrote:

Hi,

Unless I'm mistaken, rule 1370762 was targeting the same address range.

If I may make a suggestion: Before the spam-trap robots are allowed to block major, well-known and easily recognizable email providers, how about the robot script pulls a WHOIS and a Reverse DNS and runs that data against a table of "can't block" entities - or at least spits those out for "human review". If that can't be done, then how about the robots issue an hourly report of "suspect" IPs.
A no-brainer script can pull matching WHOIS and RevDNS for quick human review and overriding (if necessary). I would rather those obvious bad rules are caught before or very quickly after they go live. There is always some delay before I get first reports until I realize that this is a "real" problem. Then I have to try to get headers from end-users before I can dig into logs... Hours and hours pass (especially if it's overnight events). In the meantime the problem escalates all around me.

Thanks,
Andy

-----Original Message-----
From: Message Sniffer Community [mailto:[EMAIL PROTECTED] On Behalf Of Pete McNeil
Sent: Tuesday, April 03, 2007 11:09 AM
To: Message Sniffer Community
Subject: [sniffer] Re: How to incorporate a white list?

Hello Andy,

Tuesday, April 3, 2007, 9:36:17 AM, you wrote:

Hi Phil,

Yes, it seems as if some Sniffer rules, e.g., 1367683, are broadly targeting Google's IPs. I've submitted 3 false positive reports since last night; at least two of them were Google users, one located in the U.S. and the other in the Netherlands!

This IP rule has been pulled. FP processing will happen shortly.

_M

#############################################################
This message is sent to you because you are subscribed to the mailing list <mailto:[email protected]> <[email protected]>.
To unsubscribe, E-mail to: <mailto:[EMAIL PROTECTED]> <[EMAIL PROTECTED]>
To switch to the DIGEST mode, E-mail to <mailto:[EMAIL PROTECTED]> <[EMAIL PROTECTED]>
To switch to the INDEX mode, E-mail to <mailto:[EMAIL PROTECTED]> <[EMAIL PROTECTED]>
Send administrative queries to <mailto:[EMAIL PROTECTED]> <[EMAIL PROTECTED]>
#############################################################
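The gating the thread converges on (Andy's check of RevDNS against a list of providers that must not be blocked unattended, Matt's port-25 responsiveness test, and the hourly "suspect" report), as an added example that is not code from the thread or from Message Sniffer. The provider list is constructed, the 220-banner check is a slightly stricter reading of "responded to a port 25 connection", and the lookup functions are injectable assumptions so the decision logic can be exercised offline.

```python
import socket

# Constructed "review list" of providers named in the thread: an IP rule whose
# reverse DNS lands in one of these domains must not go live unattended.
REVIEW_DOMAINS = {"yahoo.com", "gmail.com", "google.com", "rr.com"}

def base_domain(hostname):
    """Reduce a PTR name to its last two labels (mail-x.google.com -> google.com)."""
    labels = hostname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else labels[0]

def reverse_dns(ip):
    """PTR lookup; None when the address has no reverse entry."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror):
        return None

def smtp_responds(ip, timeout=5.0):
    """Matt's test, tightened: accept a port-25 connection and greet with SMTP 220."""
    try:
        with socket.create_connection((ip, 25), timeout=timeout) as sock:
            return sock.recv(64).startswith(b"220")
    except OSError:  # refused, unreachable, or timed out (socket.timeout is OSError)
        return False

def triage_rule(ip, rdns=reverse_dns, smtp=smtp_responds):
    """Decide whether a robot-generated IP rule may go live: returns (decision,
    reason) with decision "auto", "skip" or "review"; rdns/smtp are injectable."""
    host = rdns(ip)
    if host is None:
        return "auto", "no reverse DNS; not a recognizable provider"
    domain = base_domain(host)
    if domain not in REVIEW_DOMAINS:
        return "auto", f"{host} is not on the review list"
    # One base domain covers both real mail servers and spam zombies (the RR
    # case); a live SMTP listener marks the former, so skip that rule.
    if smtp(ip):
        return "skip", f"{host} answers on port 25; likely a real {domain} mail server"
    return "review", f"{host} matches {domain} but port 25 is closed; needs a human"

def suspect_report(candidates, rdns=reverse_dns, smtp=smtp_responds):
    """Hourly-report variant from the thread: (rule_id, ip, reason) for human review."""
    report = []
    for rule_id, ip in candidates:
        decision, reason = triage_rule(ip, rdns, smtp)
        if decision == "review":
            report.append((rule_id, ip, reason))
    return report
```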
