I tried rules like this on Received lines, but got too many false positives.
Legitimate email originating from broadband users was being penalized, even if
they used their ISP's relay. So I modified the rules so that only mail
directly from broadband PCs to my relay (mail1.rifton.com) is penalized. This
also exonerates broadband users who run real mail relays with reverse DNS names.
header COMCAST Received =~ /(pcp[0-9]|c\-).{5,40}\.comcast\.net.{1,80}by mail1\.rifton/
describe COMCAST possible zombie from comcast.net
score COMCAST 2.0
header ATTBI Received =~ /client2?\.attbi\.com.{1,80}by mail1\.rifton/
describe ATTBI possible zombie from attbi.com
score ATTBI 2.0
header PACBELL Received =~ /adsl.{5,40}\.pacbell\.net.{1,80}by mail1\.rifton/
describe PACBELL possible zombie from pacbell.net
score PACBELL 2.0
header SHAWCABL Received =~ /h(?:24|68).{5,40}\.shawcable\.net.{1,80}by mail1\.rifton/
describe SHAWCABL possible zombie from shawcable.net
score SHAWCABL 2.0
and the same for RoadRunner, Adelphia, OptOnline, Videotron...
I suppose Chris's big regex could be modified to include "by
this.relay.domain.com" at the end for a similar effect.
Pierre Thomson
BIC
-----Original Message-----
From: Chris Santerre [mailto:[EMAIL PROTECTED]
Sent: Tuesday, March 30, 2004 10:11 AM
To: 'Kai'; [EMAIL PROTECTED]
Subject: RE: rules to catch dynamic-IP (dsl/cable/dialup) hosts
I haven't been following this thread very closely. But here is what I use:
(Watch word wrap)
header MY_DSL Received =~ /(?:\.atlantabroadband\.com|customer|ppp|poole?s?|modem|cable|node|adsl|dial|dsl|client|(twcny|insight|tampabay|maine|nyc|nc|cinci)\.rr\.com|vc\.shawcable\.net|se\.client..?\.attbi\.com|\.(east|west)\.verizon\.net|(nj|sc)\.comcast\.net|\.dis\.net|\.charter\.com|metropolis\-inter\.com)/i
describe MY_DSL Contains likely dsl address in header
score MY_DSL 2.0
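An added illustration, not part of either message in the thread: the script below runs Pierre's relay-anchored rules and Chris's unanchored MY_DSL rule over a few constructed Received headers (made-up hostnames, documentation IP ranges) to show the false positive Pierre describes. A broadband PC that hands its mail to the ISP's outbound relay only appears in the hop recorded by that relay, never next to "by mail1.rifton", so the anchored rules stay quiet while MY_DSL still fires. The script scores each Received line separately, which is a simplification of how SpamAssassin applies header rules, and "mail1.rifton" is the relay name from the page; substitute your own.

```python
import re

# Pierre's rules, anchored on "by mail1\.rifton" (his relay, as given on the
# page; replace with your own relay's name).
ANCHORED_RULES = {
    "COMCAST": (re.compile(r"(pcp[0-9]|c\-).{5,40}\.comcast\.net.{1,80}by mail1\.rifton"), 2.0),
    "ATTBI": (re.compile(r"client2?\.attbi\.com.{1,80}by mail1\.rifton"), 2.0),
    "PACBELL": (re.compile(r"adsl.{5,40}\.pacbell\.net.{1,80}by mail1\.rifton"), 2.0),
    "SHAWCABL": (re.compile(r"h(?:24|68).{5,40}\.shawcable\.net.{1,80}by mail1\.rifton"), 2.0),
}

# Chris's rule: matches a broadband-looking name anywhere in any Received line.
UNANCHORED_RULES = {
    "MY_DSL": (re.compile(
        r"(?:\.atlantabroadband\.com|customer|ppp|poole?s?|modem|cable|node|adsl|dial"
        r"|dsl|client|(twcny|insight|tampabay|maine|nyc|nc|cinci)\.rr\.com|vc\.shawcable\.net"
        r"|se\.client..?\.attbi\.com|\.(east|west)\.verizon\.net|(nj|sc)\.comcast\.net"
        r"|\.dis\.net|\.charter\.com|metropolis\-inter\.com)", re.I), 2.0),
}

# Constructed Received headers (hostnames and addresses are made up), listed
# newest-first as they would appear in the message.
SAMPLES = {
    # A cable-modem host delivering straight to the relay: both styles fire.
    "direct_comcast": [
        "from pcp01234pcs.nj.comcast.net (pcp01234pcs.nj.comcast.net [203.0.113.5])"
        " by mail1.rifton.com (Postfix) with SMTP id 0001; Tue, 30 Mar 2004 10:00:00 -0500",
    ],
    # The same host sending through its ISP's outbound relay.  The PC's name
    # only appears in the hop the ISP recorded, so the anchored rule is quiet
    # and only MY_DSL fires (Pierre's false positive).
    "relayed_comcast": [
        "from relay.comcast.net (relay.comcast.net [198.51.100.7])"
        " by mail1.rifton.com (Postfix) with ESMTP id 0002; Tue, 30 Mar 2004 10:05:00 -0500",
        "from pcp01234pcs.nj.comcast.net (pcp01234pcs.nj.comcast.net [203.0.113.5])"
        " by relay.comcast.net (8.12.10) with SMTP id 0003; Tue, 30 Mar 2004 10:04:00 -0500",
    ],
    # A DSL host delivering directly: both styles fire.
    "direct_pacbell": [
        "from adsl-64-1-2-3.dsl.example.pacbell.net (adsl-64-1-2-3.dsl.example.pacbell.net"
        " [203.0.113.9]) by mail1.rifton.com (Postfix) with SMTP id 0004; Tue, 30 Mar 2004 10:08:00 -0500",
    ],
    # An ordinary corporate mail server: neither style fires.
    "corporate_relay": [
        "from mail.example.org (mail.example.org [192.0.2.10])"
        " by mail1.rifton.com (Postfix) with ESMTP id 0005; Tue, 30 Mar 2004 10:10:00 -0500",
    ],
}


def score(received_lines, rules):
    """Apply each rule to every Received line on its own and add up the
    scores of the rules that hit.  Returns (total, sorted rule names)."""
    total, hits = 0.0, []
    for name, (pattern, points) in rules.items():
        if any(pattern.search(line) for line in received_lines):
            total += points
            hits.append(name)
    return total, sorted(hits)


def compare(samples=SAMPLES):
    """Map each scenario to (anchored score, unanchored score)."""
    return {
        label: (score(lines, ANCHORED_RULES)[0], score(lines, UNANCHORED_RULES)[0])
        for label, lines in samples.items()
    }


if __name__ == "__main__":
    for label, (anchored, unanchored) in compare().items():
        print(f"{label:16s} anchored={anchored:.1f} unanchored={unanchored:.1f}")
```

Running it shows relayed_comcast scoring 0.0 under the anchored rules and 2.0 under MY_DSL, while the two direct deliveries score 2.0 under both. The ".{1,80}" between the client name and "by mail1.rifton" is what keeps a match inside a single hop; dropping it, or adding a flag that lets "." match newlines, would let the client name in one Received line pair up with "by mail1.rifton" in a later one and bring the false positives back.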