Marc Perkel wrote:


John Rudd wrote:
Loren Wilton wrote:
the last byte of the return is a number from 1-255.  This is the hosts

1 means "not only have we never seen ham come from this host, it has all kinds of danger signals that indicate you shouldn't ever trust them to do anything useful".

You probably really need one bit somewhere that says "this is a client PC" or something like that.

If you think about it, the average home PC that is a zombie sends absolutely nothing but spam to everyone but its owning ISP, so deserves a 1 rating by your posited rule. But the owning ISP also sees actual legit mail from the clueless owner of the system that has no idea that the PC is sending zillions of spam messages every second while he is uploading pictures from his most recent party. So the owning ISP will want to rate that PC as somewhere between 255 and 2.

There needs to be some way to resolve the fact that one major ISP sees this as a slightly valid system, but everyone else sees it as absolute junk.

I think this is already a solved problem.

Most MTAs already have an ability to whitelist local/client IPs. So, the bit in question wouldn't be necessary. You tell Sendmail, via the access file, that this is an "OK" block of network addresses, and use delayed checks for RBLs ... now sendmail won't block those addresses. With CGP, you tell CGP that it's a "client" address range, and same thing (or, if you do this via a CGP plugin, then you only submit messages to the CGP plugin if they're "not trusted").

I would imagine that postfix, qmail, etc., all have similar constructs ... otherwise, they're extremely deficient in their RBL handling.


For SA, if I were to write a plugin for this type of thing, it wouldn't trigger against IPs that are in my trusted_networks.


One feature that would be nice is to take advantage of the yellow listing in my hostkarma dns list. Yellow listing means that the source is a mixed source that sends some spam (yahoo, hotmail, gmail), and the idea is that if it is yellow listed to stop checking other blacklists. This reduces false positives and reduces network calls.

It is my hope that someone steal my idea of doing these lists the way I do and do a better job of it than me. I have some really simple ways of generating these lists that are extremely accurate.



A host you would yellow list would be a host that would show up in this proposed list with a middling score, I think. I don't think there'd be any other need to link the two concepts.
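
The lookup order discussed in this thread (skip trusted client ranges, stop at a yellow-listed host, otherwise query the remaining blacklists), as an added example that is not code from any poster or from SpamAssassin. The zone names, listings and addresses are constructed, and DNS is replaced by an in-memory table so it runs offline.

```python
import ipaddress

# Constructed data: zone names and listings are hypothetical, not real DNSBL contents.
TRUSTED_NETWORKS = [ipaddress.ip_network("192.0.2.0/24")]  # local/client ranges
YELLOW_ZONE = "yellow.example"
BLACKLIST_ZONES = ["bl1.example", "bl2.example", "bl3.example"]
FAKE_DNS = {
    ("198.51.100.7", "yellow.example"): True,  # mixed source, sends ham and spam
    ("198.51.100.7", "bl2.example"): True,     # listing that would be a false positive
    ("203.0.113.9", "bl1.example"): True,      # spam-only host
    ("203.0.113.9", "bl3.example"): True,
}


class Resolver:
    """Stand-in for DNS list lookups that counts how many queries are made."""

    def __init__(self, table):
        self.table = table
        self.queries = 0

    def listed(self, ip, zone):
        self.queries += 1
        return self.table.get((ip, zone), False)


def check_host(ip, resolver):
    """Return (verdict, blacklist_zones_hit) for a connecting IP."""
    addr = ipaddress.ip_address(ip)
    # 1. Local/client addresses are never submitted to the lists at all.
    if any(addr in net for net in TRUSTED_NETWORKS):
        return "trusted", []
    # 2. A yellow-listed (mixed) source ends the lookups: no blacklist is queried.
    if resolver.listed(ip, YELLOW_ZONE):
        return "yellow", []
    # 3. Everything else is checked against every blacklist zone.
    hits = [zone for zone in BLACKLIST_ZONES if resolver.listed(ip, zone)]
    return ("blacklisted" if hits else "unlisted"), hits


if __name__ == "__main__":
    r = Resolver(FAKE_DNS)
    for ip in ("192.0.2.15", "198.51.100.7", "203.0.113.9"):
        print(ip, check_host(ip, r), "queries so far:", r.queries)
```
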

