[Mimedefang] Re: $RelayHostname not matching sendmail's Received header?
Scott Silva
ssilva at sgvwater.com
Mon Dec 11 11:40:51 EST 2006
WBrown at e1b.org spake the following on 12/11/2006 8:11 AM:
> Jeff wrote on 12/09/2006 04:57:51 PM:
>
>> So, when my server sends e-mail, it uses "saber.nabs.net" as its
>> "EHLO", and the connection comes from 71.246.216.107. "host
>> saber.nabs.net" returns 71.246.216.107, which is the same IP that the
>> connection comes from. So far, so good.
>>
>> But, "host 71.246.216.107" returns:
>> static-71-246-216-107.washdc.fios.verizon.net.
>>
>> This hits on just about every "is this a generic rDNS" regex. But, as
>> you can see by the name, it's not likely to be a dialup/dynamic, etc.
>>
>> So, I vote for any change to the Botnet code that ends up with my type
>> of situation (which is pretty much what Jan-Pieter was also describing)
>> not getting rejected.
>
> Since many home dialup/DSL/Cable users that want to connect to their AUP
> violating servers at home use free dynamic DNS services, I have a proposal
> to help separate them from the legit servers like Jeff describes.
>
> The free dynamic DNS servers usually have very short TTL values, and
> presumably, a legitimate server like saber.nabs.net has a more reasonable
> (greater than 2 hour) value. By checking the TTL, you can help weed out
> the bogus servers without blocking small business mail servers on DSL/etc
> connections.
>
> Another test might be to see who hosts their DNS, but that might be more
> problematic. If it is a known free, dynamic DNS server, regardless of
> TTL, would that be a spam indicator?
That is why I don't score botnet as high as the default. I want the actual
mail content to contribute something to its being tagged.
That way if I get a botnet hit at say 2.0, either a bayes_99 or a hit on a
digest will send it way over. But if it hits only botnet, and nothing else, it
can pass. I score low spam at 3, so a score of 2.0 in the botnet meta rule
gets it close. I would suggest that the botnet meta rule would have its name
extended slightly, so a grep for its name doesn't hit all the botnet rules
without having to egrep with a regex. Maybe botnet_meta or something like that.
I think I have enough good rules that score well, but I like the extra
percentage that I can get with this plugin.
--
MailScanner is like deodorant...
You hope everybody uses it, and
you notice quickly if they don't!!!!
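The checks discussed in this thread, written out as an added example (this is not code from the thread, from MIMEDefang or from the SpamAssassin Botnet plugin): a generic-rDNS pattern hit is the raw "botnet" indicator, and WBrown's proposal is applied as a mitigation, suppressing the hit when the HELO name resolves back to the connecting IP and the HELO name's A record carries a TTL above two hours. The IP and host names from Jeff's message are reused as one test case; the TTL for saber.nabs.net, the dynamic-DNS host names, the TEST-NET addresses and the regex list are constructed for the example, and reading the TTL check as applying to the HELO name's forward record (the record a free dynamic DNS service would serve) is an assumption, not something the thread settles.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Illustrative "generic rDNS" patterns; the Botnet plugin's own list is not
# reproduced here. Pattern 1 catches ISP pool words, pattern 2 an IP spelled
# into the name with dots or dashes (e.g. 71-246-216-107).
GENERIC_RDNS_PATTERNS = [
    re.compile(r"(?:^|[.-])(?:static|dynamic|dyn|dhcp|pool|dial(?:up)?|dsl|cable|fios|ppp)(?:[.-]|$)", re.I),
    re.compile(r"(?:^|[.-])\d{1,3}[.-]\d{1,3}[.-]\d{1,3}[.-]\d{1,3}(?:[.-]|$)"),
]

MIN_TRUSTED_TTL = 2 * 3600  # WBrown's "greater than 2 hour" threshold, in seconds


@dataclass
class SenderDns:
    """Pre-resolved DNS facts about one SMTP connection (no network I/O here)."""
    ip: str                            # connecting address
    helo: str                          # name given in EHLO/HELO
    helo_forward_ips: Tuple[str, ...]  # what "host <helo>" returns
    helo_ttl: Optional[int]            # TTL of the HELO name's A record (assumed locus of the TTL check)
    rdns: Optional[str]                # what "host <ip>" returns, None if no PTR


def helo_forward_confirmed(s: SenderDns) -> bool:
    """HELO name resolves to the IP the connection actually came from."""
    return s.ip in s.helo_forward_ips


def rdns_looks_generic(name: Optional[str]) -> bool:
    """True when the PTR name matches any generic/dynamic-looking pattern."""
    if name is None:
        return False
    name = name.rstrip(".")  # "host" prints a trailing dot
    return any(p.search(name) for p in GENERIC_RDNS_PATTERNS)


def botnet_indicator(s: SenderDns) -> Tuple[bool, List[str]]:
    """Return (hit, reasons). hit=True means the host looks like a bot or
    dynamic client; a forward-confirmed HELO plus a long forward TTL
    suppresses the hit, which is the thread's proposed refinement."""
    if s.rdns is None:
        return True, ["no PTR record for connecting IP"]
    if not rdns_looks_generic(s.rdns):
        return False, ["rDNS name not generic"]
    reasons = [f"generic rDNS: {s.rdns}"]
    confirmed = helo_forward_confirmed(s)
    long_ttl = s.helo_ttl is not None and s.helo_ttl > MIN_TRUSTED_TTL
    if confirmed and long_ttl:
        reasons.append("HELO forward-confirmed and forward TTL > 2h: hit suppressed")
        return False, reasons
    if not confirmed:
        reasons.append("HELO does not resolve to connecting IP")
    if not long_ttl:
        reasons.append(f"forward TTL {s.helo_ttl} too short or unknown (dynamic DNS?)")
    return True, reasons


def example_cases() -> Dict[str, Tuple[bool, List[str]]]:
    """Constructed connections: Jeff's server, a dynamic-DNS home box, a host
    with no PTR, and an ordinary mail host. TTLs and the .invalid names are
    made up for the example."""
    cases = {
        "jeff": SenderDns("71.246.216.107", "saber.nabs.net", ("71.246.216.107",),
                          86400, "static-71-246-216-107.washdc.fios.verizon.net."),
        "dyndns_home": SenderDns("203.0.113.45", "homebox.dyndns-example.invalid",
                                 ("203.0.113.45",), 60, "203-0-113-45.dyn.example.invalid"),
        "no_ptr": SenderDns("198.51.100.7", "bot.example.invalid", (), None, None),
        "plain": SenderDns("192.0.2.10", "mail.example.invalid", ("192.0.2.10",),
                           3600, "mail.example.invalid"),
    }
    return {name: botnet_indicator(s) for name, s in cases.items()}


if __name__ == "__main__":
    for name, (hit, reasons) in example_cases().items():
        print(f"{name:12s} hit={hit}  " + "; ".join(reasons))
```

Running it shows Jeff's host losing its botnet hit despite the `static-...fios` PTR, while the dynamic-DNS box with a 60-second TTL keeps it; the result would then feed a low-weight meta rule of the kind Scott describes, so that the mail body still has to contribute before the message is tagged.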