spf-discuss

Re: related to "mxout": a 3-step antispam rule that stops zombie spam

2004-04-21 16:29:34
Meng Weng Wong wrote:

> I would like to mention that our single most successful antispam
> rule at Pobox is "does it look like a broadband host". We can tell if a
> machine is a broadband host simply by checking if the hostname
> contains the IP address. Broadband machines usually PTR to
> something like
>
>   6535215hfc174.tampabay.rr.com
>   c-24-8-173-129.client.comcast.net

I use the same logic. With but a handful of regex rules to identify a rogue
broadband PTR, I literally reject thousands of spams a day. I make an
exception if the HELO string is a "normal" domain name, and that HELO string
resolves to the connecting IP (my reasoning is: people with a static IP who
went through the trouble of registering a domain name, deserve a little
extra credit).

I also use a very handy HELO test of my own design. And it is super
effective! When I have a valid HELO name and a valid PTR, I check to see
whether both end in a valid country-code TLD; and, if so, whether they
match. If not, I reject the message. Like so:

EHLO arti.vub.ac.be
--- 250-asarian-host.net Hello 217-162-19-122.dclient.hispeed.ch
[217.162.19.122], pleased to meet you

550 5.7.1 <mmaloneaj(_at_)onlinehome(_dot_)de>... Go away, spammer! 
[217.162.19.122]:
"Belgium" [.be HELO] != "Switzerland" [.ch PTR]

Like I said, it is extremely effective. Here, in Europe (the Netherlands), I
have noticed that spammers try and use domain names of your local country's
major ISPs (presumably in the hope you will have them whitelisted). In
America this rule might, therefore, do less for you; but, here in Europe, it
is a sure spam killer! And safe too. With a "granularity" of an entire
country difference, I have yet to see my first false positive. This rule
alone, and on its own, already stops over 60% of all spam.

Cheers!

- Mark

        System Administrator Asarian-host.org

---
"If you were supposed to understand it,
we wouldn't call it code." - FedEx
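The two heuristics in the post above (a "broadband-looking" PTR with a HELO exception, and the HELO/PTR country-code mismatch), written out as an added Python example. This is not Mark's code; his regexes and the order he runs the checks in are not given in the post, so the token list, the country table, the ordering (ccTLD test first, then the PTR test) and the injected `resolve` callback are all assumptions made here so that the example runs offline.

```python
"""Added example: a 3-step HELO/PTR anti-spam rule in the spirit of Mark's
spf-discuss post. Patterns, country table and check order are assumptions."""
import re

# Step 1 helper: tokens typical of consumer-ISP reverse DNS names.
# Assumed sample list, not the rules Mark runs.
DYNAMIC_TOKENS = re.compile(
    r"(?<![a-z])(dhcp|dynamic|dyn|pool|ppp|dsl|cable|client|hfc)(?![a-z])", re.I)

# Step 2 helper: small assumed subset of ccTLDs for the illustration.
CCTLD = {"be": "Belgium", "ch": "Switzerland", "nl": "Netherlands",
         "de": "Germany", "fr": "France", "uk": "United Kingdom"}


def ptr_embeds_ip(ptr, ip):
    """True when the PTR name contains the connecting IPv4 address in a
    common encoding: dotted, dashed, concatenated, zero-padded or reversed."""
    octets = ip.split(".")
    if len(octets) != 4:
        return False
    host = ptr.lower().rstrip(".")
    forms = set()
    for seq in (octets, list(reversed(octets))):
        for sep in (".", "-", ""):
            forms.add(sep.join(seq))
        forms.add("-".join(o.zfill(3) for o in seq))  # e.g. 024-008-173-129
    return any(f in host for f in forms)


def looks_broadband(ptr, ip):
    """Mark's step 1: does the reverse name look like a broadband host?"""
    return ptr_embeds_ip(ptr, ip) or bool(DYNAMIC_TOKENS.search(ptr))


def normal_helo(helo):
    """A 'normal' HELO: a dotted hostname, not an address literal."""
    h = helo.strip().lower()
    if not h or "." not in h or h.startswith("["):
        return False
    return re.fullmatch(r"\d+(\.\d+){3}", h) is None


def cctld(name):
    """Return the two-letter country code a name ends in, or None."""
    label = name.lower().rstrip(".").rsplit(".", 1)[-1]
    return label if label in CCTLD else None


def check_session(helo, ptr, ip, resolve):
    """Return None to accept, or a rejection reason string.

    `resolve(hostname)` must return a list of IPv4 strings; it is injected so
    the example runs offline (in production it would wrap a DNS lookup)."""
    # Step 2 (cheap, no DNS): both names end in a ccTLD but the countries differ.
    if normal_helo(helo) and ptr:
        h, p = cctld(helo), cctld(ptr)
        if h and p and h != p:
            return f'"{CCTLD[h]}" [.{h} HELO] != "{CCTLD[p]}" [.{p} PTR]'
    # Step 1: broadband-looking PTR, unless a normal HELO resolves to the IP.
    if looks_broadband(ptr, ip):
        if not (normal_helo(helo) and ip in resolve(helo)):
            return f"broadband PTR {ptr} without a HELO that resolves to {ip}"
    return None


if __name__ == "__main__":
    # Constructed session matching the one quoted in the post; no real DNS.
    offline = lambda host: []
    print(check_session("arti.vub.ac.be",
                        "217-162-19-122.dclient.hispeed.ch",
                        "217.162.19.122", offline))
```

The `resolve` parameter is the only place the rule touches the network; keeping it injectable makes the decision logic testable and keeps a slow or failing DNS lookup from being confused with a policy result.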