spf-discuss

Re: Re: related to "mxout": a 3-step antispam rule that stops zombiespam

2004-04-21 18:11:21
Lloyd Zusman wrote:

I would like to mention that our single most successful antispam
rule at Pobox is "does it look like a broadband host". We can tell
if a machine is a broadband host simply by checking if the hostname
contains the IP address. Broadband machines usually PTR to
something like

  6535215hfc174.tampabay.rr.com
  c-24-8-173-129.client.comcast.net

I use the same logic. With but a handful of regex rules to identify a
rogue broadband PTR, I literally reject thousands of spams a day.
[ ... ]

This seems like a great idea, and I'd like to start doing the same
filtering. I don't know much about broadband PTR's, and it would save
me a lot of learning time if you would be willing to share your regex
rules. Would you be willing to do this? I'm sure that others would
like to see your rules, as well.

Checking my code, it turns out it is actually but a single regex. :) (the
code around is just exempting rules). It will undoubtedly wrap in this
email; so, unwrap it first before using it!

/\b[a-z]*?(\d{1,3}[.-]\d{1,3}[.-]\d{1,3}|([a-z]?dsl(am)?|dhcp|tnt|ipt|pool|n
as|cvx|leased|slip|subscriber|d[iu]p|modem(cable)?|ppp(oe)?|dyn(amic)?|dial(
up)?|cust(omers?)?|(end)?users?|d?cliente?)\d*?)\b/i

Mind you that matches are within boundaries; so it is not as rigid as it may
seem. For instance, looking at "pool", this will not match
"poolcleaners.com", but it WOULD match "pool-34.yaddaydda.com".

Let me reiterate that you should NOT use this regex stand-alone, without
further checks. You will typically need to exempt your own whitelists,
authenticated users, etc.; and, like I did, you may want to exempt a PTR if
the HELO string is a regular domain name and resolves to the connecting IP.
And, last but not least, you may want to exempt SPF-enabled addresses. :)

Cheers!

- Mark

        System Administrator Asarian-host.org

---
"If you were supposed to understand it,
we wouldn't call it code." - FedEx
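
Added example (not part of the original message, and not Mark's production code): the regex above, unwrapped, combined with the exemptions the message lists. The function names, the reading of "regular domain name" as a dotted hostname, the reading of "SPF enabled" as an SPF pass, and the sample DNS data are assumptions made for illustration.

```python
import re

# The regex from the message, unwrapped onto one logical line.
BROADBAND_PTR = re.compile(
    r"\b[a-z]*?(\d{1,3}[.-]\d{1,3}[.-]\d{1,3}|([a-z]?dsl(am)?|dhcp|tnt|ipt|pool"
    r"|nas|cvx|leased|slip|subscriber|d[iu]p|modem(cable)?|ppp(oe)?|dyn(amic)?"
    r"|dial(up)?|cust(omers?)?|(end)?users?|d?cliente?)\d*?)\b",
    re.IGNORECASE,
)

# Assumption: a "regular domain name" is a dotted hostname containing at
# least one letter, i.e. not a bare word and not an address literal.
HOSTNAME = re.compile(r"^(?=.*[a-z])[a-z0-9-]+(\.[a-z0-9-]+)+$", re.IGNORECASE)

# Constructed sample data (documentation address ranges, .example names).
SAMPLE_DNS = {"mail.smallbiz.example": {"192.0.2.10"}}

def resolve_sample(name):
    """Offline stand-in for an A-record lookup; returns a set of IPs."""
    return SAMPLE_DNS.get(name.lower(), set())

def looks_broadband(ptr):
    """True if the PTR name matches the broadband pattern."""
    return BROADBAND_PTR.search(ptr) is not None

def decide(ip, ptr, helo, resolve=resolve_sample, whitelist=(),
           authenticated=False, spf_pass=False):
    """Return (action, reason), applying the exemptions around the regex."""
    if ip in whitelist:
        return ("accept", "whitelisted")
    if authenticated:
        return ("accept", "authenticated")
    if not looks_broadband(ptr):
        return ("accept", "ptr-ok")
    # Exempt when HELO is a regular hostname that resolves to the client IP.
    if HOSTNAME.match(helo) and ip in resolve(helo):
        return ("accept", "helo-resolves")
    if spf_pass:  # assumption: the caller has already evaluated SPF
        return ("accept", "spf")
    return ("reject", "broadband-ptr")

if __name__ == "__main__":
    # Hostnames quoted in the thread. The rr.com name has no dot- or
    # dash-separated octets and no keyword, so this regex does not flag it.
    for name in ("c-24-8-173-129.client.comcast.net", "pool-34.yaddaydda.com",
                 "poolcleaners.com", "6535215hfc174.tampabay.rr.com"):
        print(name, looks_broadband(name))
    print(decide("192.0.2.10", "static-dsl-10.isp.example", "mail.smallbiz.example"))
```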