on Wed, Dec 01, 2004 at 02:41:00PM -0500, Valdis.Kletnieks@vt.edu wrote:
> On Wed, 01 Dec 2004 13:16:49 EST, Steven Champeon said:
> > FWIW, 40% or more of the inbound spam mail here comes from hosts with a generic rDNS naming convention (even after DNSBLs and other obvious forgery checks such as hosts using my domain(s)/IP(s) in HELO/EHLO). We simply quarantine any mail from hosts without rDNS at all, and reject all mail from non-whitelisted generic hosts.
>
> Any issues with dealing with the distinction between (for instance) FOO.generic.BAR.(com|net|org) (where generic is the 3rd level) and FOO.generic.BAR.co.uk (where it's a level further down)? Similarly, do you just treat all of *.info or *.biz as a generic swamp? Any other TLD-related issues you've identified in counting up that 40%?

Well, for various reasons I maintain a database of some ~7K or so naming conventions and run my matches against all of them (using a TLD-based right-to-left sort, but still, I know it can be done more efficiently). The practice stems from the days (5/03) when I'd only mapped some 1500 or so conventions. The access.db checks are done right-to-left, too, so

  Connect:dhcp.vt.edu ERROR:5.7.1:"550 go away, dynamic user"

wouldn't catch 1.2.3.4.dhcp.vt.edu.example.com anyway.

All of my matches are currently done on the whole rDNS hostname string, not on a subset, though I'm moving towards a left-anchored subset as it cuts my live pats down from ~7K to ~3200 or so. (e.g., refusing mail from hosts with names like ^h[0-f]{8}\. instead of checking all of the pats that start with h[0-f]{8}). I've got a list of the most common 100 or so left-anchored pat subsets, and hope to put them into practice here soon. So I may have more feedback then.

I don't simply treat info/biz as a swamp in practice, no - despite the fact that they're obviously pretty well flooded and swarming :/ So, no TLD-related issues of the sort you seem interested in.

-- 
hesketh.com/inc. v: +1(919)834-2552 f: +1(919)834-2554 w: http://hesketh.com
join us! http://hesketh.com/about/careers/account_manager.html join us!
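
The policy and lookup order discussed in this message, sketched as an added example (not code from the original post or from the poster's filter): whole-hostname conventions are found by walking the rDNS name right to left, and one left-anchored pattern stands in for many per-domain ones. The table names, patterns and hostnames are constructed for illustration, and the hex prefix is written with an explicit [0-9a-f] class.

```python
import re

# Constructed sample conventions, keyed by the domain suffix they belong to.
# Each regex matches the WHOLE rDNS hostname, as the post describes.
CONVENTIONS = {
    "example.net": [re.compile(r"^\d+-\d+-\d+-\d+\.dyn\.example\.net$")],
    "example.co.uk": [re.compile(r"^host-\d+-\d+-\d+-\d+\.dsl\.example\.co\.uk$")],
}
# Left-anchored subset: one prefix pattern replaces every per-domain
# pattern that begins the same way (constructed example).
LEFT_ANCHORED = [re.compile(r"^h[0-9a-f]{8}\.")]
# Hosts with generic-looking names that are known good (constructed).
WHITELIST = {"h0123abcd.mail.example.org"}


def classify(rdns):
    """Return 'quarantine', 'reject' or 'accept' for a client's rDNS name."""
    if not rdns:
        return "quarantine"  # no rDNS at all
    name = rdns.rstrip(".").lower()
    if name in WHITELIST:
        return "accept"
    if any(p.match(name) for p in LEFT_ANCHORED):
        return "reject"
    labels = name.split(".")
    # Right to left: "uk", "co.uk", "example.co.uk", ... The table key decides
    # how deep the convention sits, so .com and .co.uk need no special casing.
    for i in range(len(labels) - 1, -1, -1):
        suffix = ".".join(labels[i:])
        for pattern in CONVENTIONS.get(suffix, ()):
            if pattern.match(name):
                return "reject"
    return "accept"  # no generic convention matched


if __name__ == "__main__":
    for host in (None,
                 "10-1-2-3.dyn.example.net",
                 "10-1-2-3.dyn.example.net.example.com",
                 "host-10-1-2-3.dsl.example.co.uk",
                 "h00a1b2c3.cable.example.org",
                 "h0123abcd.mail.example.org"):
        print(host, "->", classify(host))
```

Because the suffix walk starts at the TLD, a name that merely embeds a listed domain further left (the third sample) never reaches that domain's patterns, which is the same behaviour the message describes for right-to-left access.db checks.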