... unless it's coming from your localnet.
Local clients in the IP space "You Own" should get a bit more slack.
IMHO.

Aloha,
Michael.
-- 
Michael J Wise | Microsoft | Spam Analysis | "Your Spam Specimen Has Been 
Processed." | Got the Junk Mail Reporting Tool ?

-----Original Message-----
From: mailop [mailto:mailop-boun...@mailop.org] On Behalf Of Michelle Sullivan
Sent: Tuesday, April 19, 2016 7:01 AM
To: mailop@mailop.org
Subject: Re: [mailop] "Spammer TLDs" and IP addresses without a reverse?

Petar Bogdanovic wrote:
> On Tue, Apr 19, 2016 at 11:19:57AM +0200, Renaud Allard via mailop wrote:
>> On 04/19/2016 09:15 AM, Michelle Sullivan wrote:
>>> As well... ;-) (and for those that don't get it... the host issued 'HELO
>>> [65.55.234.213]' or 'EHLO [65.55.234.213]' .. perfectly legal but
>>> something malware and bots do as well..
>> While HELOing like this might be perfectly "legal", this is
>> something which is probably going to be blocked as well by many/most
>> servers.
> I gave up on valid/consistent HELOs a long time ago.
>
> Minor indication of spamminess?  Yes.  Reason for rejection?  Nope. :)
>
Depends... I have a rather large database of spam and here's what I can 
tell you from that database and my experience over the years:

Unqualified IP in HELO (i.e. missing the []) - no false positives... all 
100% spam or viruses.
Qualified IP in HELO: minor indicator of spamminess if 'ESMTP' exists in 
the server's banner (as likely the host just doesn't support outgoing 
ESMTP or is sitting behind a PIX-like device still!)
Qualified IP in EHLO: reasonable indicator of spamminess if 'ESMTP' does 
not exist in the server's banner. (Yes, this still works; anyone trying 
to ESMTP to a host that doesn't support it is a reasonable bot/mass 
mailer indicator...)
'localhost' in HELO/EHLO and not from yourself is a high indicator of 
spamminess (few FPs, and usually "don't care" about who they are.)

Any other problems like HELO/EHLO not being FQDN, not matching the host, 
not existing etc... I'll usually 4xx or ignore (e.g. ignore for not 
matching, 421 for not existing... etc.)

Regards,

-- 
Michelle Sullivan
http://www.mhix.org/


_______________________________________________
mailop mailing list
mailop@mailop.org
https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop
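
The HELO/EHLO heuristics discussed in this thread, sketched as an added example (not code from any poster or from the list). The verdict labels, the `LOCAL_NETS` ranges, the reading of "more slack" for local clients as skipping the checks, and the 203.0.113.x client address used in testing are assumptions made for illustration.

```python
import ipaddress

# Assumed "IP space you own"; replace with your own ranges.
LOCAL_NETS = [ipaddress.ip_network(n)
              for n in ("127.0.0.0/8", "10.0.0.0/8", "192.168.0.0/16")]


def _is_ip(text):
    """True if text parses as a bare IPv4 or IPv6 address."""
    try:
        ipaddress.ip_address(text)
        return True
    except ValueError:
        return False


def classify_helo(verb, arg, client_ip, banner_has_esmtp=True):
    """Return (verdict, reason) for one HELO/EHLO command.

    verdict is one of the hypothetical labels: accept, score-low,
    score-medium, score-high, tempfail, reject.
    """
    client = ipaddress.ip_address(client_ip)
    if any(client.version == net.version and client in net for net in LOCAL_NETS):
        return ("accept", "client is on a local network")
    verb, arg = verb.upper(), arg.strip()
    if _is_ip(arg):
        # IP address without the enclosing [] is not a valid address literal.
        return ("reject", "unqualified IP (missing brackets)")
    if arg.startswith("[") and arg.endswith("]"):
        literal = arg[1:-1]
        if literal.upper().startswith("IPV6:"):
            literal = literal[5:]
        if not _is_ip(literal):
            return ("tempfail", "malformed address literal")
        if verb == "HELO" and banner_has_esmtp:
            return ("score-low", "address literal in HELO despite ESMTP banner")
        if verb == "EHLO" and not banner_has_esmtp:
            return ("score-medium", "address literal in EHLO without ESMTP banner")
        return ("accept", "address literal, no banner mismatch")
    if arg.lower() == "localhost":
        return ("score-high", "'localhost' from a non-local client")
    if "." not in arg.rstrip("."):
        return ("tempfail", "not a fully qualified domain name")
    return ("accept", "plausible FQDN")
```

Checks that need DNS (the name not existing, or not matching the connecting host) are left out so the example runs offline.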
