On 24. jan. 2010, at 12.28, Peter J. Holzer wrote:
> See http://enemieslist.com/how/use.html
>
> (The front page says this is "not currently available for public use",
> but it seems to be)
>
> For example, if the client sends EHLO smtp28.orange.fr (taken from a
> random spam message), you query smtp28.orange.fr.g.enemieslist.com.
> and get back
>
> smtp28.orange.fr.g.enemieslist.com. 21600 IN A 127.0.2.11
>
> 127.0.2.11 means "legitimate mail source", so in this case enemieslist
> wouldn't have helped to detect the spam.

As far as I understand the docs (http://enemieslist.com/how/use.html), you could have queried the more specific

smtp28.orange.fr.h.enemieslist.com.

for the EHLO name, where "h" is HELO/EHLO instead of "g" for generic.

I don't quite see the point of the "g" service anyhow, since it is based on FQDNs - wouldn't it be more practical (simpler, faster, more reliable) to query the IP when you're interested in the identity of the connecting host (because as I understand it, Enemieslist is *not* a list for right-hand sides of e-mail addresses)?

Also, when I query it I get

calrissian.bsws.de.h.enemieslist.com. 0 IN A 67.215.65.132

and even

gmail.com.h.enemieslist.com. 0 IN A 67.215.65.132

Anyone know what that means?

-J
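
Added example, not part of the original message or of Enemieslist's own code: a sketch of the lookup discussed in this thread, building the "g" or "h" query name and sanity-checking the answer before a mail filter acts on it. The zone letters and the meaning of 127.0.2.11 are taken from the thread; the function names, the default resolver and the rule that only answers inside 127.0.0.0/8 count as list codes (the DNSBL convention of RFC 5782) are assumptions of the example.

```python
import ipaddress
import socket

BASE = "enemieslist.com"                 # zone suffix as quoted in the thread
ZONES = {"generic": "g", "helo": "h"}    # zone letters as described in the thread
KNOWN = {"127.0.2.11": "legitimate mail source"}  # the only code the thread explains
DNSBL_NET = ipaddress.ip_network("127.0.0.0/8")   # DNSBL answers live here (RFC 5782)


def query_name(name, kind):
    """Build the lookup name, e.g. smtp28.orange.fr.h.enemieslist.com."""
    host = name.strip().rstrip(".").lower()
    if not host or any(not label for label in host.split(".")):
        raise ValueError(f"not a usable host name: {name!r}")
    return f"{host}.{ZONES[kind]}.{BASE}."


def classify(answer):
    """Interpret one A-record answer (None stands for NXDOMAIN)."""
    if answer is None:
        return ("no-entry", "NXDOMAIN, the zone has nothing for this name")
    ip = ipaddress.ip_address(answer)
    if ip not in DNSBL_NET:
        # Not a list code at all: something between you and the zone answered,
        # for instance a recursive resolver that rewrites NXDOMAIN.
        return ("not-a-list-answer", "outside 127.0.0.0/8, do not act on it")
    return ("entry", KNOWN.get(str(ip), "code not explained in the thread"))


def system_resolve(qname):
    """Hypothetical default resolver: first A record, None on any lookup failure."""
    try:
        return socket.gethostbyname(qname)
    except OSError:
        return None


def check(name, kind, resolve=system_resolve):
    """Look up one host name in the chosen zone and classify the answer."""
    return classify(resolve(query_name(name, kind)))


if __name__ == "__main__":
    # Constructed stub that replays answers quoted in the thread (no network).
    seen = {"smtp28.orange.fr.g.enemieslist.com.": "127.0.2.11",
            "gmail.com.h.enemieslist.com.": "67.215.65.132"}
    for host, kind in [("smtp28.orange.fr", "generic"), ("gmail.com", "helo")]:
        print(host, kind, check(host, kind, seen.get))
```

Passing `resolve=seen.get` keeps the run offline; leaving it out uses the system resolver.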