On 2010-01-24 15:49:35 +0100, Johan Almqvist wrote:
> 
> On 24. jan. 2010, at 12.28, Peter J. Holzer wrote:
> > See http://enemieslist.com/how/use.html
[...]
> > For example, if the client sends EHLO smtp28.orange.fr (taken from a
> > random spam message), you query smtp28.orange.fr.g.enemieslist.com.
> > and get back
> > 
> > smtp28.orange.fr.g.enemieslist.com. 21600 IN A  127.0.2.11
> > 
> > 127.0.2.11 means "legitimate mail source", so in this case enemieslist
> > wouldn't have helped to detect the spam.
> 
> As far as I understand the docs http://enemieslist.com/how/use.html
> you could have queried the more specific
> smtp28.orange.fr.h.enemieslist.com. for the EHLO name, where "h" is
> HELO/EHLO instead of "g" for generic.

Right. I tried both (same result) and then posted about the wrong one.

> I don't quite see the point of the "g" service anyhow since it is
> based on FQDNs - wouldn't it be more practical (simpler, faster, more
> reliable) to query the IP when you're interested in the identity of
> the connecting host (because as I understand it, Enemieslist is *not*
> a list for right-hand sides of e-mail addresses).

AIUI enemieslist uses patterns in the host names for classification. If
the client sent the IP address to the server the server would then have
to do a PTR lookup to get the name. Letting the client do the PTR lookup
(which it almost certainly does anyway) reduces latency and traffic.

Also the host name may be a more meaningful identity than the IP
address.

> Also when I query it I get
> 
> calrissian.bsws.de.h.enemieslist.com. 0 IN A    67.215.65.132
> and even
> gmail.com.h.enemieslist.com. 0  IN      A       67.215.65.132
> 
> Anyone know what that means?

It means that opendns.com is evil:

132.65.215.67.in-addr.arpa. 3600 IN     PTR hit-nxdomain.opendns.com.

        hp


-- 
   _  | Peter J. Holzer    | Openmoko has already embedded
|_|_) | Sysadmin WSR       | voting system.
| |   | h...@hjp.at         | Named "If you want it -- write it"
__/   | http://www.hjp.at/ |  -- Ilja O. on commun...@lists.openmoko.org
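
Added example, not part of the original message and not enemieslist's own code: a lookup wrapper that builds the g/h query names discussed above and refuses to treat an answer outside 127.0.0.0/8 as a list result, which is what the 67.215.65.132 answers from an NXDOMAIN-rewriting resolver call for. Assumptions: the list answers only in 127.0.0.0/8 (as in the 127.0.2.11 shown), no answer means "not listed", and the function names and the canned lookup table are hypothetical.

```python
import ipaddress
import socket

ZONE = "enemieslist.com"                    # zone queried in the thread
LIST_RANGE = ipaddress.ip_network("127.0.0.0/8")  # assumed range of real list answers
# Only return code whose meaning is given in the thread.
KNOWN_CODES = {"127.0.2.11": "legitimate mail source"}

def query_name(hostname, service):
    """Build <hostname>.<service>.enemieslist.com. ('g' generic, 'h' HELO/EHLO)."""
    if service not in ("g", "h"):
        raise ValueError("service must be 'g' or 'h'")
    return f"{hostname.rstrip('.').lower()}.{service}.{ZONE}."

def system_lookup(name):
    """A records from the system resolver; empty list when nothing resolves."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except OSError:
        return []

def classify(hostname, service, lookup=system_lookup):
    """Return (status, detail) for one host name."""
    answers = lookup(query_name(hostname, service))
    if not answers:
        return ("not-listed", None)
    outside = [a for a in answers if ipaddress.ip_address(a) not in LIST_RANGE]
    if outside:
        # A routable address is not a list answer: the resolver replaced NXDOMAIN.
        return ("resolver-rewrite", outside[0])
    code = answers[0]
    return ("listed", KNOWN_CODES.get(code, "code " + code))

# Constructed sample data: the answers quoted in the thread, keyed by query name.
THREAD_ANSWERS = {
    "smtp28.orange.fr.g.enemieslist.com.": ["127.0.2.11"],
    "gmail.com.h.enemieslist.com.": ["67.215.65.132"],
    "calrissian.bsws.de.h.enemieslist.com.": ["67.215.65.132"],
}

def canned_lookup(name):
    return THREAD_ANSWERS.get(name, [])

if __name__ == "__main__":
    for host, svc in [("smtp28.orange.fr", "g"), ("gmail.com", "h"), ("example.invalid", "h")]:
        print(host, svc, classify(host, svc, canned_lookup))
```

A filter that counts any A record as "listed" would score every host name as a hit behind such a resolver; the "resolver-rewrite" status is the signal to fix the resolver rather than act on the answer.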
