Johan Almqvist wrote:
On 24. jan. 2010, at 12.28, Peter J. Holzer wrote:
See http://enemieslist.com/how/use.html
(The front page says this is "not currently available for public use",
but it seems to be)
For example, if the client sends EHLO smtp28.orange.fr (taken from a
random spam message), you query smtp28.orange.fr.g.enemieslist.com.
and get back
smtp28.orange.fr.g.enemieslist.com. 21600 IN A 127.0.2.11
127.0.2.11 means "legitimate mail source", so in this case enemieslist
wouldn't have helped to detect the spam.
Wrong tool for determining spam from that IP.
EL's intent is to classify domain-ish rDNS and helo strings as to
whether they're dhcp-ish, SMTP-server-ish, host-ish, web server-ish,
cable-ish, adsl-ish, etc.
The idea being that you can use EL's return codes to tweak your
filtering. E.g.: something using SMTP server names is less likely to be
spam than something using DHCP patterning. You can key these to
different SpamAssassin scores.
For example, triggering on EL's "dynamic" return codes is roughly
equivalent to using a rather more accurate DUL than most DULs.
EL is capable of delivering far more sophisticated filtering information
than plain DNSBLs are. In particular, making EL dynamic hits on HELO
strings is remarkably successful with fewer FPs than NXDOMAIN or on rDNS.
Using an EL-specific plugin is only making limited use of the potential
of EL. You're unlikely to use much more than asking EL "does this FQDN
represent a dynamic IP?" in either HELOs or rDNS (see above).
You get much more of EL's capabilities if used in something like
SpamAssassin, where you assign different scores (possibly negative)
depending on what EL return you get.
As far as I understand the docs (http://enemieslist.com/how/use.html), you could have queried the more
specific smtp28.orange.fr.h.enemieslist.com. for the EHLO name, where "h" is HELO/EHLO
instead of "g" for generic.
I don't quite see the point of the "g" service anyhow, since it is based on
FQDNs. Wouldn't it be more practical (simpler, faster, more reliable) to query the IP
when you're interested in the identity of the connecting host? (Because, as I understand
it, Enemieslist is *not* a list for right-hand sides of e-mail addresses.)
You're asking EL what kind of device that FQDN is (eg: dynamic pool),
not whether the corresponding domain name is "bad".
Also, when I query it I get
calrissian.bsws.de.h.enemieslist.com. 0 IN A 67.215.65.132
and even
gmail.com.h.enemieslist.com. 0 IN A 67.215.65.132
Someone's screwing with your DNS. You'll probably have the same problem
with ordinary DNSBLs. Use a better DNS service.
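Added example, not from any of the posters above and not Enemieslist's own code: it builds the query names the thread describes (HELO string plus the "h" or "g" sub-zone under enemieslist.com), interprets an A-record answer, and applies the sanity check the last reply implies, namely that a list-style answer outside 127.0.0.0/8 (such as the 67.215.65.132 answers above) is a resolver rewriting NXDOMAIN and must not be scored as a hit. The only return code taken from the thread is 127.0.2.11 = "legitimate mail source"; the score table and the offline stand-in resolver are constructed for the example.

```python
"""Build and sanity-check Enemieslist-style DNS lookups for HELO/rDNS names.

Example code only: the sub-zone letters ("h", "g") and the 127.0.2.11 code
come from the thread; everything else here is an assumption for illustration.
"""
import ipaddress

EL_ZONE = "enemieslist.com."
# Sub-zone selectors named in the thread: "h" for HELO/EHLO strings, "g" for generic.
SUBZONES = {"helo": "h", "generic": "g"}

# The only return code the thread documents.
KNOWN_CODES = {
    "127.0.2.11": "legitimate mail source",
}

# Hypothetical local policy, NOT Enemieslist's scoring: the thread only says
# that scores keyed to the return code may be negative.
SCORES = {
    "legitimate mail source": -0.5,
}


def el_query_name(name, kind="helo"):
    """Return the DNS name to query for a HELO or rDNS string.

    ("smtp28.orange.fr", "helo") -> "smtp28.orange.fr.h.enemieslist.com."
    """
    sub = SUBZONES[kind]
    label = name.strip().rstrip(".").lower()
    # Refuse anything that is not a plausible hostname (empty labels, spaces),
    # so a garbage HELO cannot turn into a nonsense query.
    if not label or " " in label or any(part == "" for part in label.split(".")):
        raise ValueError(f"not a usable hostname: {name!r}")
    return f"{label}.{sub}.{EL_ZONE}"


def interpret_answer(addr):
    """Classify one A-record answer from the list.

    Lists of this kind answer from 127.0.0.0/8. Anything else did not come
    from the list; the usual cause is a resolver that rewrites NXDOMAIN into
    a search-page address, which would otherwise look like a hit on every name.
    """
    ip = ipaddress.ip_address(addr)
    if ip not in ipaddress.ip_network("127.0.0.0/8"):
        return ("bogus", f"answer {addr} outside 127.0.0.0/8; suspect NXDOMAIN rewriting by the resolver")
    return ("hit", KNOWN_CODES.get(addr, f"unrecognised EL code {addr}"))


# Constructed answers standing in for a resolver so the example runs offline;
# the values mirror the lookups quoted in the thread. A name that is absent
# represents NXDOMAIN (not listed).
FAKE_DNS = {
    "smtp28.orange.fr.g.enemieslist.com.": ["127.0.2.11"],
    "calrissian.bsws.de.h.enemieslist.com.": ["67.215.65.132"],
    "gmail.com.h.enemieslist.com.": ["67.215.65.132"],
}


def lookup(name, kind="helo", resolver=FAKE_DNS):
    """Query the list for a HELO/rDNS name and return (status, detail)."""
    qname = el_query_name(name, kind)
    answers = resolver.get(qname)
    if not answers:
        return ("nxdomain", None)
    return interpret_answer(answers[0])


def score(name, kind="helo", resolver=FAKE_DNS):
    """Map a lookup result to a score adjustment.

    Only a genuine hit with a code we have mapped changes the score; bogus
    answers, NXDOMAIN and unmapped codes contribute 0 until mapped.
    """
    status, detail = lookup(name, kind, resolver)
    if status != "hit":
        return 0.0
    return SCORES.get(detail, 0.0)


if __name__ == "__main__":
    for helo, kind in [("smtp28.orange.fr", "generic"), ("gmail.com", "helo"),
                       ("calrissian.bsws.de", "helo"), ("mx.example.invalid", "helo")]:
        print(el_query_name(helo, kind), lookup(helo, kind), score(helo, kind))
```

To use it against a live resolver, replace the `resolver` argument with a mapping-like object that performs the A lookup; the point of the `interpret_answer` check is that it must run on the live answers too, since the bogus 67.215.65.132 replies would otherwise count as hits for every queried name.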