> -----Original Message-----
> From: Chris Santerre [mailto:[EMAIL PROTECTED]
> Sent: Friday, October 31, 2003 10:21 AM
> To: 'Patrick Morris'; Steven Manross
> Cc: SA Mailing list
> Subject: RE: [SAtalk] Rule for reverse lookup similarities
>
> > > Steven Manross wrote:
> > >
> > > >I'm seeing a few/lot of spam that has a reverse lookup name that is like the
> > > >originating IP.
> > > >
> > > >i.e. If it were 192.168.52.45 that was the originating IP, the reverse
> > > >lookup might be 192-168-52-45-clients.domain.com
> > >
> > > This is a *very* common naming convention for ISPs that assign dynamic
> > > IPs. You'll get a *lot* of false positives if you score based on that.
> >
> > I agree, however it can be very useful. In the link in my
> > sig, go to header (other) section. Search for MY_DSL rule. This has
> > been working very well.
>
> Bah! Here it is!
>
> header MY_DSL Received =~ /\.atlantabroadband\.com|customer|ppp|poole?s?|modem|cable|node|adsl|dial|dsl|client|(insight|tampabay|maine|nyc|nc|cinci)\.rr\.com|vc\.shawcable\.net|se\.client..?\.attbi\.com|\.(east|west)\.verizon\.net|(nj|sc)\.comcast\.net|\.dis\.net|\.charter\.com|metropolis\-inter\.com/i
> describe MY_DSL Contains likely dsl address in header
> score MY_DSL 3.0
>
> However I wish to change it to a meta rule and hook it with
> something else. This rule would actually hit mail from my own
> domain. The problem is legit businesses using DSL and the ISP not
> giving proper rDNS. Also the problem is I'm not sending my mail
> thru my ISP's mail servers.

You might want to consider verifying that it is directly connecting to your host rather than on any Received line. There should be far less traffic from dynamic or broadband sources that directly connect to your host than broadband/dynamic users sending legitimate messages.

header MY_DSL Received =~ /from (your test).*by host\.my\.domain/
describe MY_DSL Contains likely dsl address in header
score MY_DSL 3.0

--Larry
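
The difference between matching any Received line and matching only the hop that connected to your own host, shown as an added Python example (not code from anyone in this thread). It assumes Postfix-style Received headers, that the filter runs on the MX so the topmost Received header is its own, and the placeholder name `host.my.domain`; the keyword list is a subset of the MY_DSL rule and the sample messages are constructed.

```python
import re
from email import message_from_string

MY_HOST = "host.my.domain"  # placeholder name from the thread; use your MX name
# Keyword subset taken from the MY_DSL rule quoted in the thread
DYNAMIC_WORDS = re.compile(r"customer|ppp|pool|modem|cable|node|adsl|dial|dsl|client", re.I)
# Assumed Postfix-style hop: "from HELO (RDNS [IP]) by HOST ..."
HOP = re.compile(r"from\s+\S+\s+\((?P<rdns>[\w.-]+)\s+\[(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\]\)"
                 r".*?\bby\s+(?P<by>[\w.-]+)", re.I | re.S)

def embeds_ip(rdns, ip):
    """True if the four octets appear as consecutive numbers in rdns, forward or reversed."""
    octets = [int(o) for o in ip.split(".")]
    nums = [int(n) for n in re.findall(r"\d+", rdns)]
    windows = [nums[i:i + 4] for i in range(len(nums) - 3)]
    return octets in windows or octets[::-1] in windows

def direct_hop(raw, my_host=MY_HOST):
    """(rdns, ip) of the client that connected to my_host, or None.
    Only the topmost Received header is trusted: our own MTA prepended it,
    while every header below it was supplied by the sender."""
    received = message_from_string(raw).get_all("Received", [])
    m = HOP.search(received[0]) if received else None
    if m and m.group("by").lower() == my_host:
        return m.group("rdns").lower(), m.group("ip")
    return None

def classify(raw):
    hop = direct_hop(raw)
    if hop is None:
        return "not-direct"
    rdns, ip = hop
    dynamic = embeds_ip(rdns, ip) or DYNAMIC_WORDS.search(rdns)
    return "dynamic-direct" if dynamic else "other-direct"

def any_received_hit(raw):
    """The original MY_DSL behaviour: keyword match on any Received line."""
    return any(DYNAMIC_WORDS.search(v) for v in message_from_string(raw).get_all("Received", []))

# Constructed samples (addresses from the thread's example and RFC 5737)
DIRECT = ("Received: from foo (192-168-52-45-clients.domain.com [192.168.52.45])\n"
          "\tby host.my.domain (Postfix) with SMTP id A1; Fri, 31 Oct 2003 10:00:00 -0500\n"
          "Subject: test\n\nbody\n")
RELAYED = ("Received: from smtp.isp.example (smtp.isp.example [192.0.2.25])\n"
           "\tby host.my.domain (Postfix) with ESMTP id B2; Fri, 31 Oct 2003 10:05:00 -0500\n"
           "Received: from desktop (192-168-52-45-clients.domain.com [192.168.52.45])\n"
           "\tby smtp.isp.example (Postfix) with ESMTP id C3; Fri, 31 Oct 2003 10:04:58 -0500\n"
           "Subject: test\n\nbody\n")

if __name__ == "__main__":
    for name, raw in (("DIRECT", DIRECT), ("RELAYED", RELAYED)):
        print(name, classify(raw), any_received_hit(raw))
```

The RELAYED sample is the false-positive case raised in the thread: a DSL user sending through the ISP's mail server trips the any-line match but not the direct-hop check.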