Quoting List Mail User <[EMAIL PROTECTED]>:

        Looks like I slightly overestimated.  I just checked the last
40 spams I received.  After ignoring 419s, stock pumps and phishing I
found 14 without wildcards and 21 with - exactly 60% (only one had a
'CNAME' wildcard, the rest were all 'A' record wildcards).  Much to my
surprise, I tested them all and of the 21 wildcards, 13 used "www.subdomain"
to match the wildcard.  I've never seen a case of a valid domain using
them for 'A' or 'CNAME' records, but I can think up (admittedly marginal)
cases where an administrator might want to for a subdomain of a SLD - I
can't come up with a single reason to use them on a SLD itself, but maybe
someone else can.

        So the answer looks like 60% with 0% FPs.  (But what I get is
very biased because of the large amount of filtering at both the MTA
level and in front of SA.)  If a few other people could test and report
that would probably be helpful.

Short test of 100 known spam messages shows that 10% of them contain wildcards,
however, any "www" was stripped off before checking for wildcards (so
name.domain.com would check *.domain.com and www.name.domain.com checks
*.domain.com, although this isn't yet a perfect filter). Anything that didn't
have a wildcard was checked by resolving and feeding to spamhaus which got
another 85%.  The last 5% was not detected as being spam, however this was a
quick test so I may have missed quite a few hosts from sloppy regexes.

I'll do a larger test of spams (downloading about 6500 now), and also check the
ham, and some unfiltered stuff much later.

-- Evan
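
The wildcard check discussed in this thread, as an added example that is not part of either poster's message or of SpamAssassin: strip a leading "www", derive the zone to test, and see whether random labels under it resolve. The function names, the injectable `resolve` callable, and the sample zones are assumptions made for illustration.

```python
import secrets
import socket

def probe_zone(host):
    """Zone whose wildcard is tested: strip a leading 'www', then drop the
    leftmost label (name.domain.com and www.name.domain.com -> domain.com)."""
    labels = host.lower().rstrip(".").split(".")
    if labels[0] == "www" and len(labels) > 2:
        labels = labels[1:]
    # Assumption: a two-label name is the registered domain itself; a real
    # filter would consult a public-suffix list (e.g. for example.co.uk).
    if len(labels) > 2:
        labels = labels[1:]
    return ".".join(labels)

def system_resolver(name):
    """Return the set of addresses for name, empty if it does not resolve."""
    try:
        return {info[4][0] for info in socket.getaddrinfo(name, None)}
    except socket.gaierror:
        return set()

def has_wildcard(host, resolve=system_resolver, probes=2):
    """True if random, never-registered labels under the zone all resolve."""
    zone = probe_zone(host)
    for _ in range(probes):
        label = secrets.token_hex(8)  # 16 hex chars, will not exist by chance
        if not resolve(f"{label}.{zone}"):
            return False
    return True

# Constructed sample data: a fake resolver standing in for live DNS.
WILDCARD_ZONES = {"spamvertised.example": "192.0.2.10"}
EXPLICIT = {"www.legit.example": "198.51.100.7", "legit.example": "198.51.100.7"}

def fake_resolve(name):
    if name in EXPLICIT:
        return {EXPLICIT[name]}
    for zone, addr in WILDCARD_ZONES.items():
        if name.endswith("." + zone):
            return {addr}
    return set()

if __name__ == "__main__":
    for h in ["www.abc123.spamvertised.example", "www.legit.example"]:
        print(h, probe_zone(h), has_wildcard(h, fake_resolve))
```

With the default `system_resolver`, a recursive resolver that rewrites NXDOMAIN answers makes every zone look wildcarded, so run the check against a resolver known not to do that.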
