Jason Haar wrote:
> HOST_EQ_D_D_D_D isn't part of standard SA - where did that come from?
>  

It appears to come from:
http://www.rulesemporium.com/rules/88_FVGT_headers.cf



header   HOST_EQ_D_D_D_D        X-Spam-Relays-Untrusted =~ /^[^\]]+ rdns=[^ ]+\d{1,3}[^0-9]\d{1,3}[^0-9]\d{1,3}[^0-9]\d{1,3}[^ ]+ /
score    HOST_EQ_D_D_D_D        0.665
#counts  HOST_EQ_D_D_D_D        10886s/231h of 41745 corpus (34134s/7611h FVGT) 03/29/06

header   HOST_EQ_D_D_D_DB       X-Spam-Relays-Untrusted =~ /^[^\]]+ rdns=\d{1,3}[^0-9]\d{1,3}[^0-9]\d{1,3}[^0-9]\d{1,3}[^ ]+ /
score    HOST_EQ_D_D_D_DB       0.888
#counts  HOST_EQ_D_D_D_DB       4324s/71h of 42070 corpus (34144s/7926h FVGT) 04/19/06


From the looks of it they're detecting untrusted relays with reverse-dns names
which are of the typical host-208-39-141-94.example.com format for dynamic
hosts.
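
An added example, not part of the original message or of the FVGT rule set: the two patterns above ported to Python's `re` and run over constructed, simplified X-Spam-Relays-Untrusted strings, to show which rDNS shapes each rule hits and that only the first relay entry is inspected. The `relay()` and `hits()` helpers and all sample hostnames and addresses are assumptions made for illustration.

```python
import re

# The two patterns from the rules above, with the mail-wrapped lines rejoined.
RULES = {
    "HOST_EQ_D_D_D_D": re.compile(
        r"^[^\]]+ rdns=[^ ]+\d{1,3}[^0-9]\d{1,3}[^0-9]\d{1,3}[^0-9]\d{1,3}[^ ]+ "),
    "HOST_EQ_D_D_D_DB": re.compile(
        r"^[^\]]+ rdns=\d{1,3}[^0-9]\d{1,3}[^0-9]\d{1,3}[^0-9]\d{1,3}[^ ]+ "),
}


def relay(ip, rdns):
    """Build one constructed relay entry (simplified field set, hypothetical helper)."""
    return f"[ ip={ip} rdns={rdns} helo=client by=mx.example.org ident= envfrom= ]"


def hits(relays_untrusted):
    """Return the names of the rules whose pattern matches the pseudo-header."""
    return sorted(n for n, rx in RULES.items() if rx.search(relays_untrusted))


# Constructed sample values (documentation addresses and example domains).
EMBEDDED = relay("208.39.141.94", "host-208-39-141-94.example.com")
LEADING = relay("208.39.141.94", "94.141.39.208.dyn.example.net")
LEADING_1DIGIT = relay("203.0.113.4", "4.113.0.203.dyn.example.net")
STATIC = relay("192.0.2.25", "mail.example.org")
# Dynamic-looking host behind a static first hop: ^[^\]]+ cannot cross the
# first "]", so only the first relay entry is ever inspected.
SECOND_HOP = STATIC + " " + EMBEDDED

if __name__ == "__main__":
    for label, value in [("embedded", EMBEDDED), ("leading", LEADING),
                         ("leading, 1-digit octet", LEADING_1DIGIT),
                         ("static", STATIC), ("dynamic second hop", SECOND_HOP)]:
        print(f"{label:24} -> {hits(value) or 'no hit'}")
```

The two rules overlap: a name that starts with a multi-digit octet fires both, because `[^ ]+` in HOST_EQ_D_D_D_D can consume the first digit, so their scores add for those hosts.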