Per Jessen wrote:
Marc Perkel wrote:

1) Take the IP of the connecting host and do an RDNS lookup to get the name.
2) Verify that the name that was looked up resolves to the same IP address.
3) Look up the name in this dns list === example.com.hostdomain.junkemailfilter.com
4) if it returns 127.0.0.1 - it's ham

Let's say the sending host is 69.50.231.2

RDNS of 69.50.231.2 is 2.ctyme.com
Looking up 2.ctyme.com returns 69.50.231.2 ---- MATCH!
Lookup 2.ctyme.com.hostdomain.junkemailfilter.com - returns 127.0.0.1 - It's HAM!

That's all there is to it.

Uh, why?
How about this one:

Client IP is 213.200.218.50 - reverse lookup returns mail.specogna.ch.
Lookup mail.specogna.ch returns 213.200.218.50. Looks good.
Lookup mail.specogna.ch.junkemailfilter.com - (what does this tell me, regardless of what it returns?)
But let's assume mail.specogna.ch.junkemailfilter.com does return 127.0.0.1 - it means nothing wrt ham/spam.  That mail-server is occasionally being used by a spambot sat on an internal machine at that company.

/Per Jessen, Zürich



What I have is a database of a few thousand big domains who never send spam. Banks, credit card companies, airlines, and other big businesses. Once the host is verified as not being spoofed RDNS, then if, for example, the host is *.wellsfargo.com, it's from Wells Fargo Bank.

I'm using it with Exim now and about 80% of ham is identified this way allowing me to bypass SA and reduce system load and improve accuracy.

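The four-step check described in the thread, written out as an added Python example (not code from the thread or from junkemailfilter.com). `check_host`, the two resolver classes and every sample name and address other than 69.50.231.2 / 2.ctyme.com are constructed for illustration, and lookups are IPv4 only.

```python
import socket

ZONE = "hostdomain.junkemailfilter.com"  # list zone named in the thread

class SystemDNS:  # live IPv4 lookups through the system resolver
    def ptr(self, ip):
        try:
            return socket.gethostbyaddr(ip)[0]
        except OSError:
            return None
    def a(self, name):
        try:
            return set(socket.gethostbyname_ex(name)[2])
        except OSError:
            return set()

class TableDNS:  # offline resolver over dicts, so the sample runs without network
    def __init__(self, ptrs, addrs):
        self.ptrs, self.addrs = ptrs, addrs
    def ptr(self, ip):
        return self.ptrs.get(ip)
    def a(self, name):
        return set(self.addrs.get(name, ()))

def check_host(ip, dns, zone=ZONE):
    name = dns.ptr(ip)                          # step 1: reverse lookup
    if not name:
        return "no-rdns"
    name = name.lower().rstrip(".")
    if ip not in dns.a(name):                   # step 2: name must resolve back to ip
        return "rdns-mismatch"                  # PTR is set by whoever runs the IP's reverse zone
    if "127.0.0.1" in dns.a(f"{name}.{zone}"):  # steps 3-4: query the list
        return "ham"
    return "unlisted"

# Constructed sample data; only the 2.ctyme.com records come from the thread.
SAMPLE = TableDNS(
    ptrs={"69.50.231.2": "2.ctyme.com",
          "203.0.113.7": "mail.bank.example",   # PTR claims a listed name
          "198.51.100.9": "host9.isp.example"},
    addrs={"2.ctyme.com": ["69.50.231.2"],
           f"2.ctyme.com.{ZONE}": ["127.0.0.1"],
           "mail.bank.example": ["198.51.100.10"],
           f"mail.bank.example.{ZONE}": ["127.0.0.1"],
           "host9.isp.example": ["198.51.100.9"]},
)

if __name__ == "__main__":
    for ip in ("69.50.231.2", "203.0.113.7", "198.51.100.9", "192.0.2.1"):
        print(ip, check_host(ip, SAMPLE))
```

Passing `SystemDNS()` instead of `SAMPLE` runs the same logic against live DNS. The 203.0.113.7 row shows why step 2 cannot be skipped: its PTR names a listed host, but the forward lookup does not return the connecting IP.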