On 09/12/10 22:43, John Hardin wrote:
> On Thu, 9 Dec 2010, Cedric Knight wrote:
>
>> It appears that a client can easily set up hosting using cPanel or
>> something without ever setting the rDNS or hostname to anything other
>> than the numeric default.
>
> Is there anything in the headers that indicates cpanel is in use?
Not really, unfortunately. The only way I know is that the host's public
webpages mention both cPanel and Plesk as available features.

To clarify a little more, both the false positive samples I have are from
small organisations, with apparently just one dedicated or virtual server
apiece at UKFast, used primarily as a web server. One sample is from
X-Mailer: Drupal and the other is X-Mailer: PHPMailer [version 1.72]. The
only commonality is that the last Received line is of the form:

Received: (qmail \d+ invoked by uid \d+); [$DATE]

which might also hit anything that had been through Yahoo or Messagelabs.

> Perhaps a meta on cpanel + dynamic-looking-rDNS would be worth a
> negative point or two...

This is about 9-11 points to offset, though. Maybe there's no way of doing
a negative rule that spammers couldn't abuse.

The exclusion could be generalised by having certain HELO strings stop the
HELO_DYNAMIC_* firing: HELO_STATIC_HOST currently only has provision for
"rogers.com" and only neutralises HELO_DYNAMIC_IPADDR, HELO_DYNAMIC_DHCP
and HELO_DYNAMIC_HCC. That could be extended to the rules involved in this
case, and to certain strings like "static|fixip|\bse?rv|mx" (and not
"pool|dsl", although some people even unwisely run their office Exchange
server on something with "dsl" and a string of numbers in the rDNS).

These are valuable rules, and hosts should indeed ensure they or their
users set authentic-looking HELOs. How about scanning through mail or logs
for messages that hit at least 2 of the HELO_DYNAMIC rules and
RCVD_NUMERIC_HELO, but are otherwise hammy?

Looking at HELO_DYNAMIC_SPLIT_IP closely, I'm pretty sure it was never
intended to overlap with RCVD_NUMERIC_HELO. I'll file a bug.

CK
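The log scan Cedric proposes above (messages hitting at least two HELO_DYNAMIC_* rules plus RCVD_NUMERIC_HELO that are otherwise hammy) is easy to do offline against spamd's "result:" log lines. The following is an added example written for this page, not code from the thread or from SpamAssassin itself. The log lines are constructed to look like spamd output, and the per-rule scores in ASSUMED_RULE_SCORES are illustrative assumptions (spamd does not log per-rule scores, so a real run should take them from the installed 50_scores.cf). "Otherwise hammy" is approximated as: once the HELO-family contribution is subtracted, the remaining score falls below required_score.

```python
import re
from dataclasses import dataclass, field

# Constructed spamd "result:" log lines in the shape spamd writes them.
# Hosts, message-ids and test lists are made up for this example.
SAMPLE_LOG = """\
Dec  9 22:10:01 mx1 spamd[4242]: spamd: result: Y 11 - HELO_DYNAMIC_IPADDR,HELO_DYNAMIC_SPLIT_IP,RCVD_NUMERIC_HELO,RDNS_DYNAMIC scantime=0.4,size=3188,user=cedric,uid=1000,required_score=5.0,rhost=localhost,raddr=127.0.0.1,rport=41122,mid=<a1@example.test>,autolearn=no
Dec  9 22:11:45 mx1 spamd[4242]: spamd: result: Y 23 - BAYES_99,HELO_DYNAMIC_IPADDR,HELO_DYNAMIC_SPLIT_IP,RCVD_NUMERIC_HELO,URIBL_BLACK,RCVD_IN_XBL scantime=0.6,size=2011,user=cedric,uid=1000,required_score=5.0,rhost=localhost,raddr=127.0.0.1,rport=41123,mid=<b2@example.test>,autolearn=spam
Dec  9 22:12:30 mx1 spamd[4242]: spamd: result: . 1 - HTML_MESSAGE scantime=0.2,size=900,user=cedric,uid=1000,required_score=5.0,rhost=localhost,raddr=127.0.0.1,rport=41124,mid=<c3@example.test>,autolearn=ham
Dec  9 22:13:02 mx1 spamd[4242]: spamd: result: Y 7 - HELO_DYNAMIC_IPADDR,RCVD_NUMERIC_HELO,HTML_MESSAGE scantime=0.3,size=1500,user=cedric,uid=1000,required_score=5.0,rhost=localhost,raddr=127.0.0.1,rport=41125,mid=<d4@example.test>,autolearn=no
"""

# ASSUMED, illustrative scores for the HELO-family rules. Real values live
# in 50_scores.cf of the installed rule set and change with rule updates.
ASSUMED_RULE_SCORES = {
    "HELO_DYNAMIC_IPADDR": 3.5,
    "HELO_DYNAMIC_SPLIT_IP": 3.0,
    "HELO_DYNAMIC_DHCP": 3.0,
    "HELO_DYNAMIC_HCC": 3.0,
    "RCVD_NUMERIC_HELO": 2.4,
}

HELO_FAMILY = re.compile(r"^HELO_DYNAMIC_")
NUMERIC_HELO = "RCVD_NUMERIC_HELO"

# flag (Y/.), integer score, comma-separated tests, then required_score
RESULT_RE = re.compile(
    r"spamd: result: (?P<flag>[Y.]) (?P<score>-?\d+) - (?P<tests>\S+) "
    r".*?required_score=(?P<req>[\d.]+)"
)
MID_RE = re.compile(r"mid=(<[^>]*>)")


@dataclass
class Candidate:
    mid: str
    score: int
    helo_hits: list = field(default_factory=list)
    score_without_helo: float = 0.0


def parse_result_line(line):
    """Return a dict for a spamd 'result:' line, or None for other lines."""
    m = RESULT_RE.search(line)
    if not m:
        return None
    tests = [] if m["tests"] == "none" else m["tests"].split(",")
    mid_m = MID_RE.search(line)
    return {
        "flag": m["flag"],
        "score": int(m["score"]),
        "tests": tests,
        "required": float(m["req"]),
        "mid": mid_m.group(1) if mid_m else "",
    }


def find_helo_fp_candidates(log_text, rule_scores, min_dynamic_hits=2):
    """Messages that hit >= min_dynamic_hits HELO_DYNAMIC_* rules and
    RCVD_NUMERIC_HELO, but would not reach required_score without them."""
    candidates = []
    for line in log_text.splitlines():
        rec = parse_result_line(line)
        if rec is None:
            continue
        dynamic = [t for t in rec["tests"] if HELO_FAMILY.match(t)]
        if len(dynamic) < min_dynamic_hits or NUMERIC_HELO not in rec["tests"]:
            continue
        helo_hits = dynamic + [NUMERIC_HELO]
        # Subtract the HELO-family contribution; what is left is the
        # "otherwise" part of "otherwise hammy".
        without = rec["score"] - sum(rule_scores.get(t, 0.0) for t in helo_hits)
        if without < rec["required"]:
            candidates.append(
                Candidate(rec["mid"], rec["score"], helo_hits, round(without, 1))
            )
    return candidates


if __name__ == "__main__":
    for c in find_helo_fp_candidates(SAMPLE_LOG, ASSUMED_RULE_SCORES):
        print(f"{c.mid}: score {c.score}, {c.score_without_helo} without "
              f"{','.join(c.helo_hits)}")
```

On the constructed sample only the first message is reported: it scores 11 but only about 2 points come from anything other than the HELO-family rules, which is exactly the 9-11 point problem described above. The second message also hits all three rules but stays well over the threshold without them, so it is left alone.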