I'm starting to see a (new to me) pattern of spam, and only spam, with PTR records consisting of a single dot, such as:

Received: from ejru38.pindmosel.info (. [184.154.78.38] (may be forged))

It doesn't appear that there is a stock rule yet to identify this particular case. RDNS_NONE matches, but I believe a more specific rule may be in order, or maybe even something at the MTA level if this pattern proves reliable. Has anyone else identified this pattern in their mail flow?

The PTR is set by the ISP, not the spammer. My guess would be that the
period for a PTR would be a policy of a particular network operator or
group of operators. So matching it in SpamAssassin would be scoring
messages on the ISP they came from rather than their spamminess.
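
To measure how often the single-dot PTR from the first message appears in a mail flow, and from which addresses, the header can be classified offline. This is an added example, not code from the thread or from SpamAssassin; it assumes the sendmail-style `from HELO (PTR [IP] (may be forged))` layout of the quoted header, and every sample header except the first is constructed.

```python
import re

# "from" clause of a sendmail-style Received header:
#   from HELO (PTR [IP] (may be forged))
# The PTR token is absent when the reverse lookup returned nothing.
FROM_CLAUSE = re.compile(
    r"^Received:\s+from\s+(?P<helo>\S+)\s+"
    r"\((?:(?P<ptr>[^\s\[\]()]+)\s+)?"
    r"\[(?:IPv6:)?(?P<ip>[0-9A-Fa-f:.]+)\]"
    r"(?:\s+\(may be forged\))?\)"
)

def unfold(raw):
    """Join folded continuation lines so each header is one line."""
    return re.sub(r"\r?\n[ \t]+", " ", raw).splitlines()

def classify_ptr(header):
    """Return (category, ip) for one unfolded Received header, else None."""
    m = FROM_CLAUSE.match(header)
    if m is None:
        return None
    ptr = m.group("ptr")
    if ptr is None:
        category = "no-ptr"        # nothing before the bracketed address
    elif ptr.strip(".") == "":
        category = "dot-ptr"       # PTR target is the bare root label "."
    else:
        category = "named-ptr"
    return category, m.group("ip")

def dot_ptr_sources(raw_headers):
    """List the relay IPs whose PTR was reported as a single dot."""
    results = (classify_ptr(h) for h in unfold(raw_headers))
    return [r[1] for r in results if r and r[0] == "dot-ptr"]

# First header is the one quoted in the thread; the rest are constructed.
SAMPLE = (
    "Received: from ejru38.pindmosel.info (. [184.154.78.38] (may be forged))\n"
    "Received: from mail.example.net ([192.0.2.10])\n"
    "Received: from host.example.com (host.example.com [198.51.100.7])\n"
    "\tby mx.example.org with ESMTP; Mon, 1 Jan 2024 00:00:00 +0000\n"
    "Subject: constructed sample\n"
)

if __name__ == "__main__":
    for line in unfold(SAMPLE):
        print(classify_ptr(line), "<-", line[:60])
```

Grouping the `dot-ptr` addresses by network would show whether the pattern follows particular operators, which is the concern raised in the reply.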
- Single dot PTR Jason Bertoch
- Re: Single dot PTR Adam Moffett
- Re: Single dot PTR Jason Bertoch
- Re: Single dot PTR Benny Pedersen
- Re: Single dot PTR Jason Bertoch
- Re: Single dot PTR Jason Bertoch
- Re: Single dot PTR mouss