On 2010/12/29 11:42 AM, Adam Moffett wrote:
In the cited example, yes, the PTR is set by the ISP and not delegated to the spammer, but a pattern is a pattern and that's what we're here for. Plus, for all we know, the ISP has a web interface for setting PTR records rather than using delegation.
In the cited example, I picked a few other IPs at random that were in the same /16 and they all had a period for a PTR record. I think you would just score up anything that came from that ISP.
I understand that a rule of this type will likely penalize an ISP if it is their policy for PTR records, but I've not seen the volume of this pattern in the past that I'm seeing now. In my case, 100% has been spam and has sourced from numerous address blocks, not just a single ISP.
If that ISP is a consistent source of spam they'll end up in one or more of the RBLs and the message will already get scored up.
While many of these are already flagged by BLs, not all are. Plus, we wouldn't need SA at all if we sat back and waited for BLs to identify and block for us.
I'm not trying to be a killjoy, I just find it hard to believe that the period PTR is meaningful. I've been wrong once or twice though.
I understand. The intent of the original question was to see if anyone else had identified this pattern and found it useful or had any ham from an unfortunate configuration like this.
-- /Jason