I was just dissecting a piece of clothing store spam that was posted to a technical mailing list I'm a member of. It turned out to be the usual Chinese shop spammer, registered with ename.com in China and with all contact details routed through Hotmail.
However, the thing I hadn't seen before is that its IP, 208.115.216.98, resolves to 98-216-115-208.static.reverse.lstn.net. So, is this a normal, expected reverse DNS result that I just haven't seen before, or is it intended to trick MTAs into thinking that the reverse DNS lookup was successful? If the latter is the case, is there some way of writing a rule to detect it?

Martin
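
One way to write such a check, as an added example that is not part of the original post: it reports when a PTR name is built from the octets of the connecting IP (forward, reversed, zero-padded or hex). The function names and the keyword list are assumptions, and every sample other than the lstn.net name from the post is constructed.

```python
import ipaddress
import re

# Labels that often mark provider-assigned names (assumed list, not exhaustive).
GENERIC_WORDS = {"static", "dynamic", "dyn", "dhcp", "pool", "reverse",
                 "rev", "ip", "host", "dsl", "cable"}


def octet_variants(ip):
    """Map each textual encoding of an IPv4 address to a label describing it."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    variants = {}
    for label, seq in (("forward", octets), ("reversed", octets[::-1])):
        padded = [o.zfill(3) for o in seq]
        for sep in ("-", ".", "_", ""):
            variants[sep.join(padded)] = label + "-padded"
            if sep:  # unpadded octets without a separator are ambiguous, skip
                variants[sep.join(seq)] = label
    variants["".join("%02x" % int(o) for o in octets)] = "hex"
    return variants


def classify_ptr(ip, ptr):
    """Return how `ptr` embeds `ip`, or None if the name is not IP-derived."""
    name = ptr.rstrip(".").lower()
    for text, kind in octet_variants(ip).items():
        # Digit boundaries stop 98.216.115.20 from matching "...115-208".
        if re.search(r"(?<![0-9])" + re.escape(text) + r"(?![0-9])", name):
            labels = set(re.split(r"[.\-_]", name))
            return {"embedded": kind,
                    "generic_words": sorted(labels & GENERIC_WORDS)}
    return None


if __name__ == "__main__":
    samples = [  # first pair is from the post; the rest are constructed
        ("208.115.216.98", "98-216-115-208.static.reverse.lstn.net"),
        ("192.0.2.7", "host-192-000-002-007.example.net"),
        ("208.115.216.98", "d073d862.dyn.example.net"),
        ("208.115.216.98", "mail.example.org"),
    ]
    for ip, ptr in samples:
        print(ip, ptr, classify_ptr(ip, ptr))
```

The result only says that the name is derived from the address; it does not check whether the name resolves back to the same IP, which needs a separate forward lookup.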