On 2/25/11 4:04 PM, David F. Skoll wrote:
> That quotes RFC 2142, which is only a proposed standard. rfc-ignorant.org
> is pretty well known for being... how to put this delicately... aggressive.
'Back in the day', if an ISP/email provider or luser did not have a
postmaster and abuse account, it was pretty much a sign they didn't want
to know about abuse, or were ignorant at best, and it was a fairly good
sign that the domain could produce larger than normal amounts of spam.
Today, well, yes, they are ignorant, but they also don't have proper
RDNS, their HELOs are the default Windows internal server name, they don't
know to set up a postmaster and abuse account that is read by anyone, and
if they did, all they get is spam.
(Yes, we have them, and all we get is spam to them.)
Bogus MX is still a good sign of something wrong (although for a while
there one of the large hosted email providers was listed because they
had their clients use CNAMEs as MX records).
Bad DSN (where people stop allowing the null sender) is iffy. Lots of
companies block the null sender (and postmaster/mailer-daemon) due to abuse
by sender callouts, so you really can't use that list anymore.
Whois list: well, lots of folks got tired of spammers sending email to
the whois contact, so they don't list valid names, or use some
obfuscation.
The world changes. Where rfc-ignorant was very useful at one time, even
being used in prequeue/MTA checks, it has mostly lost its relevance.
As for SA, it wasn't political. The nightly mass checks did not show
much of a difference on spam vs. ham for domains with/without postmaster
or abuse addresses, so that is why the default scores are the way they
are. (And I would almost say just drop DNS_FROM_RFC_DSN and
RFC_ABUSE_POST, but they cost almost nothing... I mean, .001 points for
having a missing abuse and a missing postmaster? That is every default
Exchange install, isn't it? But it's only .001 points.)
50_scores.cf:score DNS_FROM_RFC_BOGUSMX 0 1.464 0 1.668 # n=0 n=2
50_scores.cf:score DNS_FROM_RFC_DSN 0 0.001 0 0.001 # n=0 n=2
72_scores.cf:score RFC_ABUSE_POST 0.001 0.001 0.001 0.001
So, with the exception of BOGUSMX (again, you have companies with CNAMEs
for MX listed), the rest are not very useful.
To kill them all, this should do it. It should prevent the original DNS
lookup, and then none of the other tests will ever pass.
meta __RFC_IGNORANT_ENVFROM (0)
For completeness, you can include:
score DNS_FROM_RFC_BOGUSMX 0
score __DNS_FROM_RFC_POST 0
score __DNS_FROM_RFC_ABUSE 0
score __DNS_FROM_RFC_WHOIS 0
score DNS_FROM_RFC_DSN 0
score RFC_ABUSE_POST 0   # rule name as listed in 72_scores.cf above
--
Michael Scheidell, CTO
o: 561-999-5000
d: 561-948-2259
ISN: 1259*1300
SECNAP Network Security Corporation
* Certified SNORT Integrator
* 2008-9 Hot Company Award Winner, World Executive Alliance
* Five-Star Partner Program 2009, VARBusiness
* Best in Email Security,2010: Network Products Guide
* King of Spam Filters, SC Magazine 2008
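The post's argument rests on reading the four columns of the quoted `score` lines and on `score ... 0` overrides in local.cf winning over the stock `*_scores.cf` files. The following is an added example, not code from the post or from SpamAssassin: it parses `score` lines in the grep-prefixed form shown above, resolves the four score sets the way SpamAssassin does (set 0: no Bayes/no network, 1: network only, 2: Bayes only, 3: both), applies the override lines the post proposes, and reports which rules are negligible or disabled. The input lines are constructed from the post; the `__`-prefixed names are SpamAssassin subrules, which never add to the total on their own, so the helper flags a `score` line for them as inert. The override for the abuse/postmaster rule uses the name `RFC_ABUSE_POST` as it appears in the quoted 72_scores.cf line.

```python
import re

# Constructed input: the default score lines quoted in the post, in the
# "file.cf:" grep form, plus the local.cf override lines the post proposes.
# Nothing here is read from a live SpamAssassin installation.
DEFAULT_SCORE_LINES = """
50_scores.cf:score DNS_FROM_RFC_BOGUSMX 0 1.464 0 1.668 # n=0 n=2
50_scores.cf:score DNS_FROM_RFC_DSN 0 0.001 0 0.001 # n=0 n=2
72_scores.cf:score RFC_ABUSE_POST 0.001 0.001 0.001 0.001
"""

OVERRIDE_LINES = """
# local.cf lines from the post (RFC_ABUSE_POST named as in 72_scores.cf)
score DNS_FROM_RFC_BOGUSMX 0
score __DNS_FROM_RFC_POST 0
score __DNS_FROM_RFC_ABUSE 0
score __DNS_FROM_RFC_WHOIS 0
score DNS_FROM_RFC_DSN 0
score RFC_ABUSE_POST 0
"""

# Column order of a four-value score line, as SpamAssassin selects them.
SCORE_SETS = (
    "set 0: no Bayes, no network tests",
    "set 1: no Bayes, network tests",
    "set 2: Bayes, no network tests",
    "set 3: Bayes and network tests",
)

# Optional "file.cf:" grep prefix, the keyword, the rule name, the values,
# and an optional trailing "# ..." comment.
SCORE_RE = re.compile(r"^(?:[\w./-]+:)?\s*score\s+(\S+)\s+(.*?)\s*(?:#.*)?$")


def parse_scores(text, table=None):
    """Parse 'score NAME n [n n n]' lines into {name: [s0, s1, s2, s3]}.

    A single value applies to all four score sets. A later line for the
    same rule replaces the earlier one, which is how a local.cf override
    takes precedence over the stock *_scores.cf files.
    """
    table = {} if table is None else table
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = SCORE_RE.match(line)
        if not m:
            continue
        name, values = m.group(1), m.group(2).split()
        if len(values) == 1:
            scores = [float(values[0])] * 4
        elif len(values) == 4:
            scores = [float(v) for v in values]
        else:
            raise ValueError(f"expected 1 or 4 scores, got {len(values)}: {line}")
        table[name] = scores
    return table


def score_set(use_bayes, network_tests):
    """Index of the score set a given configuration selects."""
    return (2 if use_bayes else 0) + (1 if network_tests else 0)


def effective_scores(table, use_bayes=True, network_tests=True):
    """Score each rule actually contributes under the given configuration."""
    idx = score_set(use_bayes, network_tests)
    return {name: scores[idx] for name, scores in table.items()}


def negligible_rules(table, idx, threshold=0.001):
    """Rules whose score in set idx is too small to affect a verdict."""
    return sorted(n for n, s in table.items() if abs(s[idx]) <= threshold)


def is_subrule(name):
    """'__' names are subrules: they only feed meta rules, so scoring them is inert."""
    return name.startswith("__")


if __name__ == "__main__":
    defaults = parse_scores(DEFAULT_SCORE_LINES)
    for idx, label in enumerate(SCORE_SETS):
        print(f"{label}: negligible = {negligible_rules(defaults, idx)}")
    merged = parse_scores(OVERRIDE_LINES, dict(defaults))
    for name, score in effective_scores(merged).items():
        note = " (subrule; score line has no effect)" if is_subrule(name) else ""
        print(f"{name}: {score}{note}")
```

Run as a script it shows that, with stock scores, only DNS_FROM_RFC_BOGUSMX carries weight, and only in the two network-enabled sets; once the override lines are layered on top, every rfc-ignorant rule resolves to 0 in all four sets.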