
Possible feature request

Printed From: LogSat Software
Category: Spam Filter ISP
Forum Name: Spam Filter ISP Support
Forum Description: General support for Spam Filter ISP
URL: https://www.logsat.com/spamfilter/forums/forum_posts.asp?TID=5461
Printed Date: 22 February 2025 at 5:55pm


Topic: Possible feature request
Posted By: Terry
Subject: Possible feature request
Date Posted: 25 January 2006 at 5:45pm

We are getting a lot of spam coming in from obvious home DSL and broadband connections. We believe that this is because of all the latest trojans out there. The impact to us is that these are not yet blacklisted and therefore many get past the spamfilter and make it into our email system. We notice that there are reverse DNS entries for these machines and they seem to follow a common pattern. The reverse DNS entry has all the octets of the IP address originating the email... for example:

5/06 09:29:41:699 -- (2920) Resolving 24.30.57.153 - c-24-30-57-153.hsd1.ga.comcast.net
01/25/06 09:29:41:793 -- (2920) - SPF analysis for inrete.it done: - none
01/25/06 09:29:41:793 -- (2920) Mail from: mailto:ofwwte@inrete.it - ofwwte@inrete.it
01/25/06 09:29:41:949 -- (1756) Resolving 69.173.213.68 - 69-173-213-68.clvdoh.adelphia.net

Would it be possible to add a quarantine or block option to spamfilter to allow us to quarantine any email from a sender where each octet of their source IP address can also be found in the reverse DNS name? We think this would stop a ton of spam from getting past the filter.

Terry
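
The check requested in the post above, as an added example that is not part of the original thread and not SpamFilter ISP code: it reads the "Resolving <ip> - <name>" log lines and reports senders whose reverse DNS name contains every octet of the source IP. It assumes octets appear as separate decimal labels split by ".", "-" or "_" (names that run the octets together or hex-encode them are not detected); the function names and the last two log lines are constructed for illustration.

```python
import ipaddress
import re
from collections import Counter

# Matches the "Resolving <ip> - <ptr>" lines quoted in the post.
RESOLVE_RE = re.compile(r"Resolving (\d{1,3}(?:\.\d{1,3}){3}) - (\S+)")

def ptr_embeds_ip(ip, ptr):
    """True if every octet of `ip` appears as its own numeric label in `ptr`.

    Labels are compared as whole numbers, so octet 24 does not match "240"
    or "hsd1", and a zero-padded label such as "024" still matches. A
    multiset is used so 10.10.10.1 needs three separate "10" labels.
    """
    try:
        addr = ipaddress.IPv4Address(ip)
    except ValueError:
        return False  # not a valid IPv4 address, nothing to compare
    octets = Counter(int(o) for o in str(addr).split("."))
    labels = re.split(r"[.\-_]", ptr.lower())
    numbers = Counter(int(t) for t in labels if t.isascii() and t.isdigit())
    return not (octets - numbers)  # empty when every octet was found

def flag_dynamic_senders(log_lines):
    """Return (ip, ptr) pairs from the log whose PTR name embeds the IP."""
    hits = []
    for line in log_lines:
        m = RESOLVE_RE.search(line)
        if m and ptr_embeds_ip(m.group(1), m.group(2)):
            hits.append((m.group(1), m.group(2)))
    return hits

# First two lines are from the post; the last two are constructed samples.
SAMPLE_LOG = [
    "5/06 09:29:41:699 -- (2920) Resolving 24.30.57.153 - c-24-30-57-153.hsd1.ga.comcast.net",
    "01/25/06 09:29:41:949 -- (1756) Resolving 69.173.213.68 - 69-173-213-68.clvdoh.adelphia.net",
    "01/25/06 09:30:02:101 -- (1756) Resolving 192.0.2.25 - mail.example.com",
    "01/25/06 09:30:02:340 -- (2920) Resolving 192.0.2.24 - pool-192-0-2-240.example.net",
]

if __name__ == "__main__":
    for ip, ptr in flag_dynamic_senders(SAMPLE_LOG):
        print(f"quarantine candidate: {ip} ({ptr})")
```

A match only says the name was generated from the address; providers also name static and business ranges this way, so it fits better as a quarantine or scoring signal than as an outright block.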

 




Replies:
Posted By: Desperado
Date Posted: 25 January 2006 at 6:38pm

Terry,

First, I agree with your assessment; however, the IP you used in your example would have been blocked by the combined.njabl.org DNSBL, Spamcop, Sorbs, Spamhaus and about a dozen other lists, so would that not be a better plan?



-------------
The Desperado
Dan Seligmann.
Work: http://www.mags.net
Personal: http://www.desperado.com



Posted By: Guests
Date Posted: 25 January 2006 at 8:07pm

The IPs in the example were just that... an example... in fact one was blocked and one wasn't. I just pulled them from the log to show the format I was talking about...

 

Terry



Posted By: Desperado
Date Posted: 25 January 2006 at 8:11pm

Terry,

What DNSBLs are you using? Several have dynamic / cable / home IPs on them.






Posted By: Guests
Date Posted: 25 January 2006 at 8:15pm

I am using these:

bl.spamcop.net, true
sbl.spamhaus.org, true
spam.dnsrbl.net, true
dnsbl.njabl.org, true

Terry



Posted By: Desperado
Date Posted: 25 January 2006 at 8:35pm

Terry,

I use:

sbl-xbl.spamhaus.org
dnsbl.sorbs.net
combined.njabl.org
bl.spamcop.net

Notice the slight diff in 2 lists.






Posted By: Guests
Date Posted: 26 January 2006 at 9:36am
I will try your settings on mine... however, I still think that the feature might be worthwhile.


Posted By: Guests
Date Posted: 26 January 2006 at 9:51am

Okay... Dan... I have done a little more research and I see that this combined.njabl.org list does the dynamic IP address blocking I was asking for... I didn't know (or understand) that before... I appreciate the information.

Terry



Posted By: Desperado
Date Posted: 26 January 2006 at 10:33am

Terry,

It will not get all of them but should be an improvement.






