[ On Monday, January 26, 2004 at 12:55:13 (+0000), Glenn Carver wrote: ]
> Subject: [Exim] Scanning Received: headers for Dialups
>
> I've been looking at the spam still getting through our filters and
> most of it is from dialups not listed in the DNSBLs.
>
> I noticed that it is common for dialup lines to have names with many
> '-'s in them.
> e.g.
>
> Received: from [80.162.59.221] (helo=x1-6-00-00-b4-5a-56-60.k250.webspeed.dk)
>
> I was wondering whether a workable spam filter would be one which
> checked the last listed Received: header for a string which included
> (say) 4 '-'s in the leftmost part of the domain.
>
> Would this approach work as a way of identifying dialups?
You should probably be looking at the rDNS name in an ACL that triggers
during the HELO/EHLO command, and not try to do this after you've
already received the message, accepted responsibility for delivering it,
and have created a local "received:" header for it, especially if you're
already using DNSBLs to block connections.
You should probably also have a look at some of the existing DNSBLs to
learn how they recognize possible dialups and then try inventing better
regular expressions to recognize the ones they fail to recognize.
In this example, if I'm not mistaken, all "[a-z][0-9]+\.webspeed\.dk"
hostnames are client systems that you don't want to accept connectoins
from.
--
Greg A. Woods
+1 416 218-0098 VE3TCP RoboHack <woods@???>
Planix, Inc. <woods@???> Secrets of the Weird <woods@???>
