In message <20050831233553.GA589@???>, Wakko Warner
<wakko@???> writes
>Please keep me in CC
many of the regular list posters feel otherwise ... it's much simpler to
just live with what happens
http://www.exim.org/eximwiki/MailingListEtiquette
there's always the list archives on the web if you miss things
>> BTW you'd need to time out entries over some sort of fairly short period
>> to avoid being caught out by ISPs renaming their cluster machines... :)
>
>I hadn't thought of this, however how often does it happen.
on the planet, regularly; to you, seldom
> I'd say if an
>ISP did this, they would notice rather quickly.
they'd know they'd done it... you must mean that _you'd_ notice. Yes,
you'd have rejected some email that you now regret never receiving
that's why making firm decisions on heuristics is problematic; and if
you must do it you need to be as flexible and responsive as possible
>An alternative would be to
>bypass this check if the HELO resolves to the connecting IP. I've seen spam
>with an HELO of the hostname of the zombie according to DNS so that wouldn't
>work all that well either.
it would work poorly -- I regularly see more accurate HELOs from malware
than from the customer's own mailing system :(
That said, there is a lot of malware that doesn't even try to get it
right -- but overall I think this would be a poor heuristic.
In fact, if the malware gets the HELO right and the customer gets it
wrong then when you received email from both instantiations of this IP
address (as might well be the case for malware raiding address books)
you'd make absolutely the reverse of the correct decision :(
>If just everyone had a router and a private IP, it
>would be much easier to block based on this.
Fantasize as you wish; I deal in the real world :)
- --
richard Richard Clayton
They that can give up essential liberty to obtain a little temporary
safety deserve neither liberty nor safety. Benjamin Franklin
