How to know if I'm blacklisted

Matt Kettler mkettler at evi-inc.com
Mon Jan 28 18:22:32 GMT 2008


Glenn Steen wrote:
> On 21/01/2008, Matt Kettler <mkettler at evi-inc.com> wrote:
>> Glenn Steen wrote:
>>> Yes. Exactly. One such invalidity is to use an email address syntax
>>> (... at ....), which an amazing number of spam senders use.
>>> One can argue about what is deemed a valid domain name, from a
>>> syntactical viewpoint.... For instance, a bare word (xxxxx) isn't
>>> syntactically correct either. Fortunate that the RFCs are pretty clear
>>> on that too:-)
>> I see a lot of spam and viruses with the bare hostname, but haven't seen any
>> with the @ sign.. maybe I'll have to look harder..
>>
> I promised some figures, so here they are:
> Yesterday I rejected 109 HELO/EHLO strings that contained an @.
> Compare this to the 2687 rejects on a bare word HELO/EHLO, and it
> doesn't seem much, agreed. But all simple things count;-).

For follow-up,

I found out why I'm not seeing any helo's with @'s in them. My sendmail rejects 
these by default, and doesn't even log a reject event.

I have started using the bareword helo as a greylist criterion, which works 
pretty well.

(I do selective greylisting, where only suspicious connections get greylisted. 
Since the effects of greylisting legitimate mail are only delays, I can be more 
aggressive than I can with blacklisting.)

I implemented the helo filter back on the 24th.

Since Sunday the 27th at 12am (a roughly 36-hour period), I have the following 
message counts:

1818 were greylisted due to bareword helo
2681 were greylisted by domain or lack of reverse DNS.
535 were greylisted by IP address
1066 were greylisted due to being listed in various RBLs (these are too FP prone 
for blacklisting in my environment, but useful here)
6187 messages were greylisted (total, including odds and ends not listed above)

2850 messages were delivered without greylisting.

3 messages were delivered after being delayed that were not tagged as spam by 
SpamAssassin. (somewhat indicative of FP rate for the greylist, but might be a 
correct positive of the greylist, and a FN of SpamAssassin.)

None of those 3 FPs were bareword helo's. (one was a FP of SORBS-DUL, and 2 were 
servers with generic ip-based reverse-dns)
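
The HELO handling discussed in this thread, as an added example that is not part of the original post or of either poster's configuration: it classifies the HELO/EHLO name, rejects names containing an @, and greylists only bareword names. The 300-second delay, the (ip, sender, recipient) key, and treating malformed names as suspicious are assumptions; the other criteria mentioned above (reverse DNS, IP address, RBLs) are not modelled.

```python
import re
import time

# One DNS label: letters, digits, hyphens, no leading or trailing hyphen.
LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")

def classify_helo(helo):
    """Return 'at-sign', 'address-literal', 'bareword', 'fqdn' or 'malformed'."""
    helo = helo.strip()
    if "@" in helo:
        return "at-sign"              # e-mail address syntax used as a HELO name
    if helo.startswith("[") and helo.endswith("]"):
        return "address-literal"      # e.g. [192.0.2.1], a valid SMTP form
    labels = helo.rstrip(".").split(".")
    if not all(LABEL.match(label) for label in labels) or labels[-1].isdigit():
        return "malformed"            # bad characters, empty name, unbracketed IP
    return "bareword" if len(labels) == 1 else "fqdn"

class SelectiveGreylist:
    """Delay only suspicious connections; all other mail passes immediately."""

    def __init__(self, delay=300):
        self.delay = delay            # assumed retry window, in seconds
        self.first_seen = {}          # (ip, sender, rcpt) -> time of first attempt

    def decide(self, ip, helo, sender, rcpt, now=None):
        now = time.time() if now is None else now
        kind = classify_helo(helo)
        if kind == "at-sign":
            return "reject"
        if kind not in ("bareword", "malformed"):   # 'malformed' is an assumption
            return "accept"
        key = (ip, sender.lower(), rcpt.lower())
        first = self.first_seen.setdefault(key, now)
        return "accept" if now - first >= self.delay else "tempfail"

if __name__ == "__main__":
    # Constructed sample connections: (ip, helo, sender, recipient, time).
    samples = [
        ("192.0.2.10", "WINPC", "a@example.org", "b@example.net", 0),
        ("192.0.2.10", "WINPC", "a@example.org", "b@example.net", 600),
        ("192.0.2.20", "mail.example.com", "c@example.com", "b@example.net", 0),
        ("192.0.2.30", "joe@example.org", "d@example.org", "b@example.net", 0),
    ]
    greylist = SelectiveGreylist()
    for ip, helo, sender, rcpt, t in samples:
        verdict = greylist.decide(ip, helo, sender, rcpt, now=t)
        print(f"{helo:18} {classify_helo(helo):10} {verdict}")
```

A legitimate server that announces a bareword name is only delayed: its retry after the window is accepted, which is why this criterion can be applied more aggressively than a blacklist.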

More information about the MailScanner mailing list