How to know if I'm blacklisted

Glenn Steen glenn.steen at gmail.com
Mon Jan 28 19:55:32 GMT 2008


On 28/01/2008, Matt Kettler <mkettler at evi-inc.com> wrote:
> Glenn Steen wrote:
> > On 21/01/2008, Matt Kettler <mkettler at evi-inc.com> wrote:
> >> Glenn Steen wrote:
> >>> Yes. Exactly. One such invalidity is to use an email address syntax
> >>> (... at ....), which an amazing number of spam senders use.
> >>> One can argue about what is deemed a valid domain name, from a
> >>> syntactical viewpoint.... For instance, a bare word (xxxxx) isn't
> >>> syntactically correct either. Fortunate that the RFCs are pretty clear
> >>> on that too:-)
> >> I see a lot of spam and viruses with the bare hostname, but haven't seen any
> >> with the @ sign.. maybe I'll have to look harder..
> >>
> > I promised some figures, so here they are:
> > Yesterday I rejected 109 HELO/EHLO strings that contained an @.
> > Compare this to the 2687 rejects on a bare word HELO/EHLO, and it
> > doesn't seem much, agreed. But all simple things count;-).
>
> For follow-up,
>
> I found out why I'm not seeing any helo's with @'s in them. My sendmail rejects
> these by default, and doesn't even log a reject event.
>
> I have started using the bareword helo as a greylist criterion, which works
> pretty well.
>
> (I do selective greylisting, where only suspicious connections get greylisted.
> Since the effects of greylisting legitimate mail are only delays, I can be more
> aggressive than I can with blacklisting.)
>
> I implemented the helo filter back on the 24th.
>
> Since Sunday the 27th at 12am (roughly 36 hour period), I have the following
> message counts:
>
> 1818 were greylisted due to bareword helo
> 2681 were greylisted by domain or lack of reverse DNS.
> 535 were greylisted by IP address
> 1066 were greylisted due to being listed in various RBLs (these are too FP prone
> for blacklisting in my environment, but useful here)
> 6187 messages were greylisted (total, including odds and ends not listed above)
>
> 2850 messages were delivered without greylisting.
>
> 3 messages were delivered after being delayed that were not tagged as spam by
> SpamAssassin. (somewhat indicative of FP rate for the greylist, but might be a
> correct positive of the greylist, and a FN of spamassassin.)
>
> None of those 3 FPs were bareword helo's. (one was a FP of SORBS-DUL, and 2 were
> servers with generic ip-based reverse-dns)
>
Ah. The thing I love best about things like this (especially when one
can safely do rejects instead of slightly more costly things like a
greylist) is the minimal effort MY systems have to spend on it:-).

Cheers
-- 
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se
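
The HELO/EHLO checks discussed in this thread (an argument containing "@", and a bare single-word argument), sketched as an added example that is not from either poster's configuration. The category names, the policy table and the sample strings are assumptions made for illustration.

```python
import ipaddress
import re
from collections import Counter

# One DNS label: letters, digits, hyphens; no leading or trailing hyphen.
LABEL = re.compile(r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)")

def classify_helo(arg: str) -> str:
    """Categorise the argument of a HELO/EHLO command by syntax only."""
    arg = arg.strip()
    if not arg:
        return "empty"
    if "@" in arg:
        return "at-sign"  # an e-mail address, not a host name
    if arg.startswith("[") and arg.endswith("]"):
        literal = arg[1:-1]
        try:
            if literal.lower().startswith("ipv6:"):
                ipaddress.IPv6Address(literal[5:])
            else:
                ipaddress.IPv4Address(literal)
            return "address-literal"
        except ValueError:
            return "malformed"
    labels = arg.rstrip(".").split(".")
    if len(arg) > 255 or not all(LABEL.fullmatch(l) for l in labels):
        return "malformed"
    if len(labels) == 1:
        return "bareword"
    if labels[-1].isdigit():
        return "malformed"  # bare IP address without the [] of a literal
    return "fqdn"

# Assumed policy: reject '@', greylist barewords (the selective greylisting
# described in the thread); rejecting empty/malformed is this example's choice.
POLICY = {"at-sign": "reject", "empty": "reject",
          "malformed": "reject", "bareword": "greylist"}

def decide(arg: str, policy=POLICY) -> str:
    return policy.get(classify_helo(arg), "accept")

# Constructed sample HELO arguments, not taken from any real log.
SAMPLES = ["mail.example.org", "FRIENDLY-PC", "user@example.com",
           "[192.0.2.25]", "192.0.2.25", "localhost", "-bad-.example.net"]

def tally(samples) -> Counter:
    return Counter(decide(s) for s in samples)

if __name__ == "__main__":
    print(tally(SAMPLES))
```

Passing a different `policy` mapping (for example, "bareword" set to "reject") switches between the reject and greylist approaches the two posters describe.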

