Posted to users@spamassassin.apache.org by Marc Perkel <su...@junkemailfilter.com> on 2008/02/28 16:46:01 UTC

Using Name Based Hostkarma lookups in SpamAssassin

Here's something I'm doing that works really well and could be 
implemented in SA. And once it is done using my HostKarma list, I'm 
hoping that this will be so successful that someone else will make an 
even better list than mine.

This trick is most effective for whitelisting but can be used for 
blacklisting and what I call yellow listing. It's not an IP based lookup 
but rather a host name based lookup using forward-confirmed rDNS.

Forward-confirmed rDNS can't be spoofed. You look up the rDNS to get the 
host name. You then look up the host name to verify it points back to 
the same IP. If it does, it's forward confirmed.

Then you look up the host name in the hostkarma list.

dig dxv05.wellsfargo.com.hostkarma.junkemailfilter.com

This returns 127.0.0.1 indicating the name is whitelisted. At that point 
I need not do any more tests. The message is ham.

The reason for adding this to SA is that, if the data in the DNS is 
correct, it is 100% accurate for matches. This not only eliminates false 
positives but reduces system load by skipping all other tests. And it is 
especially good for whitelisting because servers that send nothing but 
good email are stable; they don't change IP addresses to avoid 
detection the way spammers do.

It also works very well on blacklists and what I call "yellow lists". 
Names like yahoo.com and hotmail.com are yellow listed, which means that 
they are a mixed spam source and that the sending IP address has no 
information as to whether it is spam or not. A yellow listed host name or 
IP address skips all other IP based tests and goes on to content 
testing. This keeps these servers from accidentally being either white 
or black listed.

Another thing I do is, if the host name is whitelisted, then after the 
lookup I whitelist the IP address automatically so that IP based lookups 
see that same information. So when a Wells Fargo Bank server sends me an 
email, I detect it is white from the hostname. But after I do that, the 
IP address is added to the white list so that other people reading my 
white list will see the IP and allow it on their servers. This is why my 
IP based white lists are so accurate.

So, getting to the point: I'm doing this and it works. I'm trying to 
get others excited about this because I know that you will do it better 
than me. So I want the smart people here to think this through and 
improve it.



-- 
Marc Perkel - Sales/Support
support@junkemailfilter.com
http://www.junkemailfilter.com
Junk Email Filter dot com
415-992-3401
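The procedure described in the post (forward-confirm the rDNS name, look the name up in the hostkarma zone, decide which tests to skip, and propagate a white verdict to the IP) as an added worked example. This is not code from the original post or from junkemailfilter.com; it is written here to show the logic end to end. The DNS lookups are passed in as callables so the check runs offline against constructed records; the default callables use the socket module for real queries. Only the 127.0.0.1 = whitelisted code is stated in the post; the other return codes, the zone's behaviour for unknown names, the action names and all of the sample IPs and hostnames below are assumptions made for this example.

```python
"""Forward-confirmed rDNS + name-based hostkarma lookup (added example).

Not code from the original post or from junkemailfilter.com. Lookups are
injectable so the decision logic can be exercised offline with constructed
DNS data; the socket-based defaults do real queries.
"""
import socket
from typing import Callable, Dict, List, Optional

HOSTKARMA_ZONE = "hostkarma.junkemailfilter.com"  # zone named in the post

# 127.0.0.1 = whitelisted is what the post states. The other codes are
# ASSUMED for this example; verify them against the list's own documentation.
KARMA_CODES = {
    "127.0.0.1": "white",
    "127.0.0.2": "black",   # assumed
    "127.0.0.3": "yellow",  # assumed
}

PtrLookup = Callable[[str], List[str]]   # ip -> PTR names
ALookup = Callable[[str], List[str]]     # name -> A records


def socket_ptr_lookup(ip: str) -> List[str]:
    """Real PTR lookup; returns [] when the IP has no rDNS."""
    try:
        return [socket.gethostbyaddr(ip)[0]]
    except OSError:          # socket.herror is a subclass of OSError
        return []


def socket_a_lookup(name: str) -> List[str]:
    """Real A lookup; returns [] on NXDOMAIN or resolver failure."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except OSError:          # socket.gaierror is a subclass of OSError
        return []


def forward_confirmed_rdns(ip: str, ptr_lookup: PtrLookup, a_lookup: ALookup) -> Optional[str]:
    """Return the first PTR name whose forward A records contain ip, else None.

    A PTR that does not resolve back to the sending IP is ignored, so a
    sender cannot claim a name it does not control just by setting rDNS.
    """
    for name in ptr_lookup(ip):
        name = name.rstrip(".").lower()
        if ip in a_lookup(name):
            return name
    return None


def hostkarma_lookup(hostname: str, a_lookup: ALookup, zone: str = HOSTKARMA_ZONE) -> Optional[str]:
    """Equivalent of `dig <hostname>.<zone>`; maps the answer to a colour.

    None means the name is not listed (NXDOMAIN) or the code is unknown,
    i.e. the list has no information and all normal tests should run.
    """
    query = f"{hostname.rstrip('.')}.{zone}"
    for addr in a_lookup(query):
        colour = KARMA_CODES.get(addr)
        if colour:
            return colour
    return None


class NameKarmaCheck:
    """Decides, per sending IP, what the rest of the filter should do."""

    def __init__(self, ptr_lookup: PtrLookup = socket_ptr_lookup,
                 a_lookup: ALookup = socket_a_lookup) -> None:
        self.ptr_lookup = ptr_lookup
        self.a_lookup = a_lookup
        self.ip_whitelist = set()   # IPs learned from whitelisted names

    def classify(self, ip: str) -> Dict[str, Optional[str]]:
        name = forward_confirmed_rdns(ip, self.ptr_lookup, self.a_lookup)
        if name is None:
            return {"fcrdns": None, "karma": None, "action": "run_all_tests"}
        karma = hostkarma_lookup(name, self.a_lookup)
        if karma == "white":
            self.ip_whitelist.add(ip)           # propagate name verdict to the IP
            action = "accept_skip_all_tests"    # the post: "the message is ham"
        elif karma == "black":
            action = "reject"
        elif karma == "yellow":
            action = "skip_ip_tests_content_only"   # mixed source: content tests only
        else:
            action = "run_all_tests"
        return {"fcrdns": name, "karma": karma, "action": action}


# Constructed DNS records for offline demonstration (documentation IPs, not
# real records; the wellsfargo.com name is the one the post uses as example).
FAKE_PTR = {
    "192.0.2.10": ["dxv05.wellsfargo.com."],   # forward-confirmed, whitelisted
    "192.0.2.20": ["dxv05.wellsfargo.com."],   # rDNS claims the name but A does not match
    "192.0.2.30": ["mta.example.org."],        # forward-confirmed, yellow-listed
    "192.0.2.40": [],                          # no rDNS at all
    "192.0.2.50": ["relay.example.com."],      # forward-confirmed, blacklisted
}
FAKE_A = {
    "dxv05.wellsfargo.com": ["192.0.2.10"],
    "mta.example.org": ["192.0.2.30"],
    "relay.example.com": ["192.0.2.50"],
    "dxv05.wellsfargo.com.hostkarma.junkemailfilter.com": ["127.0.0.1"],
    "mta.example.org.hostkarma.junkemailfilter.com": ["127.0.0.3"],
    "relay.example.com.hostkarma.junkemailfilter.com": ["127.0.0.2"],
}


def fake_ptr_lookup(ip: str) -> List[str]:
    return FAKE_PTR.get(ip, [])


def fake_a_lookup(name: str) -> List[str]:
    return FAKE_A.get(name.rstrip(".").lower(), [])


def demo() -> Dict[str, Dict[str, Optional[str]]]:
    """Classify every constructed sender; returns {ip: verdict}."""
    check = NameKarmaCheck(fake_ptr_lookup, fake_a_lookup)
    return {ip: check.classify(ip) for ip in FAKE_PTR}


if __name__ == "__main__":
    for ip, verdict in demo().items():
        print(ip, verdict)
```

The 192.0.2.20 entry is the case the forward confirmation exists for: its PTR names the whitelisted host, but the host's A record points elsewhere, so the name is never looked up and the sender gets no benefit from the whitelist. To run it against live DNS, construct `NameKarmaCheck()` with the defaults instead of the fake lookups.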