[spambayes-dev] Results for DNS lookup in tokenizer

Matthew Dixon Cowles matt at mondoinfo.com
Sat Apr 10 23:19:29 EDT 2004

Dear Skip,

> Doesn't mine_received_headers work for you?  I've got lots of
> tokens in my database like:

>     received:65.248
>     received:65.248.59
>     received:
>     received:
>     received:

> which records all the possible fragments of the ip addresses
> through which the mail moves.

I expect that it would help most of the time, but it's not what I
wanted to do. Some of the addresses that I read go through different
SMTP servers. In particular, there are two servers that receive mail
for a webmaster address, a postmaster address, and an ARIN contact
address that I read. Those addresses get almost nothing but spam, but
I need to get what little legitimate mail does get sent to them.
Using mine_received_headers, I'd have a very strong spam clue that
was really for the wrong reason. Whether that one clue would push the
legitimate mail that I get at those addresses into the wrong bucket
is hard for me to tell since I don't get enough legitimate mail sent
to them to be able to perform much of an experiment.

In addition, my unscientific poking at recent spam suggests to me
that spam is sent to my servers from a lot of different places. But
the sites spamvertized tend to be on a much smaller number of
networks. It seems that it's easier for a spammer to find a
compromised PC to relay through than it is for them to find someone
willing to host their site.

For example, looking through my logs for this evening, I find four
spams that advertise seemingly unrelated products but which have URLs
that resolve to addresses within the same /24 in China.
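
The idea discussed in this message, as an added example that is not part of the original post and is not SpamBayes code: resolve the hosts of URLs found in a message body and emit address-prefix tokens in the same style as the `received:` tokens quoted above. The `url-ip:` token names, the function names, the sample messages and the stand-in resolver (documentation addresses from 203.0.113.0/24) are all constructed for illustration.

```python
import re
from urllib.parse import urlsplit

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.I)

def prefix_tokens(ip):
    """203.0.113.10 -> url-ip:203, url-ip:203.0, url-ip:203.0.113, url-ip:203.0.113.10"""
    octets = ip.split(".")
    return {"url-ip:" + ".".join(octets[:n]) for n in range(1, 5)}

def url_ip_tokens(body, resolve):
    """Tokens for every address that the URL hosts in `body` resolve to.

    `resolve(host)` returns a list of IPv4 strings and raises OSError on
    failure; a live one could be lambda h: socket.gethostbyname_ex(h)[2].
    """
    tokens = set()
    for url in URL_RE.findall(body):
        host = (urlsplit(url).hostname or "").rstrip(".")
        if not host:
            continue
        try:
            addrs = resolve(host)
        except OSError:
            tokens.add("url-ip:lookup-failed")  # a failed lookup is itself a clue
            continue
        for ip in addrs:
            tokens |= prefix_tokens(ip)
    return tokens

def shared_tokens(bodies, resolve):
    """Tokens present in every message: what the classifier can learn from."""
    return set.intersection(*(url_ip_tokens(b, resolve) for b in bodies))

# Constructed stand-in for DNS so the example runs offline.
FAKE_DNS = {"pills.example": ["203.0.113.10"], "loans.example": ["203.0.113.57"],
            "watches.example": ["203.0.113.112"], "degrees.example": ["203.0.113.200"]}

def fake_resolve(host):
    if host not in FAKE_DNS:
        raise OSError("no such host: " + host)
    return FAKE_DNS[host]

# Constructed sample bodies: unrelated products, hosts in one /24.
SAMPLE_SPAM = ["Cheap meds at http://pills.example/buy?id=1",
               "Refinance today: http://loans.example/apply",
               "Luxury replicas http://watches.example/",
               "Get your diploma <http://degrees.example/now>"]

if __name__ == "__main__":
    print(sorted(shared_tokens(SAMPLE_SPAM, fake_resolve)))
```

With a live resolver the hostnames come from untrusted mail, so lookups need a timeout and a cache.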
