perl.qpsmtpd mailing list | Postings from January 2010

Re: Enemieslist

From: Chris Lewis
Date: January 25, 2010 19:49
Subject: Re: Enemieslist
Message ID: 4B5E6659.9050906@nortel.com
Johan Almqvist wrote:
> On 24. jan. 2010, at 12.28, Peter J. Holzer wrote:
>> See http://enemieslist.com/how/use.html
>>
>> (The front page says this is "not currently available for public use",
>> but it seems to be)
>>
>> For example, if the client sends EHLO smtp28.orange.fr (taken from a
>> random spam message), you query smtp28.orange.fr.g.enemieslist.com.
>> and get back
>>
>> smtp28.orange.fr.g.enemieslist.com. 21600 IN A  127.0.2.11
>>
>> 127.0.2.11 means "legitimate mail source", so in this case enemieslist
>> wouldn't have helped to detect the spam.

Wrong tool for determining spam from that IP.

EL's intent is to classify domain-ish rDNS and helo strings as to 
whether they're dhcp-ish, SMTP-server-ish, host-ish, web server-ish, 
cable-ish, adsl-ish, etc.

The idea being that you can use EL's return codes to tweak your 
filtering.  Eg: Something using SMTP server names is less likely to be 
spam than something using DHCP patterning.  You can key these to 
different SpamAssassin scores.

For example, triggering on EL's "dynamic" return codes is roughly 
equivalent to using a rather more accurate DUL than most DULs.

EL is capable of delivering far more sophisticated filtering information 
than plain DNSBLs are.  In particular, making EL dynamic hits on HELO 
strings is remarkably successful with fewer FPs than NXDOMAIN or on rDNS.

Using an EL-specific plugin is only making limited use of the potential 
of EL.  You're unlikely to use much more than asking EL "does this FQDN 
represent a dynamic IP?" in either HELOs or rDNS (see above).

You get much more of EL's capabilities if used in something like 
SpamAssassin, where you assign different scores (possibly negative) 
depending on what EL return you get.

> 
> As far as I understand the docs http://enemieslist.com/how/use.html you could have queried the more specific smtp28.orange.fr.h.enemieslist.com. for the EHLO name, where "h" is HELO/EHLO instead of "g" for generic.
> 
> I don't quite see the point of the "g" service anyhow since it is based on FQDNs - wouldn't it be more practical (simpler, faster, more reliable) to query the IP when you're interested in the identity of the connecting host (because as I understand it, Enemieslist is *not* a list for right-hand sides of e-mail addresses).

You're asking EL what kind of device that FQDN is (eg: dynamic pool), 
not whether the corresponding domain name is "bad".

> Also when I query it i get
> 
> calrissian.bsws.de.h.enemieslist.com. 0 IN A    67.215.65.132
> and even
> gmail.com.h.enemieslist.com. 0  IN      A       67.215.65.132

Someone's screwing with your DNS.  You'll probably have the same problem 
with ordinary DNSBLs.  Use a better DNS service.
