Dave, allow me to butt in here with the late night reply and say yes, your
interpretation is exactly right for all 3 of your examples.

And let me also add that clarity certainly does help, for example I saw a
weird false positive and chuckled over it.

I had a sd.txt that listed:

mac.com   apple.com

The false positive occurred when a message from [EMAIL PROTECTED] didn't
have a suitable revdns, and certainly didn't match apple.com either!  So now
I have:

.mac.com         apple.com
@mac.com         apple.com

Andrew 8)

-----Original Message-----
From: Dave Doherty [mailto:[EMAIL PROTECTED] 
Sent: Friday, April 16, 2004 12:15 AM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.JunkMail] why does this fail the spam domains test?


Hi Matt-

Thanks for the explanation. Let me feed back to you what I think you said.

yahoo.com
would require that all possible REVDNS entries contain "yahoo.com" so a
message would pass the test if the REVDNS of its originating IP was
abc.yahoo.com, abcyahoo.com or abc.yahoo.com.hk, but not yahoo.ca

@yahoo.com    yahoo.com
would require that all possible REVDNS entries end in "yahoo.com" so a
message would pass the test if the REVDNS of its originating IP was
abc.yahoo.com or abcyahoo.com, but not abc.yahoo.com.hk, or yahoo.ca

.yahoo.com    yahoo.com
would require that all possible REVDNS entries end in ".yahoo.com" so a
message would pass the test if the REVDNS of its originating IP was
abc.yahoo.com but not abc.yahoo.com.hk or yahoo.ca


Is this right?

-d



----- Original Message ----- 
From: Matt
To: [EMAIL PROTECTED]
Sent: Friday, April 16, 2004 1:46 AM
Subject: Re: [Declude.JunkMail] why does this fail the spam domains test?


Dave,

It works like two different CONTAINS filters.

It takes the value in the first column, and if the MAILFROM contains the
string, then it checks both columns against the REVDNS entry to see if
either one matches.  Since the first column has an @ symbol in it, that will
never match, and the only possible match would be in the second column as a
REVDNS CONTAINS type of match.

If you only have one entry per line, then both the MAILFROM and REVDNS will
need to contain that string.

Using an @ symbol in the first column isn't a requirement, and it's only
appropriate for domains with one possible REVDNS value since the first
column can't match leaving only one string to match on.  The reason for
putting it in there is because of some uses of VERP which can include
addresses within the MAILFROM before the @ symbol, especially with domains
like att.net which allow for forwarding.  It also prevents matches on
partial domains from occurring, though that would generally be rare.  I opt
to use the @ symbol in the first column when I only know of one legit REVDNS
domain, and I leave it off when there are two, and I omit the domain from
the list when there are three or more possible REVDNS matches.

Hope this helps.

Matt




Dave Doherty wrote:

Scott-

I think that I may misunderstand SPAMDOMAINS.

From the manual:

This test will catch E-mail that is not coming from a mailserver that it
should be coming from. This test will only work if you set up a file listing
domains that you wish to be included in this test. Specifically, it will
check the return address of the E-mail, and then check to see if the reverse
DNS entry of the IP that the E-mail was sent from contains the domain name.
If not, the E-mail fails the test. For example, if "hotmail.com" is listed
in the \IMail\Declude\spamdomains.txt file, then an E-mail coming from
"law2.hotmail.com" would not fail the test, but an E-mail from
"mail.example.ru" would fail the test.

Taking the lead from that description, my SPAMDOMAINS file consists of a
simple list of domains, one to a line, like this:

ebay.com
aol.com

Yet every example I have seen on this subject the past few days shows two
domains per line like this:

@juno.com        .untd.com

How is this supposed to work?

-Dave





----- Original Message ----- 
From: "R. Scott Perry" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Thursday, April 15, 2004 4:42 PM
Subject: Re: [Declude.JunkMail] why does this fail the spam domains test?



Can anyone explain why this message would fail the spamdomains test?


Here is the spamdomains entry:

@juno.com        .untd.com

The key here is the reverse DNS entry -- do you have the full headers for
the E-mail?  Although the IMail log file shows the IP address, it is
possible that Declude JunkMail may have used a different IP, which would be
reflected in the headers.

                                                    -Scott
---
Declude JunkMail: The advanced anti-spam solution for IMail mailservers
since 2000.
Declude Virus: Ultra reliable virus detection and the leader in mailserver
vulnerability detection.
Find out what you've been missing: Ask for a free 30-day evaluation.

---
[This E-mail was scanned for viruses by Declude Virus
(http://www.declude.com)]

---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail".  The archives can be found
at http://www.mail-archive.com.










-- 
=====================================================
MailPure custom filters for Declude JunkMail Pro.
http://www.mailpure.com/software/
=====================================================
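
Added example, not part of any poster's message and not Declude's code: a small Python model of the two-column check as Matt describes it in this thread (MAILFROM CONTAINS the first column, then REVDNS CONTAINS either column), run against Andrew's mac.com entries. The sample addresses and hostnames are constructed, and case-insensitive matching is an assumption.

```python
# Model of the SPAMDOMAINS rule as described in the thread, not Declude's code.
# All sample senders and reverse-DNS names below are constructed.

def parse_entries(text):
    """Parse spamdomains-style lines into (mailfrom_string, revdns_strings)."""
    entries = []
    for line in text.splitlines():
        cols = line.split()
        if cols:
            # Both columns are tried against REVDNS; a one-column line
            # uses the same string for the MAILFROM and REVDNS checks.
            entries.append((cols[0].lower(), [c.lower() for c in cols[:2]]))
    return entries


def spamdomains_fails(entries, mailfrom, revdns):
    """Return True when the message fails the test under this model."""
    mailfrom = mailfrom.lower()          # assumption: matching ignores case
    revdns = (revdns or "").lower()      # missing reverse DNS matches nothing
    for key, candidates in entries:
        if key in mailfrom:              # MAILFROM CONTAINS first column
            # An "@..." first column can never appear in a hostname, so only
            # the second column can satisfy the REVDNS check for that line.
            if not any(c in revdns for c in candidates):
                return True
    return False


LOOSE = parse_entries("mac.com   apple.com")
ANCHORED = parse_entries(".mac.com   apple.com\n@mac.com   apple.com")

SAMPLES = [
    ("alice@mac.com", "smtpout.apple.com"),           # legitimate sender
    ("bob@examplemac.com", "host1.isp.example.net"),  # unrelated domain
    ("carol@mac.com", "host1.isp.example.net"),       # forged mac.com sender
]


def compare():
    """Return (mailfrom, fails_loose, fails_anchored) for each sample."""
    return [(m, spamdomains_fails(LOOSE, m, r), spamdomains_fails(ANCHORED, m, r))
            for m, r in SAMPLES]


if __name__ == "__main__":
    for row in compare():
        print(row)
```

The unanchored `mac.com` line fires on the unrelated sender because its domain merely contains the string, while the `.mac.com` / `@mac.com` pair skips that sender and still fails the forged one.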


