Besides you can do whatever you want with the test here are the definitions
These are my global config test names and return values CIP-WellFormed 10 CIP-OnlyIp 11 CIP-FullMatch 12 CIP-LeadingTextMatch 13 CIP-TrailingTextMatch 14 CIP-RDNSMatchWellFormed 20 CIP-RDNSMatchOnlyIp 21 CIP-RDNSMatchFullMatch 22 CIP-RDNSMatchLeadingTextMatch 23 CIP-RDNSMatchTrailingTextMatch 24 So if you do not want to weight OnlyIp then don't put a lower weight on it if you get many false positives Kevin Bilbee > -----Original Message----- > From: [EMAIL PROTECTED] > [mailto:[EMAIL PROTECTED] On Behalf Of Darin Cox > Sent: Monday, September 20, 2004 8:47 PM > To: [EMAIL PROTECTED] > Subject: Re: [Declude.JunkMail] Idea > > > Gotcha... just after I mentioned it I saw a couple of > industry newsletters that had an IP address for HELO. > They're obviously poor mailers, but our customers want to see > them, so we must oblige. Ahhhh, to be able to be stricter... > wouldn't that be the life...<grin>. > > Darin. > > > ----- Original Message ----- > From: "Kevin Bilbee" <[EMAIL PROTECTED]> > To: <[EMAIL PROTECTED]> > Sent: Monday, September 20, 2004 6:36 PM > Subject: RE: [Declude.JunkMail] Idea > > > Agreed I would never delete on the one test, (except my > personal black list), I would weight the email. A reverse DNS > endty should never return an ip address. If the HELO is an ip > it should should be in the form of [a.b.c.d] from my > understanding. But if I reverse a.b.c.d I should not get > a.b.c.d I should get host.example.com. If they do not want ot > follow standards that is fine but I am going to add weight to > their email. that is why I run Declude to weight emails that > do not wollow standards. > > I host coorporate email for my promary company and a few > sister companies so I have the ability to be a little > stricter and if I do get a false positive I work with the > customer/ISP of our customer to fix what is broken/non-standard. > > > Kevin Bilbee > > > -----Original Message----- > > From: [EMAIL PROTECTED] > > [mailto:[EMAIL PROTECTED] Behalf Of Darin Cox > > Sent: Monday, September 20, 2004 3:20 PM > > To: [EMAIL PROTECTED] > > Subject: Re: [Declude.JunkMail] Idea > > > > > > We've seen some legitimate mailers with an IP for the HELO, which > > matches the reverse DNS. I certainly wouldn't recommend > holding, much > > less deleting, on any one test. > > > > Darin. > > > > > > ----- Original Message ----- > > From: "Kevin Bilbee" <[EMAIL PROTECTED]> > > To: <[EMAIL PROTECTED]> > > Sent: Monday, September 20, 2004 5:41 PM > > Subject: RE: [Declude.JunkMail] Idea > > > > > > 99.9% is good enough and better than most RBLs especially in a > > weighted system. I have modified my code and am going to test for a > > few days using the ROUTETO action to inspect te emails for false > > positives. > > > > If I find the test acceptable I will post a new version of > contains IP > > with documentation. > > > > > > Thanks to thoes who have given feedback, > > Kevin Bilbee > > > > > -----Original Message----- > > > From: [EMAIL PROTECTED] > > > [mailto:[EMAIL PROTECTED] Behalf Of Matt > > > Sent: Monday, September 20, 2004 2:20 PM > > > To: [EMAIL PROTECTED] > > > Subject: Re: [Declude.JunkMail] Idea > > > > > > > > > I would say that 99.9% is probably accurate here, and > while that's > > > pretty good, it might cause more issues than benefit depending on > > > your system if you added extra weight for this condition. > There is > > > unfortunately software out there, or at least configurations that > > > will insert IP's into the reverse DNS entry and also use > that as the > > > HELO. For instance, if you name your Windows server with an IP'd > > > entry, that will get used by default in the HELO for MS > SMTP if I'm > > > not mistaken. It would only be 99.9% accurate due to the sheer > > > volume of zombie spam however that uses this method, but > I believe > > > that there are a measurable number of exceptions that may > or may not > > > work in a particular weighting scheme. > > > > > > Matt > > > > > > > > > > > > Colbeck, Andrew wrote: > > > > > > >Kevin, I suspect that you're right, and that 99.9% of the > > time, your rule > > > >would hold true. > > > > > > > >I would suggest that the IP address in the HELO would > have to match > > > >the reverse DNS exactly, though. > > > > > > > >I also think that it this observation would also hold true if > > > the HELO is an > > > >IP address and there is no reverse lookup, or the reverse lookup > > > times out. > > > > > > > >I think running that as a test for a while would bear that out; > > > let us know > > > >if you code that up and want to test it on some more systems... > > > > > > > >Andrew 8) > > > > > > > >-----Original Message----- > > > >From: Kevin Bilbee [mailto:[EMAIL PROTECTED] > > > >Sent: Saturday, September 18, 2004 12:09 PM > > > >To: [EMAIL PROTECTED] > > > >Subject: [Declude.JunkMail] Idea > > > > > > > > > > > >I was looking through my smaps and legitimate email. I > have noticed > > > >an interesting thing. When there is an ip address in the hello > > and the hello > > > >matches the reverse dns then it is always spam. I can not find > > > one example > > > >of a legitimate email that has these properties. > > > > > > > > > > > >What do you think??? > > > > > > > >I can update my contains ip test to support this type of test > > > >also???? > > > > > > > > > > > > > > > >Kevin Bilbee > > > > > > > > > > > >--- > > > >[This E-mail was scanned for viruses by Declude Virus > > > >(http://www.declude.com)] > > > > > > > >--- > > > >This E-mail came from the Declude.JunkMail mailing list. To > > unsubscribe, > > > >just send an E-mail to [EMAIL PROTECTED], and type > "unsubscribe > > > >Declude.JunkMail". The archives can be found at > > > >http://www.mail-archive.com. > > > >--- > > > >[This E-mail was scanned for viruses by Declude Virus > > (http://www.declude.com)] > > > > > >--- > > >This E-mail came from the Declude.JunkMail mailing list. To > > >unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type > > >"unsubscribe Declude.JunkMail". The archives can be found at > > >http://www.mail-archive.com. > > > > > > > > > > > > > > > > -- > > ===================================================== > > MailPure custom filters for Declude JunkMail Pro. > > http://www.mailpure.com/software/ > > ===================================================== > > > > --- > > [This E-mail was scanned for viruses by Declude Virus > > (http://www.declude.com)] > > > > --- > > This E-mail came from the Declude.JunkMail mailing list. To > > unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type > > "unsubscribe Declude.JunkMail". The archives can be found at > > http://www.mail-archive.com. > > > > > > > > --- > > [This E-mail was scanned for viruses by Declude Virus > > (http://www.declude.com)] > > > > --- > > This E-mail came from the Declude.JunkMail mailing list. To > > unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type > > "unsubscribe Declude.JunkMail". The archives can be found at > > http://www.mail-archive.com. > > > > --- > > [This E-mail was scanned for viruses by Declude Virus > (http://www.declude.com)] > > --- > This E-mail came from the Declude.JunkMail mailing list. To > unsubscribe, just send an E-mail to [EMAIL PROTECTED], and > type "unsubscribe Declude.JunkMail". The archives can be > found at http://www.mail-archive.com. > > > > --- > [This E-mail was scanned for viruses by Declude Virus > (http://www.declude.com)] > > --- > This E-mail came from the Declude.JunkMail mailing list. To > unsubscribe, just send an E-mail to [EMAIL PROTECTED], and > type "unsubscribe Declude.JunkMail". The archives can be > found at http://www.mail-archive.com. > > --- > [This E-mail was scanned for viruses by Declude Virus > (http://www.declude.com)] > > --- > This E-mail came from the Declude.JunkMail mailing list. To > unsubscribe, just send an E-mail to [EMAIL PROTECTED], and > type "unsubscribe Declude.JunkMail". The archives can be > found at http://www.mail-archive.com. > --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com.