I have been running my ContainsIP external test with a reverse dns check and have found the following. I have not had one report of a false positive in the 5 days I have been running this test.
If you are interested, it can be found here with usage instructions: http://www.ssc-isp.net/HoldAnalyzer/containsip.aspx

We receive about 3500 emails a day to our server. As you can see, a large amount of the messages fail the reverse DNS test when they have an IP address in the HELO string. I am finding this to be a very good indicator of spam.

9/30/04                        Count   % of failed   % of all
CIP-FullMatch               :      6       0.27 %      0.16 %
CIP-OnlyIp                  :    349      15.73 %      9.40 %
CIP-RMatchFullMatch         :    251      11.31 %      6.76 %
CIP-RMatchLeadingTextMatch  :     39       1.76 %      1.05 %

9/29/04                        Count   % of failed   % of all
CIP-FullMatch               :      9       0.43 %      0.27 %
CIP-LeadingTextMatch        :      2       0.10 %      0.06 %
CIP-OnlyIp                  :    343      16.32 %     10.11 %
CIP-RMatchFullMatch         :    238      11.32 %      7.02 %
CIP-RMatchLeadingTextMatch  :     43       2.05 %      1.27 %

9/28/04                        Count   % of failed   % of all
CIP-FullMatch               :      5       0.22 %      0.14 %
CIP-OnlyIp                  :    383      17.15 %     10.67 %
CIP-RMatchFullMatch         :    226      10.12 %      6.30 %
CIP-RMatchLeadingTextMatch  :     40       1.79 %      1.11 %
CIP-RMatchTrailingTextMatch :      1       0.04 %      0.03 %

---
This E-mail came from the Declude.JunkMail mailing list. The archives can be found at http://www.mail-archive.com.