If the top level domain of the HELO name exists (it has NS records or a SOA record) but the second and third (if present) level domains do not, the check triggers.
You have to allow for missing top level domains because of private addresses, and you have to check both the 2LD and 3LD because some CC2LDs are part of their CCTLD zone rather than being delegated.

This form of made-up name is a common pattern amongst certain spamware. (It also triggers on loads of viruses.) There are a few false positives from idiots making up domain names for internal use, e.g. in the .int TLD, so I don't think it's usable as a sole reason for rejection.

Tony.
-- 
f.a.n.finch  <[EMAIL PROTECTED]>  http://dotat.at/
MALIN HEBRIDES: NORTHEAST 4 OR 5 INCREASING 6. RAIN LATER. GOOD BECOMING MODERATE.
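
The check described in the message above, as an added Python sketch that is not part of the original post and not the author's implementation. The function name, the `zone_exists` callback (standing in for "has NS records or a SOA record") and the zone list are assumptions constructed for illustration; a deployment would back the callback with real DNS lookups and feed the result into a score rather than rejecting on it alone.

```python
from typing import Callable

# Constructed sample data: names that have NS or SOA records in this toy world.
# "xx" is a made-up ccTLD whose second level "co.xx" lives inside the "xx" zone
# (not delegated), while "example.co.xx" is a delegated zone of its own.
SAMPLE_ZONES = {"com", "example.com", "xx", "example.co.xx", "int"}


def zone_exists(name: str) -> bool:
    """Hypothetical stand-in for an NS/SOA lookup; reads the constructed set."""
    return name in SAMPLE_ZONES


def helo_looks_made_up(helo: str, exists: Callable[[str], bool] = zone_exists) -> bool:
    """True when the TLD exists but the 2LD and (if present) 3LD do not."""
    name = helo.strip().rstrip(".").lower()
    # Address literals such as [192.0.2.1] are not domain names: nothing to check.
    if not name or name.startswith("["):
        return False
    labels = name.split(".")
    # Single-label names and malformed names (empty labels) are out of scope here.
    if len(labels) < 2 or any(not label for label in labels):
        return False
    # A missing TLD is tolerated: private naming schemes use made-up TLDs.
    if not exists(labels[-1]):
        return False
    # Accept the name if either the 2LD or the 3LD is a real zone. Checking the
    # 3LD covers ccTLDs whose second level is not delegated separately.
    for depth in (2, 3):
        if len(labels) >= depth and exists(".".join(labels[-depth:])):
            return False
    return True


if __name__ == "__main__":
    for helo in ("mail.example.com", "zzqx1.com", "host.zzqx1.com",
                 "mx.example.co.xx", "server.corp.int", "mail.local",
                 "[192.0.2.1]", "localhost"):
        print(f"{helo:20} triggers={helo_looks_made_up(helo)}")
```

The `server.corp.int` case shows the false positive the message mentions: an invented internal name under a real TLD triggers the check even though the sender is not spamware.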