@Axb,

> just curious.. what are you trying to achieve by running these domains through ALL headers?
> catch senders? received headers?

There are headers that come with the following:

Received: from [66.85.187.123] *(helo=vpn123.layeredvpnzervices.com)*
    by izabal.espacioydominio.com with esmtp (Exim 4.69)
    (envelope-from <accountingeducation.yjuee*@nwwrej.afraidageshare.net*>)
    id 1RTzVK-0000Jp-IR for chard...@secmas.net;
    Fri, 25 Nov 2011 11:24:02 -0600
From: accounting education < accountingeducation.yj...@nwwrej.afraidageshare.net>

Received: from [66.85.158.200] (*helo=search200.complementhold.com*)
    by izabal.espacioydominio.com with esmtp (Exim 4.69)
    (envelope-from <nursingschool.ncqq...@aifnqk.laughsidecant.net>)
    id 1RTzPA-0007TD-CR for chard...@secmas.net;
    Fri, 25 Nov 2011 11:17:40 -0600
From: nursing school <*nursingschool.ncqq...@aifnqk.laughsidecant.net*>

Just to mention two examples. Well, the point is that in a lot of spam emails the HELO is the same for a lot of different email addresses, so I am trying to block that. Is there a better way than checking all the headers?

@ Christian Grunfeld

> a blacklist lookup table can achieve the same, can't it?

Can you share how to create this lookup table in a rule?

Thanks a lot for your input.

Sergio
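The HELO pattern described in the message above, as an added example that is not part of the original post or of any mail filter's own code: it parses the `helo=` and `envelope-from` fields from Exim-style `Received` values, finds HELO domains shared by several sender domains, and checks a header against a lookup table. The sample headers, the `.example` hostnames and all function names are constructed for illustration, and `base_domain` is an approximation that assumes two-label registered domains.

```python
import re
from collections import defaultdict

# Constructed sample Received values in the Exim layout quoted above (not real traffic).
SAMPLES = [
    "from [192.0.2.10] (helo=vpn10.bulkhost.example) by mx.local.example with esmtp "
    "(Exim 4.69) (envelope-from <promo.ab@x1.first.example>) id 1AAAAA-000001-AA",
    "from [192.0.2.11] (helo=search11.bulkhost.example) by mx.local.example with esmtp "
    "(Exim 4.69) (envelope-from <school.cd@y2.second.example>) id 1AAAAA-000002-BB",
    "from [198.51.100.7] (helo=mail.partner.example) by mx.local.example with esmtp "
    "(Exim 4.69) (envelope-from <bob@partner.example>) id 1AAAAA-000003-CC",
]

HELO_RE = re.compile(r"\(helo=([^)\s]+)\)", re.IGNORECASE)
ENVFROM_RE = re.compile(r"\(envelope-from <[^>@]*@([^>]+)>\)", re.IGNORECASE)

def base_domain(host):
    """Last two labels; an approximation (no public-suffix list is consulted)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def parse_received(value):
    """Return (helo_host, envelope_sender_domain); either is None if absent."""
    helo = HELO_RE.search(value)
    env = ENVFROM_RE.search(value)
    return (helo.group(1).lower() if helo else None,
            env.group(1).lower() if env else None)

def helo_is_listed(value, table):
    """Lookup-table check: the HELO host or its base domain is in the table."""
    helo, _ = parse_received(value)
    return helo is not None and (helo in table or base_domain(helo) in table)

def shared_helo_domains(values, min_senders=2):
    """HELO base domains seen with at least min_senders distinct sender domains."""
    seen = defaultdict(set)
    for value in values:
        helo, sender = parse_received(value)
        if helo and sender:
            seen[base_domain(helo)].add(base_domain(sender))
    return {h: s for h, s in seen.items() if len(s) >= min_senders}

if __name__ == "__main__":
    table = set(shared_helo_domains(SAMPLES))  # candidates for the lookup table
    print(table, [helo_is_listed(v, table) for v in SAMPLES])
```

Matching on the HELO field alone avoids scanning every header, and a HELO that matches the sender's own domain (the third sample) is not flagged.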