Re: [Declude.JunkMail] Fake IP Test

[Matt]

Rick, It's very, very spammy and I don't believe that I have ever seen a false positive on this in over 6 months of use.   At the same time however, I'm not aware of any spamware right now that forges your IP as the HELO and encloses it in brackets as one of Kevin's filter lines shows.  I actually consider a bracketed IP as the HELO to be a sign of standards compliance and I try not to fail such things just simply based on that so if you score this pattern, don't score it high.  Consider also with the other patterns the guaranteed tests that will fail with a non-bracketed IP as the HELO, for instance HELOBOGUS and BADHEADERS will always hit this condition so consider extra points from a filter to tag your IP as the HELO to be cumulative in points.  I use a STARTSWITH filter so that I don't find myself switching IP's and forgetting to change the filter, for instance: HELO      15      STARTSWITH      208.7.179. Matt Rick Davidson wrote: I hold mail if the HELO matches my servers IP address, is there a situation I am overlooking where this would be a bad idea? Rick Davidson National Systems Manager North American Title Group - ----- Original Message ----- From: "Kevin Bilbee" <[EMAIL PROTECTED]> To: <[EMAIL PROTECTED]> Sent: Thursday, July 01, 2004 2:42 PM Subject: RE: [Declude.JunkMail] Fake IP Test HELO 4 STARTSWITH [ You do not want to apply weight if the HELO string is an IP address the helo string being in the format of [xxx.xxx.xxx.xxx] is a vaild helo as long as it is the ip address of the sending server. HELO 8 STARTSWITH 65.16.167. I would definitly suggest doing this one for all of your IP addresses except I would place each one individually and use CONTAINS or IS if you are not allocated the whole /24 block. Kevin Bilbee --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com. -- ===================================================== MailPure custom filters for Declude JunkMail Pro. http://www.mailpure.com/software/ =====================================================