I'm with you 100%. Sorry for the confusion, that was actually Andy's filter line and I didn't mean to say it was wrong, just not how I approach it. There is software out there for sending bulk-mail, primarily from PCs I believe, and some server scripts that will bracket the IP as the HELO. I definitely see some false positives on this sort of thing and adding more points is not really necessary. Some of the stuff using that software of course is real spam, but typically very niche stuff.

Matt



Kevin Bilbee wrote:
What I was saying is not to score well-formed IP addresses [xxx.xxx.xxx.xxx]; I do not score these at all. I do run an external test that tells me if there is an IP in the HELO string; if the IP is well formed I skip weighting the test. I also have a filter in Declude that looks for our domain names and IP addresses in the HELO string. If they are there and it is not from a whitelisted server then it will get half of our hold weight.
 
 
Kevin Bilbee
 
 
 
 
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of Matt
Sent: Thursday, July 01, 2004 1:25 PM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.JunkMail] Fake IP Test

Rick,

It's very, very spammy and I don't believe that I have ever seen a false positive on this in over 6 months of use. At the same time however, I'm not aware of any spamware right now that forges your IP as the HELO and encloses it in brackets as one of Kevin's filter lines shows. I actually consider a bracketed IP as the HELO to be a sign of standards compliance and I try not to fail such things just simply based on that, so if you score this pattern, don't score it high. Consider also with the other patterns the guaranteed tests that will fail with a non-bracketed IP as the HELO; for instance, HELOBOGUS and BADHEADERS will always hit this condition, so consider extra points from a filter to tag your IP as the HELO to be cumulative in points. I use a STARTSWITH filter so that I don't find myself switching IPs and forgetting to change the filter, for instance:

HELO      15      STARTSWITH      208.7.179.

Matt



Rick Davidson wrote:
I hold mail if the HELO matches my server's IP address. Is there a situation
I am overlooking where this would be a bad idea?

Rick Davidson
National Systems Manager
North American Title Group
-
----- Original Message ----- 
From: "Kevin Bilbee" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Thursday, July 01, 2004 2:42 PM
Subject: RE: [Declude.JunkMail] Fake IP Test


  
    HELO  4    STARTSWITH [

You do not want to apply weight if the HELO string is an IP address; the
HELO string being in the format of [xxx.xxx.xxx.xxx] is a valid HELO as long as
it is the IP address of the sending server.

    HELO  8    STARTSWITH 65.16.167.

I would definitely suggest doing this one for all of your IP addresses, except
I would place each one individually and use CONTAINS or IS if you are not
allocated the whole /24 block.



Kevin Bilbee



---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]
  
---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail".  The archives can be found
at http://www.mail-archive.com.

    



  

-- 
=====================================================
MailPure custom filters for Declude JunkMail Pro.
http://www.mailpure.com/software/
=====================================================
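
The HELO handling discussed in this thread, written out as an added Python example (not code from any poster and not Declude's own logic): a well-formed bracketed literal gets no weight by itself, while a HELO that claims one of the receiving server's own addresses is weighted unless the sender is whitelisted. The networks, weight and labels are constructed assumptions; matching parsed addresses against networks means a single owned address such as 198.51.100.7 does not also match 198.51.100.70, as a substring test would.

```python
import ipaddress
import re

# Assumed local address space (documentation ranges, constructed for this example).
OWN_NETWORKS = [
    ipaddress.ip_network("192.0.2.0/24"),     # the whole /24 is allocated to us
    ipaddress.ip_network("198.51.100.7/32"),  # a single address in someone else's block
]
OWN_IP_WEIGHT = 15  # illustrative weight only

_LITERAL = re.compile(r"^\[(\d{1,3}(?:\.\d{1,3}){3})\]$")  # [a.b.c.d]
_BARE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")           # a.b.c.d


def _parse(text):
    """Return an IPv4Address, or None when an octet is out of range."""
    try:
        return ipaddress.IPv4Address(text)
    except ValueError:
        return None


def classify_helo(helo, whitelisted=False):
    """Return (label, weight) for a HELO/EHLO argument."""
    helo = helo.strip()
    match = _LITERAL.match(helo)
    if match:
        ip, form = _parse(match.group(1)), "literal"
    elif _BARE.match(helo):
        ip, form = _parse(helo), "bare"
    else:
        return ("hostname", 0)
    if ip is None:
        return ("malformed-ip", 0)   # left to whatever test checks well-formedness
    # A remote sender presenting one of our own addresses is the forged case.
    if not whitelisted and any(ip in net for net in OWN_NETWORKS):
        return ("claims-our-ip", OWN_IP_WEIGHT)
    if form == "literal":
        return ("well-formed-literal", 0)  # bracketed literal alone is not scored
    # The thread notes other tests (HELOBOGUS, BADHEADERS) already hit a bare IP.
    return ("bare-ip", 0)
```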
