Title: Message
Todd, in addition to checking for your own IP address in the inbound mail HELO, another handy "anti-spoofing" test is to check for your own mailhost.
 
HEADERS 20 CONTAINS Received: from yourmailhost.yourdomain.com
 
because, hey, your mailserver is receiving this message, so it won't be the one sending it, right?  This works great unless you have some weird looping, or you use the same hostname on multiple inbound hops.
 
For example, I have one inbound mailhost which is mail.bentall.com and I never see any valid mail from somewhere else that identifies itself as my sender.  It's been a great rule with zero false positives in over a year.
 
Andrew 8)
-----Original Message-----
From: Todd [mailto:[EMAIL PROTECTED]
Sent: Thursday, July 01, 2004 7:41 AM
To: [EMAIL PROTECTED]
Subject: [Declude.JunkMail] Fake IP Test

We are seeing more spam getting through triggering very few tests. We have a secondary spam system and it has a test called RCVD_FAKE_IP that is rated at 80% of its hold weight. Does Declude have something similar to this that I am not familiar with?
 
Here is the header from an email that triggered the test.  The EF filters are for the secondary spam system.
 
 
Received: from mail2.smart-mail.net [65.16.167.134] by net.smart-mail.net
  (SMTPD32-7.15) id AB4B3C000A0; Thu, 01 Jul 2004 04:37:15 -0500
Received: from 65.16.167.134 ([211.249.122.134])
 by mail2.smart-mail.net (SAVSMTP 3.1.0.29) with SMTP id M2004070104363531669
 ; Thu, 01 Jul 2004 04:36:42 -0500
X-Message-Info: VFOJY671eYayk6o4EOG324+hwoDFC357LFZwfs
Received: from mail698.iemz.inbox.lv ([79.132.96.232]) by y799-hab790.inbox.lv with Microsoft SMTPSVC(5.0.2195.6824);
  Thu, 01 Jul 2004 10:39:58 -0100
Received: from DMYES3 (kge27.58.206.86.e874.v.inbox.lv [236.3.143.229])
 by mail92.xb.inbox.lv (3.4.44nqc14/9.238.82) with SMTP id vxe531B4OJPasl17007;
 Thu, 01 Jul 2004 04:33:58 -0700
Message-ID: <[EMAIL PROTECTED]>
From: "Gus Hebert" <[EMAIL PROTECTED]>
To: user
References: <[EMAIL PROTECTED]>
Subject: *--Possible_SPAM--* hellenic
Date: Thu, 01 Jul 2004 13:34:58 +0200
MIME-Version: 1.0
Content-Type: multipart/alternative;
 boundary="--46420503988211891644"
X-Spam-Status: Possible SPAM, hits=7.200000 required=5.000000
        tests=RCVD_FAKE_IP_224:4.200000
        tests=BAYES_90:3.000000
       
X-RBL-Warning: IPNOTINMX:
X-RBL-Warning: ROUTING: This E-mail was routed in a poor manner consistent with spam [2000010f].
X-RBL-Warning: SPAMCHK: Message failed SPAMCHK: 10.
X-RBL-Warning: EFFILTER: Message failed EFFILTER test (line 1, weight 0)
X-RBL-Warning: EFFILTER5-9: Message failed EFFILTER5-9 test (line 2, weight 15)
X-RBL-Warning: EFPOSSIBLESPAM: Message failed EFPOSSIBLESPAM test (line 2, weight 0)
X-RBL-Warning: GIBBERISH: Message failed GIBBERISH test (line 410, weight 60) (weight capped at 60)
X-RBL-Warning: WEIGHT75: Weight of 95 reaches or exceeds the limit of 75.
X-Declude-Sender: [EMAIL PROTECTED] [211.249.122.134]
X-Note: This E-mail was scanned by Declude JunkMail (www.declude.com) for spam.
X-Spam-Tests-Failed: IPNOTINMX, ROUTING, SPAMCHK, EFFILTER, EFFILTER5-9, EFPOSSIBLESPAM, GIBBERISH, WEIGHT75, CATCHALLMAILS [95]
X-Note: Total spam weight of this E-mail is 95 .
X-Note: This E-mail was sent from  ([211.249.122.134]).
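
An added example (not written by either poster, and not Declude configuration): the check discussed in this thread as a Python sketch, run over the Received lines of the quoted header. The own-host and own-IP sets are assumptions inferred from that header; hand-offs between the site's own hops are skipped, which covers the multi-hop case Andrew mentions.

```python
import re

# Assumed for this sketch: the receiving site's own hostnames and IPs,
# inferred from the header quoted in the thread.
OWN_HOSTS = {"mail2.smart-mail.net", "net.smart-mail.net"}
OWN_IPS = {"65.16.167.134"}

# Constructed input: the four Received lines from the quoted header, unfolded.
SAMPLE_RECEIVED = [
    "from mail2.smart-mail.net [65.16.167.134] by net.smart-mail.net (SMTPD32-7.15) id AB4B3C000A0; Thu, 01 Jul 2004 04:37:15 -0500",
    "from 65.16.167.134 ([211.249.122.134]) by mail2.smart-mail.net (SAVSMTP 3.1.0.29) with SMTP id M2004070104363531669 ; Thu, 01 Jul 2004 04:36:42 -0500",
    "from mail698.iemz.inbox.lv ([79.132.96.232]) by y799-hab790.inbox.lv with Microsoft SMTPSVC(5.0.2195.6824); Thu, 01 Jul 2004 10:39:58 -0100",
    "from DMYES3 (kge27.58.206.86.e874.v.inbox.lv [236.3.143.229]) by mail92.xb.inbox.lv (3.4.44nqc14/9.238.82) with SMTP id vxe531B4OJPasl17007; Thu, 01 Jul 2004 04:33:58 -0700",
]

# "from <HELO name> ... [<connecting IP>] ... by <stamping host>"
HOP = re.compile(
    r"from\s+(?P<helo>\S+)\s+.*?\[(?P<ip>[0-9.]+)\].*?\sby\s+(?P<by>\S+)",
    re.I | re.S,
)

def spoofed_hops(received, own_hosts=OWN_HOSTS, own_ips=OWN_IPS):
    """Return (helo, connecting_ip, stamped_by) for hops where a remote
    client introduced itself with one of our own names or IPs."""
    findings = []
    for line in received:
        m = HOP.search(line)
        if not m:
            continue
        helo = m["helo"].lower().strip("[]")
        ip, by = m["ip"], m["by"].lower()
        if by not in own_hosts:
            continue  # stamped by a foreign server: not ours to judge
        if ip in own_ips:
            continue  # hand-off between our own hops, not a spoof
        if helo in own_hosts or helo in own_ips:
            findings.append((helo, ip, by))
    return findings

if __name__ == "__main__":
    for helo, ip, by in spoofed_hops(SAMPLE_RECEIVED):
        print(f"{ip} announced itself as {helo} to {by}")
```
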
