Andy,

That is not typically what I see on most legit incoming e-mails. For example, here is a legit customer e-mail I picked at random (with a few things obfuscated)...

X-Declude-Sender: [EMAIL PROTECTED] [152.63.54.131]
X-Note: This E-mail was scanned & filtered by Declude [1.82] for SPAM & viruses.
X-Country-Chain: UNITED STATES->destination
X-Note: Recipient(s): [EMAIL PROTECTED]
X-Note: Sent with HELO [mail13.somedepartment.state.oh.us] from Reverse DNS [mail13.somedepartment.state.oh.us]
X-Spam-Tests-Failed: NOABUSE [-76]

In this example the HELO contains "somedepartment.state.oh.us". That is true, but what I am seeing is where the HELO IS "somedepartment.state.oh.us" which in this case is NOT true. The HELO is "mail13.somedepartment.oh.us".

And in fact, in 99% of legit e-mails that I see, the whole string used in the HELO is NOT identical to the string after the '@' symbol. Especially when you are talking about the big free web mail providers. The only 2 that I know of that use a simple HELO, e.g. domain.com, are HOTMAIL.COM and EXCITE.COM. Everybody else uses a long host name, e.g. subnet.domain.com, and I can easily put exceptions in for HOTMAIL.COM and EXCITE.COM.

What I've been seeing, using the same headers as above, is...

X-Declude-Sender: [EMAIL PROTECTED] [152.63.54.131]
X-Note: This E-mail was scanned & filtered by Declude [1.82] for SPAM & viruses.
X-Country-Chain: UNITED STATES->destination
X-Note: Recipient(s): [EMAIL PROTECTED]
X-Note: Sent with HELO [somedepartment.state.oh.us] from Reverse DNS [mail13.somedepartment.state.oh.us]
X-Spam-Tests-Failed: NOABUSE [-76]

If the text after the @ symbol was broken out into its own variable, e.g. FROMHOST = "somedepartment.state.oh.us", and the helo was broken out into its own variable, e.g. HELO = "somedepartment.oh.us", then if I could do the following...

FROMHOST 50 IS %HELO%

then I could add to the weight of a bunch of e-mails that are currently making it through.

Regardless, I wasn't looking for feedback on the likelihood of this idea working well.
All I wanted to know was if it was technically feasible. In a weight-based system, even if I can add a few points, if only enough to raise the weight a little yet not enough to push legit e-mail over my HOLD weight, then that's what I'm looking to do.

Thanks,
Dan

----- Original Message -----
From: "Andy Schmidt" <[EMAIL PROTECTED]>
To: <Declude.JunkMail@declude.com>
Sent: Monday, January 31, 2005 10:29 AM
Subject: RE: [Declude.JunkMail] Add Points if Domain Name IS Hello

Dan,

Maybe I misunderstand - but is this exactly what you SHOULD see, e.g., unless it's a virtual hosting environment or shared SMTP server you SHOULD see that the sender domain and HELO domain are identical?

This would be equivalent to testing if headers are RFC compliant - and if so, to throw out most of the good mail with the bad because it too happens to comply with RFCs?

Best Regards
Andy Schmidt

Phone: +1 201 934-3414 x20 (Business)
Fax: +1 201 934-9206

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dan Geiser
Sent: Monday, January 31, 2005 10:13 AM
To: Declude.JunkMail@declude.com
Subject: [Declude.JunkMail] Add Points if Domain Name IS Hello

Hello, All,

I've been getting tons of spam where the domain name used in the sender, e.g. [EMAIL PROTECTED], exactly matches the helo, e.g. justasailor.com. Is there any way to set up a test to add points if these 2 are identical? I was thinking there might be a way to do it using the variables that Declude creates but I don't know exactly what the syntax would be and I don't know if Declude parses out the domain name into its own variable. But if there were such a variable I'm thinking something along the lines of...
FROMDOMAIN 50 IS %HELO%

Thanks In Advance,
Dan Geiser

-------------------------------------------------------------------
E-mail scanned for viruses by Nexus (http://www.ntgrp.com/mailscan)

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---
This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com.
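
The comparison discussed in this thread, sketched outside Declude as an added example (not part of the original messages and not Declude configuration syntax): it reads the two header lines quoted above and adds points only when the HELO string is identical to the sender's domain. The function names, the 50-point default and all sample addresses, hosts and IPs are assumptions made for illustration.

```python
import re

# Header layout follows the Declude 1.82 headers quoted in the thread.
SENDER_RE = re.compile(
    r"^X-Declude-Sender:\s*<?[^\s@<>]+@([^\s<>]+)>?\s+\[", re.I | re.M)
HELO_RE = re.compile(r"^X-Note: Sent with HELO \[([^\]]+)\]", re.I | re.M)

# The two providers the thread names as legitimately using a bare-domain HELO.
BARE_HELO_EXCEPTIONS = {"hotmail.com", "excite.com"}


def _norm(host):
    """Host names compare case-insensitively; ignore a trailing root dot."""
    return host.strip().lower().rstrip(".")


def sender_domain_and_helo(headers):
    """Return (sender_domain, helo), or None if either header is absent."""
    s, h = SENDER_RE.search(headers), HELO_RE.search(headers)
    if not s or not h:
        return None
    return _norm(s.group(1)), _norm(h.group(1))


def extra_weight(headers, points=50):
    """Points to add when the HELO string IS the sender domain (not merely
    contains it), unless the domain is a listed exception."""
    pair = sender_domain_and_helo(headers)
    if pair is None:
        return 0
    domain, helo = pair
    if domain == helo and domain not in BARE_HELO_EXCEPTIONS:
        return points
    return 0


# Constructed sample headers (addresses, hosts and IPs are made up).
def sample(sender, helo, rdns):
    return (f"X-Declude-Sender: {sender} [192.0.2.10]\n"
            f"X-Note: Sent with HELO [{helo}] from Reverse DNS [{rdns}]\n")

LEGIT = sample("clerk@dept.example", "mail13.dept.example", "mail13.dept.example")
SUSPECT = sample("clerk@dept.example", "DEPT.example", "mail13.dept.example")
WEBMAIL = sample("someone@hotmail.com", "hotmail.com", "mx.hotmail.com")

if __name__ == "__main__":
    for name, hdrs in [("legit", LEGIT), ("suspect", SUSPECT), ("webmail", WEBMAIL)]:
        print(name, extra_weight(hdrs))
```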