I reduced the scores of those tests. Messages that fail BADHEADERS seem to often fail HELOBOGUS in my experience. It would be good to know the error code returned by the BADHEADERS test because this shouldn't be failed by most mailing applications (even automated ones). If you look in your log for the messages in question, you will find a code for the BADHEADERS failure which can be looked up through the following page:

http://www.declude.com/tools/header.php

One bug was caught last week that dealt with too many characters on the To: line, which Scott promptly fixed in an interim release. Another issue that I was experiencing with BADHEADERS was related to not having a To: address in an E-mail, which IE and Exchange's Web Mail among others were allowing now despite the RFCs clearly saying it was necessary even if not a valid address (Netscape 7 is compliant). This was an issue with mailing lists and other broadcast messages that make use of the CC or BCC lines and no use of the To line. I believe Scott might be thinking about modifying this test as well, but I'll let him speak for himself.

I found these issues on my system when I recently did a capture on the BADHEADERS test. It is a wonderful test though, tagging about half of all spam received, and the false positive rate was an incredibly low 0.5% (10 false positives out of 1,834 test failures in all). 9 of the 10 false positives though were from errors possible from popular (enough) mail clients. Knowing your error codes would help in determining if you were suffering from similar issues, and possibly there is a fix out now. My only issue with BADHEADERS is that messages that fail it will almost definitely fail at least one other technical test, especially SPAMHEADERS and HELOBOGUS.

If your BADHEADERS failures are the responsibility of bad software on the sender's end, I would reduce the test scores so that both BADHEADERS (I score 3) and HELOBOGUS (I score 5) need to fail another small test in order to get blocked. The small tests that I see working in this case are NOPOSTMASTER, NOABUSE and DSN, each of which I score as 1, and BASE64 which I score as 3.

Regarding your REVDNS test, this is one of the tests that I turned off because it has a very high false positive rate and I perceived it as giving no real value as a result. Even my server sat without reverse DNS entries until recently because my co-location provider was slow in delegating responsibility for that class C over to my DNS server, and those with smaller blocks tend to not bother at all. There are many valid mail servers without these lookups.

This is of course just my methodology, your mileage may vary.

Matt



Agid, Corby wrote:

Hello,

We get a lot of false positives from sites that fail two of three simple
tests such as REVDNS, HELOBOGUS and BADHEADERS which combined have just
enough weight (10 to 12), to get tagged as spam.  I have been whitelisting
as I learn about them, which seems to be approx one to three entries per
day.

Do most people reduce the weight of these tests or increase the threshold of
what's considered spam, or just whitelist as needed?

Just curious.

Corby





---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail".  The archives can be found
at http://www.mail-archive.com.
