> > This is exactly why the test is so useful. psu.edu, for example, is a
> > perfectly valid domain, and it has an MX record.
>
>Except, at least 3 of those 5 messages are not spam.

Interesting.

>I see this in my IMail log file -
>
>06:07 16:24 SMTPD(BC3000AE) [12.20.248.130] HELO bur05.standardsteel.com
>
>for the HELOBOGUS log entry in my Declude log mentioned above.
>
>However when I look up that IP address I get
>
>Name: mail.standardsteel.com
>Address: 12.20.248.130
>
>So where does the bur05.standardsteel.com come from?

That comes from their mailserver. Their mailserver is saying "HELO
bur05.standardsteel.com" -- In SMTP, it's saying "Hi, I'm host
bur05.standardsteel.com -- if there are any problems, that's how you can
reach me". But, bur05.standardsteel.com doesn't exist. It's the
electronic equivalent of getting a letter postmarked from "Nowheresville"
or some other town that doesn't exist. It's a serious indication that
something ain't right.

When this happens, it's a configuration error on the other end of the
connection -- exactly where a spammer is very likely to make a
configuration error (you'll often see them send "HELO $domain" or "HELO
localhost.localdomain" and similar bogus hostnames).

Soon, we'll get a good idea of how often this will produce false positives
(we've heard that it has a very, very low false positive rate, but we'll
have to see).

-Scott
---
This E-mail came from the Declude.JunkMail mailing list.
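
An added example, not part of the original message and not Declude's own HELOBOGUS code (the page does not show how that test is implemented): a sketch that pulls the HELO name out of IMail SMTPD log lines in the format quoted above and flags names that are placeholders or do not resolve. The resolver is passed in so the sample runs offline; every sample line after the first, and the `KNOWN_NAMES` table, are constructed.

```python
import re
import socket

# Log line shape taken from the IMail entry quoted in the message above.
HELO_RE = re.compile(
    r"SMTPD\((?P<session>[0-9A-Fa-f]+)\)\s+\[(?P<ip>[0-9.]+)\]\s+"
    r"(?:HELO|EHLO)\s+(?P<name>\S+)")
# Placeholder names the message calls out as typical misconfigurations.
PLACEHOLDERS = {"localhost", "localhost.localdomain"}
# First line is from the page; the rest are constructed for illustration.
SAMPLE_LOG = [
    "06:07 16:24 SMTPD(BC3000AE) [12.20.248.130] HELO bur05.standardsteel.com",
    "06:07 16:25 SMTPD(BC3000AF) [192.0.2.10] HELO $domain",
    "06:07 16:26 SMTPD(BC3000B0) [192.0.2.11] HELO localhost.localdomain",
    "06:07 16:27 SMTPD(BC3000B1) [12.20.248.130] HELO mail.standardsteel.com",
]
# Constructed stand-in for DNS: names assumed to exist for the offline run.
KNOWN_NAMES = {"mail.standardsteel.com"}

def system_resolves(name):
    """Default resolver: True if the name has an address record (uses DNS)."""
    try:
        socket.getaddrinfo(name, None)
        return True
    except (socket.gaierror, UnicodeError):
        return False

def classify_helo(name, resolves=system_resolves):
    """Return a reason string if the HELO name looks bogus, else None."""
    host = name.rstrip(".").lower()
    if "$" in host:
        return "unexpanded template variable"
    if host in PLACEHOLDERS:
        return "placeholder hostname"
    if "." not in host:
        return "not a fully qualified name"
    if not resolves(host):
        return "name does not resolve"
    return None

def scan(lines, resolves=system_resolves):
    """Yield (session, ip, helo, reason) for each line with a bogus HELO."""
    for line in lines:
        m = HELO_RE.search(line)
        reason = classify_helo(m.group("name"), resolves) if m else None
        if reason:
            yield m.group("session"), m.group("ip"), m.group("name"), reason

if __name__ == "__main__":
    for row in scan(SAMPLE_LOG, lambda n: n in KNOWN_NAMES):
        print(*row)
```

Calling `scan(lines)` without a resolver argument uses the system resolver, which checks address records only.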