Hi Paul: well, it's coming from "deliverenetworks.com" (http://www.dnsstuff.com/tools/ptr.ch?ip=66.239.1.69). The RevDNS is less likely to change then the MAIL FROM domain name.
So, I usually don't bother with blocking the MAIL FROM domain name - instead I check the reverse DNS, e.g.: HELO 8 CONTAINS $domain REMOTEIP 8 IS 218.17.92.184 REVDNS 8 ENDSWITH .are.net REVDNS 8 ENDSWITH .azogle.com REVDNS 8 ENDSWITH .consumerinfo.com REVDNS 8 ENDSWITH .DailyInBox.com REVDNS 8 ENDSWITH .deliverenetworks.com REVDNS 8 ENDSWITH .dartmail.net REVDNS 8 ENDSWITH .emailoffers.biz REVDNS 8 ENDSWITH .emailsvc.net REVDNS 8 ENDSWITH .emipsusa.com REVDNS 8 ENDSWITH .evaluemail.com REVDNS 8 ENDSWITH .hispeedmediaoffers.com REVDNS 8 ENDSWITH .hot-info.net REVDNS 8 ENDSWITH .IConNet.net REVDNS 8 ENDSWITH .mail-gw.net REVDNS 8 ENDSWITH .ramosglobalmarketing.com REVDNS 8 ENDSWITH .real-net.net REVDNS 8 ENDSWITH .superstorespecials.com REVDNS 8 ENDSWITH .temd.net REVDNS 8 ENDSWITH .truemail.net REVDNS 8 ENDSWITH .tepmail.com REVDNS 8 ENDSWITH .webmailer.de SUBJECT 5 CONTAINS viagra BODY 3 CONTAINS As seen on BODY 3 CONTAINS Nigeria BODY 5 CONTAINS opt-in Best Regards Andy Schmidt Phone: +1 201 934-3414 x20 (Business) Fax: +1 201 934-9206 -----Original Message----- From: [EMAIL PROTECTED] [mailto:Declude.JunkMail-owner@;declude.com]On Behalf Of paul Sent: Thursday, October 24, 2002 10:05 AM To: [EMAIL PROTECTED] Subject: [Declude.JunkMail] amazing.... While going through my filtered e-mail, I always see multiple e-mails from the same person<s> with the same ad but am amazed by how 1 has a weight of 29 - ROUTE, and 1 has a weight of 21 - COPY -. I can see that both have different IP and received from addresses, which makes the bottom one not fail the HELOBOGUS test, causing the 21. What do you guys see as the best approach to this? Blacklist @specials.bargain-jungle.com which I did? or specials@longname or both? or something totally different? Paul Received: from astro.deliverenetworks.com [66.239.1.71] by mail.2khiway.net (SMTPD32-7.13) id A3A1270154; Wed, 23 Oct 2002 21:57:53 -0400 X-CID: 171 X-UserID: 7283114 X-EMail: [EMAIL PROTECTED] X-From: [EMAIL PROTECTED] Reply-To: [EMAIL PROTECTED] Returnpath: [EMAIL PROTECTED] Content-Type: text/html To: [EMAIL PROTECTED] From: "Apply Now!" <[EMAIL PROTECTED]> Subject: Get Major Bank Credit Cards Message-Id: <[EMAIL PROTECTED]> X-RBL-Warning: SPAMCOP: Blocked - see http://spamcop.net/bl.shtml?66.239.1.71 X-RBL-Warning: DSN: Not supporting null originator (DSN) X-RBL-Warning: BADHEADERS: This E-mail was sent from a broken mail client [c020020c]. X-RBL-Warning: HELOBOGUS: Domain astro.deliverenetworks.com has no MX/A records. X-RBL-Warning: SPAMHEADERS: This E-mail has headers consistent with spam [c020020c]. X-RBL-Warning: WEIGHT10: Weight of 29 reaches or exceeds the limit of 10. Received: from kia.iexpectnet.com [66.239.1.69] by mail.2khiway.net (SMTPD32-7.13) id A406350272; Wed, 23 Oct 2002 18:34:46 -0400 X-CID: 171 X-UserID: 507916 X-EMail: [EMAIL PROTECTED] X-From: [EMAIL PROTECTED] Reply-To: [EMAIL PROTECTED] Returnpath: [EMAIL PROTECTED] Content-Type: text/html To: [EMAIL PROTECTED] From: "Apply Now!" <[EMAIL PROTECTED]> Subject: Get Major Bank Credit Cards Message-Id: <[EMAIL PROTECTED]> X-RBL-Warning: SPAMCOP: Blocked - see http://spamcop.net/bl.shtml?66.239.1.69 X-RBL-Warning: DSN: Not supporting null originator (DSN) X-RBL-Warning: BADHEADERS: This E-mail was sent from a broken mail client [c020020c]. X-RBL-Warning: SPAMHEADERS: This E-mail has headers consistent with spam [c020020c]. X-RBL-Warning: WEIGHT10: Weight of 21 reaches or exceeds the limit of 10. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com.
