The RDNS test is run against the IP address of the original sending mail server, not the IP of the client machine that drafted the message. I don't believe that intermediate hops are considered in this test, just the RDNS of the originating mail server. Scott, can confirm this.
The theory is that most of the large mail host providers, and frequently forged domain hosts (like aol.com, yahoo.com, hotmail.com, etc.), have their DNS configured correctly so that if queried for the PTR record of the originating mail server's IP address (RDNS), it will respond with the domain listed in the "from" address somewhere in the response, or that of another domain defined in the SpamDomains file (a good match). If it does not contain the "from" domain, or an alternate predefined domain, somewhere in the response, then it probably was not sent from a designated mail server for that domain and is most likely spam.

HTH to clarify.

Bill

----- Original Message -----
From: "Serge" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Sunday, June 15, 2003 8:41 AM
Subject: [Declude.JunkMail] Spamdomains: Which IP ?

> After reading 100+ archive messages about spamdomain, I was thinking that the
> IP used for the RDNS query is the one of the original remote SMTP server,
> but after playing around with a dummy domain I set up, I have now some
> doubts that the test is using the IP of the original client that
> sent the message, and not the remote SMTP server.
> So which is it, and why?
> And if it is the SMTP server and there are several intermediary gateways,
> will the IP be that of the original server, or the final one?
>
> TIA
>
> ---
> [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]
>
> ---
> This E-mail came from the Declude.JunkMail mailing list. To
> unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
> type "unsubscribe Declude.JunkMail". The archives can be found
> at http://www.mail-archive.com.
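The check described in the reply above, as an added Python example (not Declude's code and not part of the original thread). The table layout, the PTR data, the handling of a missing PTR record and the `strict` mode are assumptions made for illustration; `strict` goes beyond the post by requiring the listed domain to be a whole-label suffix of the PTR name instead of appearing anywhere in it.

```python
# Added illustration; not Declude's code. The table layout is an assumption.
SPAM_DOMAINS = {            # "from" domain -> domains accepted in the PTR name
    "aol.com": ["aol.com"],
    "yahoo.com": ["yahoo.com"],
    "hotmail.com": ["hotmail.com", "msn.com"],   # alternate domain (constructed)
}

# Constructed PTR data (documentation IP ranges) so the example runs offline.
SAMPLE_PTR = {
    "192.0.2.10": "imo-m01.mx.aol.com",
    "192.0.2.20": "mail3.msn.com",
    "198.51.100.7": "dsl-7.pool.isp.example",
    "198.51.100.9": "aol.com.pool.isp.example",
}

def lookup_ptr(ip):
    """Stand-in resolver; a live check could use socket.gethostbyaddr(ip)[0]."""
    return SAMPLE_PTR.get(ip)

def matches(ptr, domain, strict):
    ptr, domain = ptr.lower().rstrip("."), domain.lower()
    if strict:  # PTR name must be the domain itself or a host under it
        return ptr == domain or ptr.endswith("." + domain)
    return domain in ptr  # "somewhere in the response", as the post describes

def spamdomains_test(from_addr, server_ip, strict=False, resolve=lookup_ptr):
    """Return 'n/a', 'pass' or 'fail' for one message.

    server_ip is the IP of the originating mail server, not of the client
    machine that drafted the message.
    """
    domain = from_addr.rsplit("@", 1)[-1].lower()
    accepted = SPAM_DOMAINS.get(domain)
    if accepted is None:
        return "n/a"            # domain not listed, so the test does not apply
    ptr = resolve(server_ip)
    if not ptr:
        return "fail"           # assumption: no PTR record counts as no match
    return "pass" if any(matches(ptr, d, strict) for d in accepted) else "fail"
```

The last constructed PTR entry passes the substring match but fails the whole-label suffix match, which is the difference between the two modes.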
