A fairly large number of large companies have email systems that fail badheaders -- holding on it brought daily FP's here. We use a weight on BADHEADERS instead and then a negative weight (WHITELST filter below) on known mail servers with problems.
From today's samples:

Received: from l-qmqp3.marketwatchmail.com [63.240.173.125] by OURDOMAIN.COM (SMTPD32-7.15) id A181222017A; Mon, 21 Jul 2003 16:48:01 -0400
Received: (qmail 23921 invoked from network); 21 Jul 2003 20:37:35 -0000
Received: from unknown (10.10.220.86) by l-qmqp3.marketwatchmail.com with QMQP; 21 Jul 2003 20:37:35 -0000
Mailing-List: contact [EMAIL PROTECTED]
Precedence: bulk
X-No-Archive: yes
List-Help: <mailto:[EMAIL PROTECTED]>
List-Unsubscribe: <mailto:[EMAIL PROTECTED]>
List-Subscribe: <mailto:[EMAIL PROTECTED]>
From: CBS MarketWatch <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Delivered-To: mailing list [EMAIL PROTECTED]
Delivered-To: moderator for [EMAIL PROTECTED]
Received: (qmail 14389 invoked from network); 21 Jul 2003 20:28:35 -0000
Date: Mon, 21 Jul 2003 20:26:03 (GMT)
X-MSMail-Priority: Normal
X-mailer: AspMail 3.53 (SMTP546388)
Subject: Personal Finance Daily: July 21, 2003
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
Message-Id: <[EMAIL PROTECTED]>
X-RBL-Warning: WHITELST: Message failed WHITELST test (109)
X-RBL-Warning: SPAMDOMAINS: Spamdomain 'OURDOMAIN.COM' found: Address of [EMAIL PROTECTED] com sent from invalid 125.173.240.63.in-addr.arpa.
X-RBL-Warning: SPAMTEXT: Message failed SPAMTEXT test (15)
X-RBL-Warning: SPAMHEADERS: This E-mail has headers consistent with spam [c040020e].
X-RBL-Warning: BADHEADERS: This E-mail was sent from a broken mail client [c040020e].
X-RBL-Warning: BFROM: RETURN2
X-Declude-Sender: [EMAIL PROTECTED] com [63.240.173.125]
X-Declude-Spoolname: D51810222017aaade.SMD
X-Note: This E-mail was scanned by Declude JunkMail (www.declude.com) for spam.
X-Declude: Version 1.70i14; D51810222017aaade.SMD
X-Declude: Failed WHITELST, SPAMDOMAINS, SPAMTEXT, IPNOTINMX, SPAMHEADERS, BADHEADERS, BFROM [-65]
X-Note: This E-mail was sent from 125.173.240.63.in-addr.arpa ([63.240.173.125]).
X-Countries: UNITED STATES->destination
Return-Path: <[EMAIL PROTECTED] .com>
X-Note: - Total spam weight of this E-mail is -65.
X-Spam-Prob: 0.922557
X-RCPT-TO: <[EMAIL PROTECTED]>
Status: U
X-UIDL: 300602461

> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] Behalf Of Jose Gosende
> Sent: Monday, July 21, 2003 1:31 PM
> To: [EMAIL PROTECTED]
> Subject: RE: [Declude.JunkMail] Best Practices question
>
>
> Great, thanks for the detailed explanation.
>
> I would like to HOLD all mail that fails the BADHEADERS test, then.
> How do I go about doing this?
>
> Thanks again
>
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] Behalf Of R. Scott Perry
> Sent: Monday, July 21, 2003 12:40 PM
> To: [EMAIL PROTECTED]
> Subject: RE: [Declude.JunkMail] Best Practices question
>
>
>
> >I've seen that most of the spam emails, regardless of the weight, seem
> >to fail the SPAMHEADERS, BADHEADERS, and IPNOTINMX tests. Question: do you
> >guys HOLD email based on any of these three tests? If so, how is this done?
> >Is this a smart approach?
>
> The SPAMHEADERS test will catch quite a bit of legitimate E-mail (mostly
> solicited E-mail, such as orders and bulk E-mail from companies you have
> done business with, as opposed to individual person-to-person E-mail),
> mostly because of all the web mailers that were written by web developers
> rather than purchased or written by web programmers.
>
> The IPNOTINMX test shouldn't be used to block E-mail, as it is one of the
> few tests that it is OK for a legitimate mailserver to fail. This is often
> the case with larger domains, where there are separate mailservers for
> incoming vs. outgoing E-mail.
>
> The BADHEADERS test, though, now catches about 50% of all spam, and will
> never catch any legitimate E-mail (unless it is sent from a broken mail
> client that needs to be fixed, and where you might not have received the
> E-mail anyways).
> ---

[This E-mail scanned for viruses by Declude Virus]

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---
This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com.
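
The two policies discussed in this thread, run against the sample headers quoted above, as an added example that is not part of the original post and is not Declude code. The function names and the hold threshold of 10 are assumptions made for illustration; the header lines are copied from the sample and trimmed to the ones that carry the verdict.

```python
import re
from email import message_from_string

# Constructed input: verdict headers copied from the sample in the post.
SAMPLE = """\
X-RBL-Warning: WHITELST: Message failed WHITELST test (109)
X-RBL-Warning: BADHEADERS: This E-mail was sent from a broken mail client [c040020e].
X-Declude: Version 1.70i14; D51810222017aaade.SMD
X-Declude: Failed WHITELST, SPAMDOMAINS, SPAMTEXT, IPNOTINMX, SPAMHEADERS, BADHEADERS, BFROM [-65]
Subject: Personal Finance Daily: July 21, 2003

(body omitted)
"""

# Hypothetical threshold; a real site picks its own value.
HOLD_THRESHOLD = 10

# Matches the summary header: "Failed TEST1, TEST2, ... [total weight]".
FAILED_RE = re.compile(r"^Failed\s+(?P<tests>.+?)\s*\[(?P<weight>-?\d+)\]\s*$")


def parse_verdict(raw):
    """Return (set of failed test names, total weight) from X-Declude headers.

    Returns (set(), None) when no summary header is present, so the caller
    can tell "not scanned" apart from "scanned with weight 0".
    """
    msg = message_from_string(raw)
    for value in msg.get_all("X-Declude", []):
        m = FAILED_RE.match(value.strip())
        if m:
            tests = {t.strip() for t in m.group("tests").split(",")}
            return tests, int(m.group("weight"))
    return set(), None


def hold_on_test(tests, name="BADHEADERS"):
    """Policy A: hold whenever one named test fails."""
    return name in tests


def hold_on_weight(weight, threshold=HOLD_THRESHOLD):
    """Policy B: hold only when the summed weight reaches the threshold."""
    return weight is not None and weight >= threshold


if __name__ == "__main__":
    tests, weight = parse_verdict(SAMPLE)
    print("failed:", sorted(tests), "weight:", weight)
    print("hold on BADHEADERS alone:", hold_on_test(tests))
    print("hold on total weight:", hold_on_weight(weight))
```

On this sample the single-test policy holds the newsletter, while the weight policy lets it through because the total weight is -65.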