Since the address is bad, the bounce won't ever get to the sender. It's pretty unfortunate.

I just had a client call the other week when I upgraded to a newer version of Declude which I think started catching the misspelling in MAILFROM whereas it didn't before (if I recall the problem correctly, I might have just upped the score for that test). One person at this business had been sending E-mails to another person at the same business with his From address misspelled, and the receiver knew this and would just simply change it in her replies, but all of a sudden my server stopped allowing these through. Since the E-mail was sent within the domain, it failed the IPNOTINMX test as well, which didn't add points, but didn't credit them with 2 points that would have otherwise been given. They might have also suddenly gotten picked up by a DUL list because they're on DSL, and that scores on intra-server E-mails since the sender is the IP of the client's gateway and not my mail server's IP.

I weight MAILFROM at 7 now (same for VERISCAM), however I IP bypass my Microsoft SMTP server which gets the misspelled form inputs that generally fail the NOLEGITCONTENT test (which would put it at 5 with my fail weight of 10). Some customers are behind IPs that would fail certain DUL lists as well, so that has to also be taken into consideration. IPNOTINMX and NOLEGITCONTENT get 2 points each credited back to them and therefore it should pass no problems if the sender's mail server is reasonably good. This is a perfect example though of how WHITELIST AUTH would be beneficial since internal domain E-mail can fail so many tests, and that would allow you to increase the score of MAILFROM to around 10 in the same setup (I score 4 for DULs).

I did have one FP out of 18 catches on the VERISCAM filter in the last day (out of more than 3,000 E-mails that otherwise failed). This E-mail was sent from [EMAIL PROTECTED], and it was from a product called Altiris Patch Management server ( http://www.altiris.com/products/patchmanagement/ ). The E-mail ended up as a false reject, failing the following tests:

EASYNET-DYNA (4), VERISCAM (7), IPNOTINMX (0), NOLEGITCONTENT (0), FROMFILTER (1), and DYNAMIC (3)

It was sent from an internal server, not a mail server though. The FROMFILTER caught the keyword SEX for one point, and DYNAMIC is a new filter that I am testing that detects reverse DNS entries with IP addresses in the name. The E-mail scored a 15. That's problematic, and bounces wouldn't work even if the product received bounces because the From was faked. Needless to say, I'm calling this customer about the problem. I've seen many issues with devices or software that manage their own SMTP.

Hope this helps.

Matt



Joshua Levitsky wrote:


On Sep 17, 2003, at 2:59 PM, Matthew Bramble wrote:


False positives will come from users that misspell their domain name in their mail client. I have had that happen. There are also lots of forms being used on Web sites that take the user's input and construct a message using their address as the From in order to facilitate replies, and I can tell you from experience that lots of these people screw up (especially AOL users). I'm not sure if blocking on this one test is advisable in that instance, probably more so depends on your user base and whether you think it's appropriate to block mail from people that make mistakes in spelling, but otherwise don't have problems. I think HELOBOGUS also picks up on the misspellings (too busy to verify at the moment).

Because of this, I'm playing it conservatively for the time being. Same goes for MAILFROM.


What if I use the BOUNCE action on that one test and give the test a small weight so it contributes a little towards spam filtering, but it always BOUNCEs so you get an error?

Trying to think of the best for users and for catching.

-Josh


