Scott, looks like people are starting to try and hide their internal IP address through some rather bizarre means. We have been getting quite a few of these (e-mail addresses changed to protect the innocent):
=====
09/22/2003 11:00:41 Q38c433940072f11a Bogus IP: UNIX: localhost
09/22/2003 11:00:48 Q38c433940072f11a LBL:3 NOMOREFUNN:2 VISI-RELAY:3 nIPNOTINMX:-3 nNOLEGITCONTENT:-5 HELO-FILTER:-10 REVDNS-FILTER:-5 ALLIGATE-SPAM-L1:1 . Total weight = -14
09/22/2003 11:00:48 Q38c433940072f11a Msg failed LBL (0.0.0.0.lbl.lagengymnastik.dk.). Action=IGNORE.
09/22/2003 11:00:48 Q38c433940072f11a Msg failed NOMOREFUNN (0.0.0.0.no-more-funn.moensted.dk.). Action=WARN.
09/22/2003 11:00:48 Q38c433940072f11a Msg failed VISI-RELAY (Mail from 0.0.0.0 refused -- see http://relays.visi.com/lookup.cgi?ipaddr=0.0.0.0). Action=WARN.
09/22/2003 11:00:48 Q38c433940072f11a Msg failed HELO-FILTER (Message failed HELO-FILTER test (122)). Action=WARN.
09/22/2003 11:00:48 Q38c433940072f11a Msg failed REVDNS-FILTER (Message failed REVDNS-FILTER test (78)). Action=WARN.
09/22/2003 11:00:48 Q38c433940072f11a Msg failed ALLIGATE-SPAM-L1 (Message failed ALLIGATE-SPAM-L1: 12.). Action=WARN.
09/22/2003 11:00:48 Q38c433940072f11a L1 Message OK
09/22/2003 11:00:48 Q38c433940072f11a Subject: ipn Website Focus Group Opportunity
09/22/2003 11:00:48 Q38c433940072f11a From: [EMAIL PROTECTED] To: [EMAIL PROTECTED] IP: 198.88.144.42 ID: 4236CADF58
=====

And a few of these, as well:

=====
09/22/2003 17:43:40 Q9709116000502df7 Bogus IP: ?.?.?.?
09/22/2003 17:43:47 Q9709116000502df7 BLARSBL:2 COMPU:2 LBL:3 NOMOREFUNN:2 VISI-RELAY:3 nNOLEGITCONTENT:-5 GIBBERISH-FILTER:5 HEADERS-FILTER:5 MAILFROM-FILTER:10 NOGIBBERISH-FILTER:-5 REVDNS-FILTER:-10 ALLIGATE-SPAM-L1:1 ALLIGATE-SPAM-L2:2 SNIFFER-GENERAL:12 SPAMCHECK:-3 . Total weight = 24
09/22/2003 17:43:47 Q9709116000502df7 Msg failed BLARSBL (This E-mail came from 209.202.220.160, a potential spam source listed in BLARSBL.). Action=WARN.
09/22/2003 17:43:47 Q9709116000502df7 Msg failed COMPU (Sender IP: 209.202.220.138). Action=WARN.
09/22/2003 17:43:47 Q9709116000502df7 Msg failed LBL (0.0.0.0.lbl.lagengymnastik.dk.). Action=WARN.
09/22/2003 17:43:47 Q9709116000502df7 Msg failed NOMOREFUNN (0.0.0.0.no-more-funn.moensted.dk.). Action=WARN.
09/22/2003 17:43:47 Q9709116000502df7 Msg failed VISI-RELAY (Mail from 0.0.0.0 refused -- see http://relays.visi.com/lookup.cgi?ipaddr=0.0.0.0). Action=WARN.
09/22/2003 17:43:47 Q9709116000502df7 Msg failed IPNOTINMX (). Action=WARN.
09/22/2003 17:43:47 Q9709116000502df7 Msg failed GIBBERISH-FILTER (Message failed GIBBERISH-FILTER test (132)). Action=WARN.
09/22/2003 17:43:47 Q9709116000502df7 Msg failed HEADERS-FILTER (Message failed HEADERS-FILTER test (58)). Action=WARN.
09/22/2003 17:43:47 Q9709116000502df7 Msg failed MAILFROM-FILTER (Message failed MAILFROM-FILTER test (1096)). Action=WARN.
09/22/2003 17:43:47 Q9709116000502df7 Msg failed NOGIBBERISH-FILTER (Message failed NOGIBBERISH-FILTER test (52)). Action=WARN.
09/22/2003 17:43:47 Q9709116000502df7 Msg failed REVDNS-FILTER (Message failed REVDNS-FILTER test (59)). Action=WARN.
09/22/2003 17:43:47 Q9709116000502df7 Msg failed ALLIGATE-SPAM-L1 (Message failed ALLIGATE-SPAM-L1: 30.). Action=WARN.
09/22/2003 17:43:47 Q9709116000502df7 Msg failed ALLIGATE-SPAM-L2 (Message failed ALLIGATE-SPAM-L2: 30.). Action=WARN.
09/22/2003 17:43:47 Q9709116000502df7 Msg failed SNIFFER-GENERAL (Message failed SNIFFER-GENERAL: 63.). Action=WARN.
09/22/2003 17:43:47 Q9709116000502df7 Msg failed SPAMCHECK (Message failed SPAMCHECK: -3.). Action=WARN.
09/22/2003 17:43:47 Q9709116000502df7 Msg failed WEIGHT16-35 (Total weight between 16 and 35.). Action=HOLD.
09/22/2003 17:43:47 Q9709116000502df7 Subject: resume submission
09/22/2003 17:43:47 Q9709116000502df7 From: [EMAIL PROTECTED] To: [EMAIL PROTECTED] IP: 209.202.220.160 ID: D67DAADE47
=====

The problem with this is that if you are using HOPHIGH 1 or greater, JunkMail is running tests against the 0.0.0.0 address and coming back from the IP4R and RHSBLs with a match.
I would request that JunkMail be set to never run tests against the 0.0.0.0 IP address, unless that IP address actually shows up in the received headers.

Thanks,
Bill

---
This E-mail came from the Declude.JunkMail mailing list.
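An added example, not Declude's code and not part of the original message, of the behaviour requested above: a hop whose address cannot be parsed yields no IP4R query, while a literal 0.0.0.0 in a header is still tested. The function names, the `max_hops` parameter (standing in for HOPHIGH), the `dnsbl.example` zone and the Received headers are all constructed for illustration.

```python
import ipaddress
import re

# Constructed Received headers, newest hop first (not taken from the post).
# Hops 1 and 2 carry the two bogus values seen in the "Bogus IP" log lines.
RECEIVED = [
    "from mx.example.net ([198.51.100.42]) by mail.example.org; 22 Sep 2003",
    "from localhost ([UNIX: localhost]) by mx.example.net; 22 Sep 2003",
    "from unknown ([?.?.?.?]) by relay.example.net; 22 Sep 2003",
    "from odd.example.net ([0.0.0.0]) by relay2.example.net; 22 Sep 2003",
]

BRACKETED = re.compile(r"\[([^\]]*)\]")


def hop_address(received):
    """Return the hop's IPv4 address, or None when the header has no usable one."""
    match = BRACKETED.search(received)
    if match is None:
        return None
    try:
        return ipaddress.IPv4Address(match.group(1).strip())
    except ipaddress.AddressValueError:
        return None  # bogus value: report "no address", never a stand-in


def dnsbl_name(address, zone):
    """Build the IP4R query name: octets reversed, then the list's zone."""
    return ".".join(reversed(str(address).split("."))) + "." + zone


def queries(headers, zone, max_hops, placeholder=None):
    """Query names for hops 0..max_hops.

    placeholder=None skips unparseable hops; placeholder="0.0.0.0" reproduces
    the behaviour reported in the post.
    """
    names = []
    for received in headers[: max_hops + 1]:
        address = hop_address(received)
        if address is None and placeholder is not None:
            address = ipaddress.IPv4Address(placeholder)
        if address is not None:
            names.append(dnsbl_name(address, zone))
    return names
```
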
