Scott, looks like people are starting to try and hide their internal IP
address through some rather bizarre means.  We have been getting quite a few
of these (e-mail addresses changed to protect the innocent):

Do you have the full (or at least all the Received:) headers of such an E-mail?


This should only happen if there is a gateway that is not properly recording the IP of the remote mailserver.

The problem with this is that if you are using HOPHIGH 1 or greater, JunkMail is
running tests against the 0.0.0.0 address and coming back from the IP4R and
RHSBLs with a match.  I would request that JunkMail be set to never run
tests against the 0.0.0.0 IP address, unless that IP address actually shows
up in the received headers.

Declude JunkMail is already programmed to skip the IP-based spam tests if the IP is 0.0.0.0. Unfortunately, while Declude JunkMail is able to scan multiple hops, there is a wide variety of formats that mailservers use to record IPs (since recording IPs isn't mandatory, so some do strange things like include the IP address in a non-standard format within a comment), and there are ways spammers can bypass them. For example, if a mailserver doesn't use the proper format of "from hostname.example.com [192.0.2.25]", but instead uses "from hostname.example.com (192.0.2.25)", then a spammer could use a HELO of "[0.0.0.0]", which would change that to "from [0.0.0.0] (192.0.2.25)", in which case Declude JunkMail would see the IP as 0.0.0.0 (which in fact it is in this case, according to the RFCs).


Hopefully, from the headers, I will be able to see if Declude JunkMail can be doing anything differently to handle this, and see why it may be looking up 0.0.0.0.

-Scott
---
Declude JunkMail: The advanced anti-spam solution for IMail mailservers.
Declude Virus: Catches known viruses and is the leader in mailserver vulnerability detection.
Find out what you've been missing: Ask about our free 30-day evaluation.
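
The HELO "[0.0.0.0]" case described in the reply above, as an added example that is not part of the original message and is not Declude's code. The function names, the rule that the first token after "from" is the client-supplied HELO, and the sample headers are assumptions made for illustration.

```python
import ipaddress
import re

# IPv4 inside [...] or (...), the two styles mentioned in the message above.
_IP = re.compile(r"[\[(]\s*(\d{1,3}(?:\.\d{1,3}){3})\s*[\])]")
_FROM = re.compile(r"^\s*(?:Received:\s*)?from\s+(\S+)(.*?)(?:\s+by\s|$)",
                   re.I | re.S)


def _valid(text):
    """Return an IPv4Address, or None if text is not a valid address."""
    try:
        return ipaddress.IPv4Address(text)
    except ValueError:
        return None


def naive_ip(received):
    """First bracketed IP anywhere in the line: fooled by HELO '[0.0.0.0]'."""
    m = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", received)
    return m.group(1) if m else None


def connecting_ip(received):
    """Return (ip, source); ip is None when IP-based tests should be skipped.
    Assumption: the first token after 'from' is the HELO argument (client
    controlled); text after it was written by the receiving server.
    """
    m = _FROM.match(received)
    if not m:
        return None, "unparsed"
    helo, rest = m.group(1), m.group(2)
    # Prefer an address recorded after the HELO token, whatever the bracket style.
    for cand in _IP.findall(rest):
        ip = _valid(cand)
        if ip is not None and not ip.is_unspecified:
            return str(ip), "server-recorded"
    lit = _IP.fullmatch(helo)
    ip = _valid(lit.group(1)) if lit else None
    if ip is not None and not ip.is_unspecified:
        return str(ip), "helo-claimed"
    return None, "no-usable-ip"  # e.g. only 0.0.0.0 present: run no IP tests


# Constructed sample headers (documentation addresses, not real traffic).
SAMPLES = [
    "from hostname.example.com [192.0.2.25] by mx.example.net with SMTP",
    "from hostname.example.com (192.0.2.25) by mx.example.net with SMTP",
    "from [0.0.0.0] (192.0.2.25) by mx.example.net with SMTP",
    "from [0.0.0.0] by mx.example.net with SMTP",
]
```

The "helo-claimed" result marks an address that only the sending client asserted, so a caller can weight it lower than a "server-recorded" one.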

