This test is very effective at flagging or blocking spam from mail hosts that attempt to connect to your mail server and announce your own hostnames or IP addresses to it in their HELO string, especially if your IMail/Declude server is directly sending and receiving mail from the Internet (less functional, but still works if relaying via a mail gateway to IMail/Declude). This filter looks for the bogus HELO info in the headers. In my testing, 100% of the messages delivered by these mail hosts are spam.
Think about it, why would any other legitimate mail server out there attempt to connect to your mail server announcing your own hostname or IP address in its HELO string? The answer is, it wouldn't.

Anyway, here is the test I use to detect these.

In global.cfg:

FORGEDHELO-FILTER filter M:\IMail\Declude\ForgedHelo-Filter.txt x 7 0

In ForgedHelo-Filter.txt file:

=====
# In case you have mail gateways, deduct equal weight for these hosts
HELO -7 ENDSWITH gw1.yourdomain.com
HELO -7 ENDSWITH gw2.yourdomain.com

# Remote mail hosts connecting and announcing your IP addresses
HELO 0 CONTAINS xxx.xxx.xxx.
HELO 0 CONTAINS xxx.xxx.xxx.

# Remote mail hosts connecting and announcing your hostnames
HELO 0 ENDSWITH your-host.com
HELO 0 ENDSWITH your-host.net
HELO 0 ENDSWITH cust-host.com
HELO 0 ENDSWITH cust-host.net
=====

If you are not already running a test like this, try it out. I think you will find that it will flag lots of spam.

Bill

---
This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com.
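
The scoring this filter produces, as an added example that is not part of the original post and is not Declude's own code. It assumes that any matching line makes the test fire with the weight 7 from global.cfg, that the matching lines' weights are added to it, and that matching is case-insensitive; example.net and 198.51.100. are constructed stand-ins for your own hostnames and addresses.

```python
# Added illustration; the scoring model is an assumption based on the post.
TEST_WEIGHT = 7  # weight given to FORGEDHELO-FILTER in global.cfg

# Constructed filter file: example.net stands in for your own domain,
# 198.51.100. for the leading octets of your own addresses.
FILTER_TEXT = """
# Mail gateways: deduct equal weight for these hosts
HELO -7 ENDSWITH gw1.example.net
# Remote hosts announcing your IP addresses
HELO 0 CONTAINS 198.51.100.
# Remote hosts announcing your hostnames
HELO 0 ENDSWITH example.net
"""


def parse_rules(text):
    """Return (weight, operator, value) for each HELO line, skipping comments."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        field, weight, op, value = line.split(None, 3)
        if field.upper() != "HELO" or op.upper() not in ("ENDSWITH", "CONTAINS"):
            raise ValueError(f"unsupported rule: {line}")
        rules.append((int(weight), op.upper(), value.lower()))
    return rules


def score_helo(helo, rules, test_weight=TEST_WEIGHT):
    """Weight the test contributes for one HELO string under the assumed model."""
    helo = helo.strip().lower()
    hits = [w for w, op, v in rules
            if (helo.endswith(v) if op == "ENDSWITH" else v in helo)]
    if not hits:
        return 0  # no line matched, so the test does not fire
    return test_weight + sum(hits)  # a gateway's -7 cancels the test weight


RULES = parse_rules(FILTER_TEXT)

if __name__ == "__main__":
    for helo in ("mail.example.net", "[198.51.100.25]",
                 "gw1.example.net", "mx.remote-sender.example"):
        print(f"{helo:28} {score_helo(helo, RULES)}")
```

In this model ENDSWITH is a plain suffix match, so an unrelated name such as mail.counterexample.net also scores 7 against the value example.net.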
