I want to give some negative weight for the following mail headers
Received: from mx0.gmx.net [213.165.64.100] by mail.zcom.it (SMTPD32-7.15) id A9F343600D8; Sun, 19 Oct 2003 18:21:07 +0200
It's very hard to tell from these headers where the E-mail may have come from. What you want to look at is all the headers, in the proper order (as they will also include the Declude headers). As far as REVDNS goes, the most header is the "XINHEADER X-Note: This E-mail was sent from %REVDNS% ([%REMOTEIP%])" header, if you have one. That shows the reverse DNS entry. Otherwise, we have to guess here (unless we know your HOP/HOPHIGH settings and want to take the time to wade through those spam-like 9 Received: headers).
So I'm assuming the E-mail came from 213.165.64.100, and has a reverse DNS entry of mx0.gmx.de or mx0.gmx.net (per http://www.dnsstuff.com/tools/ptr.ch?ip=213.165.64.100 ).
REVDNS -5 ENDSWITH .grp.scd.yahoo.com
My question would be where you are getting ".grp.scd.yahoo.com" from. Did you look at one of the IPs in the Received: headers and look up the reverse DNS entry?
The filter was not triggered. I assume because it was forwarded by a GMX-Mailserver and so the grp.scd.yahoo.com is out of my HOPHIGH=1 settings.
Almost correct. The REVDNS test only looks at the IP address that connected to the IMail server (taking HOP/IPBYPASS into account), not any subsequent hops.
Question: What consequences can I expect if I increase the HOPHIGH-value to 3 of 4.
It won't change the outcome of the REVDNS test. However:
More false positives from Spam-Databases?
Very unlikely, unless you have dialup-type tests that do not have "DUL" or "DYNA" in them.
More successful catches from Spam-Databases?
Sometimes. For example, if a spammer uses an open relay that forwards to a smart host, and the open relay is listed in a spam database but the smart host is not, the HOPHIGH could help catch that.
Longer processing times because the number of NS-lookups is doubled or tripled?
Correct. There will be a slight delay (typically a few seconds) as the extra DNS lookups are done (but, they will all be done as a batch in parallel, rather than one-at-a-time).
-Scott
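
The distinction drawn in the reply above, as an added example that is not part of the original message and is not Declude's code: a reverse-DNS suffix test sees only the connecting hop, while a higher HOPHIGH only widens the set of IPs sent to spam databases. Assumptions: hops are counted from 0 (the connecting server), HOPHIGH is the last hop index included, and the older hops, the PTR table and the `dnsbl.example` zone are constructed.

```python
import re

# Constructed Received: chain, newest hop first. Only the first line's host and IP
# come from the thread; the two older hops are made up for illustration.
RECEIVED = [
    "from mx0.gmx.net [213.165.64.100] by mail.zcom.it (SMTPD32-7.15); Sun, 19 Oct 2003 18:21:07 +0200",
    "from relay.example.net [192.0.2.25] by mx0.gmx.net; Sun, 19 Oct 2003 18:21:01 +0200",
    "from host.grp.scd.yahoo.com [198.51.100.7] by relay.example.net; Sun, 19 Oct 2003 18:20:55 +0200",
]
# Constructed PTR table standing in for live reverse-DNS lookups.
PTR = {
    "213.165.64.100": "mx0.gmx.net",
    "192.0.2.25": "relay.example.net",
    "198.51.100.7": "host.grp.scd.yahoo.com",
}
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def hop_ips(received):
    """Return the bracketed sender IP of each Received: line, newest hop first."""
    return [m.group(1) for line in received if (m := IP_RE.search(line))]

def revdns_endswith(received, suffix, hop=0):
    """Simplified model of a REVDNS ENDSWITH test: only the connecting hop is checked."""
    ips = hop_ips(received)
    if hop >= len(ips):
        return False
    return PTR.get(ips[hop], "").lower().endswith(suffix.lower())

def dnsbl_queries(received, zone, hop=0, hophigh=0):
    """Spam-database query names for hops hop..hophigh: reversed octets plus zone."""
    ips = hop_ips(received)[hop:hophigh + 1]
    return [".".join(reversed(ip.split("."))) + "." + zone for ip in ips]

if __name__ == "__main__":
    # The yahoo suffix sits two hops back, so the connecting-hop test does not fire.
    print(revdns_endswith(RECEIVED, ".grp.scd.yahoo.com"))
    print(revdns_endswith(RECEIVED, ".gmx.net"))
    # Raising HOPHIGH adds lookups for older hops; the REVDNS result is unchanged.
    for high in (0, 1, 3):
        print(high, dnsbl_queries(RECEIVED, "dnsbl.example", hophigh=high))
```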
