Yet this piece of mail did come through with a very low rate and didn't fail the HELOBOGUS?
Received: from fament.com [63.165.214.42] by imail.fament.com with ESMTP (SMTPD32-8.03) id AD019930280; Sat, 22 Nov 2003 19:27:29 -0600
That's because the HELO is "fament.com", and fament.com has an MX record. Therefore, it is a valid HELO.
However, 63.165.214.42 is not in the MX record of fament.com, so:
X-Tests-Failed: IPNOTINMX, REVDNS.
it failed the IPNOTINMX test.
Wouldn't helobogus add its weight to it? Or have I misunderstood the helobogus test? How can I punish servers that try to claim to be from my domain like the above?
HELOBOGUS just looks for bogus HELO entries (such as random characters, IPs masquerading as hostnames, and made-up domains).
IPNOTINMX checks for IPs that aren't listed in the sender domain's MX records (note that it is not unusual for legitimate mail to be sent this way).
In this case, SPAMDOMAINS may be the best answer, as it will require the reverse DNS entry of the sending computer to include the domain name in the return address -- but only for domains that you specify. So if you list "fament.com", this mail would have been caught. But if you do list your domain, you need to be sure that people sending mail through your server come from IPs with your domain in the reverse DNS entry.
And how could the score end up at -2? What is the math behind it?
Declude JunkMail adds all the weights for the E-mail, which came out to -2 here.
The confusing parts are things like negative weights (either kind -- a test that has a weight of "-2", or a test that has a weight that is added for E-mail that does NOT fail the test, like the IPNOTINMX and NOLEGITCONTENT tests), and filters where multiple lines can match.
-Scott
--- This E-mail came from the Declude.JunkMail mailing list.
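
An added example, not part of the original message and not Declude's code or configuration syntax: a simplified Python model of the checks discussed above, run against the quoted connection. The DNS data, the missing PTR record, the legitimate MX address 192.0.2.10, the rule that a HELO is bogus when the name has no MX or A record, and all weights are assumptions constructed for illustration.

```python
# Simplified model of the tests in this thread. All data below is constructed.
MX_HOSTS = {"fament.com": ["imail.fament.com"]}    # domain -> MX hostnames
A_RECORDS = {"imail.fament.com": ["192.0.2.10"]}   # hostname -> IPs
PTR = {"192.0.2.10": "imail.fament.com"}           # IP -> reverse DNS name
SPAMDOMAINS = ["fament.com"]                       # domains whose mail must match rDNS

# test -> (weight added on failure, weight added when NOT failed); hypothetical values
WEIGHTS = {"HELOBOGUS": (5, 0), "IPNOTINMX": (0, -3),
           "REVDNS": (4, 0), "SPAMDOMAINS": (10, 0)}

def helo_is_bogus(helo):
    # Assumed rule: a HELO name is valid if it has an MX or A record.
    return helo not in MX_HOSTS and helo not in A_RECORDS

def ip_not_in_mx(sender_domain, ip):
    # Resolve every MX host of the sender domain and compare with the peer IP.
    mx_ips = {a for h in MX_HOSTS.get(sender_domain, [])
              for a in A_RECORDS.get(h, [])}
    return ip not in mx_ips

def fails_spamdomains(sender_domain, ip):
    # Only listed domains are checked; rDNS must contain the sender domain.
    if sender_domain not in SPAMDOMAINS:
        return False
    return sender_domain not in PTR.get(ip, "").lower()

def evaluate(helo, sender_domain, ip):
    # True means the message failed that test.
    return {"HELOBOGUS": helo_is_bogus(helo),
            "IPNOTINMX": ip_not_in_mx(sender_domain, ip),
            "REVDNS": ip not in PTR,
            "SPAMDOMAINS": fails_spamdomains(sender_domain, ip)}

def total_weight(results, weights=WEIGHTS):
    # Sum the fail weight or the not-failed weight for every test.
    return sum(weights[t][0] if failed else weights[t][1]
               for t, failed in results.items())

if __name__ == "__main__":
    forged = evaluate("fament.com", "fament.com", "63.165.214.42")
    legit = evaluate("imail.fament.com", "fament.com", "192.0.2.10")
    print(forged, total_weight(forged))
    print(legit, total_weight(legit))
```

The forged connection passes HELOBOGUS because the HELO name exists, while the legitimate one ends with a negative total because a test it did not fail contributes a negative weight.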
