I have created a similar test that you pass teh %HELO% variable to here is my setup. I have 0 0 for the weights because I am still testing.
I have found 1 false positive classmates.com has the ip xx-xx-xx-xx.classmates.com in their helo string. I have also seen a few of our customers sendign wellformed ip addresses as the helo string [xxx.xxx.xxx.xxx]. CIP-WellFormed external 10 "D:\Imail\declude\ContainsIP.exe %HELO%" 0 0 CIP-OnlyIp external 11 "D:\Imail\declude\ContainsIP.exe %HELO%" 0 0 CIP-FullMatch external 12 "D:\Imail\declude\ContainsIP.exe %HELO%" 0 0 CIP-LeadingTextMatct external 13 "D:\Imail\declude\ContainsIP.exe %HELO%" 0 0 CIP-TrailingTextMatch external 14 "D:\Imail\declude\ContainsIP.exe %HELO%" 0 0 Here is an example of each type of test match WellFormed - [12.9.25.244] This would be an AT&T ip address wellformed in the HELO OnlyIp - 12.9.25.244 or 12-9-25-244 FullMatch - cpe-069-132-189-042.carolina.rr.com or client-200.106.20.200.speedy.net.pe LeadingTextMatch - xx3-client64-27-5-222-test.com TrailingtextMatch - xx3-client64-27-5-222test.com although this has a Leadgin and Trailing the Trailing will be the one returned. I have seen one abnomily with my code which I have not found a good way arround wbar1.tampa1-4-4-052-139.tampa1.dsl-verizon.net would match on 1.4.4.52 and return a LeadingTextMatch Here are my tats from yesterday for this test Total unique messages scanned: 3645 CIP-FullMatch : 78 3.31 % 2.14 % CIP-LeadingTextMatch: 15 0.64 % 0.41 % CIP-OnlyIp : 76 3.23 % 2.09 % CIP-WellFormed : 1 0.04 % 0.03 % Out of these there was 1 wellformed ip in the helo from a customer (it was also the only wellformed match for the day) I am not going to add weight for well formed ip address in the HELO 2 false positives from classmates.com 8 messages in the hold queue that would have been deleted if I was adding weight 4 messages that would have been held if I was adding weight Since the string to search is being passed as a variable you could use this test with the reverse dns string or pass any declude variable to the test. If anyone wants a copy let me know and I will send it to you. It is a .net 1.1 application I will be more than willing to add tests if anyone can think up any others that have a high probability of being spam. Kevin Bilbee --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com.