Title: Message

I created a ForgedHELO.txt test and put my server's IP address in it:

 

HELO 40 CONTAINS 205.150.108.8

 

I am deleting at WEIGHT40

 

If I understood this thread right, why would you want to only weight your test at 50% of your hold/delete weight? I do not know of any instance (and someone can correct me) where incoming mail will legitimately have my server's IP address in the HELO string. Therefore it is SPAM and time to kill it.


     Goran Jovanovic

     The LAN Shoppe

 

 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Todd
Sent: Friday, July 02, 2004 10:39 AM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.JunkMail] Fake IP Test

 

Thanks,

 

    I added this filter last night and I am seeing good results.  I have it weighted at 50% of my hold weight with a COPYTO my email so I can monitor it.

 

 

Todd

----- Original Message -----

From: Andy Schmidt

Sent: Thursday, July 01, 2004 12:48 PM

Subject: RE: [Declude.JunkMail] Fake IP Test

 

Hi Todd:

 

It's this line that the other test is checking:

 

    Received: from 65.16.167.134 ([211.249.122.134])

It discovers that the other side was using YOUR server's IP address in its own HELO string.

 

I'm pretty certain that the "HELOVALID" test in Declude will catch that, but it will also be triggered for other conditions that are just signs of clueless mail admins.

 

You could also use a filter to look for your IP range in the string:

 

    HELO  4    STARTSWITH [
    HELO  8    STARTSWITH 65.16.167.

 

Best Regards
Andy Schmidt

H&M Systems Software, Inc.
600 East Crescent Avenue, Suite 203
Upper Saddle River, NJ 07458-1846

Phone:  +1 201 934-3414 x20 (Business)
Fax:    +1 201 934-9206

http://www.HM-Software.com/

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Todd
Sent: Thursday, July 01, 2004 10:41 AM
To: [EMAIL PROTECTED]
Subject: [Declude.JunkMail] Fake IP Test

We are seeing more spam getting through, triggering very few tests. We have a secondary spam system and it has a test called RCVD_FAKE_IP that is rated at 80% of its hold weight. Does Declude have something similar to this that I am not familiar with?

 

Here is the header from an email that triggered the test.  The EF filters are for the secondary spam system.

 

 

Received: from mail2.smart-mail.net [65.16.167.134] by net.smart-mail.net
  (SMTPD32-7.15) id AB4B3C000A0; Thu, 01 Jul 2004 04:37:15 -0500
Received: from 65.16.167.134 ([211.249.122.134])
 by mail2.smart-mail.net (SAVSMTP 3.1.0.29) with SMTP id M2004070104363531669
 ; Thu, 01 Jul 2004 04:36:42 -0500
X-Message-Info: VFOJY671eYayk6o4EOG324+hwoDFC357LFZwfs
Received: from mail698.iemz.inbox.lv ([79.132.96.232]) by y799-hab790.inbox.lv with Microsoft SMTPSVC(5.0.2195.6824);
  Thu, 01 Jul 2004 10:39:58 -0100
Received: from DMYES3 (kge27.58.206.86.e874.v.inbox.lv [236.3.143.229])
 by mail92.xb.inbox.lv (3.4.44nqc14/9.238.82) with SMTP id vxe531B4OJPasl17007;
 Thu, 01 Jul 2004 04:33:58 -0700
Message-ID: <[EMAIL PROTECTED]>
From: "Gus Hebert" <[EMAIL PROTECTED]>
To: user

References: <[EMAIL PROTECTED]>
Subject: *--Possible_SPAM--* hellenic
Date: Thu, 01 Jul 2004 13:34:58 +0200
MIME-Version: 1.0
Content-Type: multipart/alternative;
 boundary="--46420503988211891644"
X-Spam-Status: Possible SPAM, hits=7.200000 required=5.000000
        tests=RCVD_FAKE_IP_224:4.200000
        tests=BAYES_90:3.000000
       
X-RBL-Warning: IPNOTINMX:
X-RBL-Warning: ROUTING: This E-mail was routed in a poor manner consistent with spam [2000010f].
X-RBL-Warning: SPAMCHK: Message failed SPAMCHK: 10.
X-RBL-Warning: EFFILTER: Message failed EFFILTER test (line 1, weight 0)
X-RBL-Warning: EFFILTER5-9: Message failed EFFILTER5-9 test (line 2, weight 15)
X-RBL-Warning: EFPOSSIBLESPAM: Message failed EFPOSSIBLESPAM test (line 2, weight 0)
X-RBL-Warning: GIBBERISH: Message failed GIBBERISH test (line 410, weight 60) (weight capped at 60)
X-RBL-Warning: WEIGHT75: Weight of 95 reaches or exceeds the limit of 75.
X-Declude-Sender: [EMAIL PROTECTED] [211.249.122.134]
X-Note: This E-mail was scanned by Declude JunkMail (www.declude.com) for spam.
X-Spam-Tests-Failed: IPNOTINMX, ROUTING, SPAMCHK, EFFILTER, EFFILTER5-9, EFPOSSIBLESPAM, GIBBERISH, WEIGHT75, CATCHALLMAILS [95]
X-Note: Total spam weight of this E-mail is 95 .
X-Note: This E-mail was sent from  ([211.249.122.134]).
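
The check discussed in this thread (a HELO string that carries the receiving server's own IP address while the connection comes from somewhere else), as an added example that is not part of the original messages and is not Declude code. The function names are hypothetical, and the local range 65.16.167.0/24 is an assumption taken from the `STARTSWITH 65.16.167.` filter above; the first four sample lines are the first lines of the Received headers quoted in the thread, the fifth is constructed.

```python
import ipaddress
import re

# Matches "from <helo> [<peer-ip>]" and "from <helo> ([<peer-ip>])".
RECEIVED_RE = re.compile(r"from\s+(\S+)\s+\(?\[(\d{1,3}(?:\.\d{1,3}){3})\]")

# Assumption: the mail servers' own range, per the STARTSWITH filter in the thread.
LOCAL_NETS = [ipaddress.ip_network("65.16.167.0/24")]

SAMPLE = [
    "Received: from mail2.smart-mail.net [65.16.167.134] by net.smart-mail.net",
    "Received: from 65.16.167.134 ([211.249.122.134])",
    "Received: from mail698.iemz.inbox.lv ([79.132.96.232]) by y799-hab790.inbox.lv",
    "Received: from DMYES3 (kge27.58.206.86.e874.v.inbox.lv [236.3.143.229])",
    "Received: from [65.16.167.140] ([65.16.167.140])",  # constructed: honest local relay
]

def parse_received(line):
    """Return (helo_string, peer_ip) for one Received line, or None if unparsable."""
    m = RECEIVED_RE.search(line)
    if not m:
        return None
    try:
        return m.group(1), ipaddress.ip_address(m.group(2))
    except ValueError:  # e.g. an octet above 255
        return None

def helo_forges_local_ip(line, local_nets):
    """True if the HELO is an IP literal in our range but the peer is outside it."""
    parsed = parse_received(line)
    if parsed is None:
        return False
    helo, peer = parsed
    try:
        claimed = ipaddress.ip_address(helo.strip("[]"))
    except ValueError:
        return False  # HELO is a hostname, not an IP literal
    def is_local(ip):
        return any(ip in net for net in local_nets)
    # A local peer announcing a local address is normal internal relaying.
    return is_local(claimed) and not is_local(peer)

def flag_headers(lines, local_nets):
    """Return the Received lines whose HELO forges one of our own addresses."""
    return [ln for ln in lines if helo_forges_local_ip(ln, local_nets)]

if __name__ == "__main__":
    for hit in flag_headers(SAMPLE, LOCAL_NETS):
        print("forged HELO:", hit)
```

Only the hop recorded by your own server is trustworthy here; Received lines further down the message were written by other hosts and can be fabricated.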
