Kevin, I suspect that you're right, and that 99.9% of the time, your rule would hold true.
I would suggest that the IP address in the HELO would have to match the reverse DNS exactly, though. I also think that this observation would also hold true if the HELO is an IP address and there is no reverse lookup, or the reverse lookup times out. I think running that as a test for a while would bear that out; let us know if you code that up and want to test it on some more systems...

Andrew 8)

-----Original Message-----
From: Kevin Bilbee [mailto:[EMAIL PROTECTED]
Sent: Saturday, September 18, 2004 12:09 PM
To: [EMAIL PROTECTED]
Subject: [Declude.JunkMail] Idea

I was looking through my spam and legitimate email. I have noticed an interesting thing. When there is an IP address in the hello and the hello matches the reverse DNS then it is always spam. I cannot find one example of a legitimate email that has these properties.

What do you think??? I can update my contains IP test to support this type of test also????

Kevin Bilbee

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---
This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com.
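
The test discussed in this thread, sketched in Python as an added example (not code from Declude or from either poster). It assumes "IP address in the HELO" means the connecting IPv4 address, written literally or embedded in a hostname, and it takes the PTR result as a parameter so it runs offline; the function names, result labels and sample hosts are hypothetical.

```python
import ipaddress
import re

SEP = r"[.\-_]"  # separators commonly seen between octets in generated hostnames


def helo_embeds_ip(helo: str, client_ip: str) -> bool:
    """True if the HELO string carries the connecting IPv4 address, either
    forward (203-0-113-25...) or with reversed octets (25.113.0.203...)."""
    octets = str(ipaddress.IPv4Address(client_ip)).split(".")
    for order in (octets, octets[::-1]):
        # Digit lookarounds stop 203.0.113.25 from matching inside 1203.0.113.250.
        pattern = r"(?<!\d)" + SEP.join(order) + r"(?!\d)"
        if re.search(pattern, helo):
            return True
    return False


def classify(client_ip: str, helo: str, ptr):
    """Label one SMTP connection.

    ptr is the PTR name for client_ip, or None when there is no reverse
    record or the lookup timed out (the two cases are treated alike here).
    """
    helo_n = helo.strip().strip("[]").rstrip(".").lower()
    if not helo_embeds_ip(helo_n, client_ip):
        return "no-ip-in-helo"
    if ptr is None:
        # Second case raised in the reply: bare IP as HELO, no usable rDNS.
        return "ip-helo-no-rdns" if helo_n == client_ip else "ip-in-helo-unverified"
    if helo_n == ptr.rstrip(".").lower():
        # Original observation, with the exact-match requirement applied.
        return "ip-helo-matches-rdns"
    return "ip-in-helo-rdns-differs"


if __name__ == "__main__":
    # Constructed sample connections: (client IP, HELO, PTR result).
    samples = [
        ("203.0.113.25", "203-0-113-25.dsl.example.net", "203-0-113-25.dsl.example.net."),
        ("203.0.113.25", "[203.0.113.25]", None),
        ("203.0.113.25", "mail.example.org", "mail.example.org"),
        ("203.0.113.25", "203-0-113-25.dsl.example.net", "mx.example.com"),
    ]
    for ip, helo, ptr in samples:
        print(f"{ip:15} {helo:32} {classify(ip, helo, ptr)}")
```

Logging the label alongside the final spam/ham verdict for a while, rather than scoring on it immediately, is the trial run suggested in the reply.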
