Robert, you would use a filter file for this, e.g.
 
#First, escape this file if the source is on your own network
REMOTEIP END CIDR 208.100.26.0/24 
REMOTEIP END CIDR 192.168.0.0/24
 
#Skip this whole test if we are already above a hold weight of 20
SKIPIFWEIGHT 25

#Apply a maximum total weight of 20 points
MAXWEIGHT 20
 
#These three penalty weights were constructed to prevent
#false positives where you are penalizing a hypothetical
#legitimate host, e.g. outbound.forgive.com
 
#Apply a penalty if the forged HELO is your exact domain name
HELO 20 IS igive.com
 
#Apply a penalty if the forged HELO contains a host in your domain name
HELO 20 ENDSWITH .igive.com
 
#Apply a tiny penalty if the HELO, forged or not, contains your domain
HELO  3 ENDSWITH give.com
 
I suggest that you always make the weights heavy enough to hold the
message, because if you delete it and it was a false positive, you can't
recover it.
 
A variation of this would be to get rid of the third test, and only keep
the first two.  Then set the weight to, say, a single point instead of
20.  Then in your global.cfg or your domain-specific file, specify an
action of HOLD.
 
Declude gives you a lot of flexibility to design the test you want, but
this scratches the surface.
 
I hope that helps,
 
Andrew.
 
 
 
 
 



> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On
> Behalf Of Robert Grosshandler
> Sent: Thursday, April 26, 2007 1:45 PM
> To: declude.junkmail@declude.com
> Subject: [Declude.JunkMail] Ever legit?
>
> Hi
>
>
> We get e-mails that contain the following header (or
> something similar):
>
> Received: from igive.com [71.250.241.101] by smtp.igive.com with ESMTP
> (SMTPD-9.20)
>
> The 71.xxx.xxx.xxx isn't ours.  That IP can vary, but it is
> never ours.
>
> Are there any legit mailers that would send something in this form?
>
> If not, what's the best way to score this over my delete weight?
>
> Thanks,
>
> Rob
>
>
>
> ---
> This E-mail came from the Declude.JunkMail mailing list.  To
> unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
> type "unsubscribe Declude.JunkMail".  The archives can be
> found at http://www.mail-archive.com.
>
> 
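
Added example (not part of the original message and not Declude's own code): a simplified Python model of how the filter in the reply above would score a few HELO/IP pairs. The behaviour of END, SKIPIFWEIGHT and MAXWEIGHT is assumed from the comments in the filter, matching is assumed to be case-insensitive, and mail.igive.com is a constructed hostname.

```python
import ipaddress

# The rules from the reply above, comments removed.
FILTER = """\
REMOTEIP END CIDR 208.100.26.0/24
REMOTEIP END CIDR 192.168.0.0/24
SKIPIFWEIGHT 25
MAXWEIGHT 20
HELO 20 IS igive.com
HELO 20 ENDSWITH .igive.com
HELO 3 ENDSWITH give.com
"""

def matches(op, value, field):
    """Evaluate one comparison (assumed case-insensitive for strings)."""
    if op == "CIDR":
        return ipaddress.ip_address(field) in ipaddress.ip_network(value)
    if op == "IS":
        return field.lower() == value.lower()
    if op == "ENDSWITH":
        return field.lower().endswith(value.lower())
    raise ValueError("unsupported operator: " + op)

def score(helo, remote_ip, current_weight=0, rules=FILTER):
    """Return the weight this filter adds for one SMTP connection."""
    fields = {"HELO": helo, "REMOTEIP": remote_ip}
    total, cap = 0, None
    for line in rules.splitlines():
        parts = line.split()
        if not parts or parts[0].startswith("#"):
            continue
        if parts[0] == "SKIPIFWEIGHT":
            if current_weight >= int(parts[1]):   # message already held
                return 0
        elif parts[0] == "MAXWEIGHT":
            cap = int(parts[1])
        else:
            test, weight, op, value = parts
            if matches(op, value, fields[test]):
                if weight == "END":               # own network: stop here
                    break
                total += int(weight)
    return total if cap is None else min(total, cap)

if __name__ == "__main__":
    for helo, ip in [("igive.com", "71.250.241.101"),
                     ("mail.igive.com", "71.250.241.101"),
                     ("outbound.forgive.com", "71.250.241.101"),
                     ("igive.com", "192.168.0.10")]:
        print(helo, ip, score(helo, ip))
```

The first two cases match a 20-point rule and the 3-point rule, so MAXWEIGHT is what keeps the total at 20; outbound.forgive.com only picks up the 3-point rule.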


