Just a thought... You extract the registrar barrier part of the host name and do the same for the HELO. For many hosts that send good email, these would match. For example, yahoo.com would have yahoo.com in both the host name and the HELO.
Then, after tracking these and developing a list of hosts that do this, we see a host whose HELO claims to be yahoo.com but whose rDNS says otherwise. The idea is that if they are on the list of having matched, then when they don't match it might be a spam indicator?

--
## List details at http://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
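A sketch of the idea in the message above, as an added example that is not part of the original post and is not Exim code: it learns which registered domains normally match between HELO and rDNS, then flags a HELO that claims a learned domain from a host whose rDNS disagrees. The names `registered_domain`, `HeloTracker` and `min_matches`, and the tiny suffix list, are assumptions; the rDNS name is assumed to be forward-confirmed by the caller.

```python
# Added example (hypothetical names). The suffix set is a constructed stand-in;
# a real deployment would consult the full Public Suffix List.
MULTI_LABEL_SUFFIXES = {"co.uk", "com.au", "co.jp"}


def registered_domain(hostname):
    """Return the registrable part of a name: mta1.mail.yahoo.com -> yahoo.com."""
    if not hostname or hostname.startswith("["):
        return None  # missing name or address literal such as [192.0.2.1]
    labels = hostname.strip().rstrip(".").lower().split(".")
    if len(labels) < 2 or not all(labels) or labels[-1].isdigit():
        return None  # bare word, empty label, or a plain IP address
    keep = 3 if ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES else 2
    if len(labels) < keep:
        return None  # the name is itself a public suffix
    return ".".join(labels[-keep:])


class HeloTracker:
    """Tracks domains whose HELO and rDNS have agreed in the past."""

    def __init__(self, min_matches=3):
        self.min_matches = min_matches  # matches needed before a domain is "known"
        self.match_counts = {}          # registered domain -> number of matches

    def observe(self, helo, rdns):
        """Classify one connection: 'match', 'suspicious', 'unknown' or 'no-data'."""
        claimed = registered_domain(helo)
        actual = registered_domain(rdns)
        if claimed is None:
            return "no-data"
        if claimed == actual:
            self.match_counts[claimed] = self.match_counts.get(claimed, 0) + 1
            return "match"
        # Mismatch: only meaningful if this domain has a history of matching.
        if self.match_counts.get(claimed, 0) >= self.min_matches:
            return "suspicious"
        return "unknown"


if __name__ == "__main__":
    tracker = HeloTracker(min_matches=2)
    # Constructed sample connections: (HELO argument, forward-confirmed rDNS name)
    samples = [
        ("yahoo.com", "mta1.mail.yahoo.com"),
        ("n1.yahoo.com", "mta2.mail.yahoo.com"),
        ("yahoo.com", "host-203-0-113-9.example.net"),
        ("newsender.example.org", "host.example.net"),
    ]
    for helo, rdns in samples:
        print(helo, rdns, tracker.observe(helo, rdns))
```

A "suspicious" result fits best as one scoring input rather than a reject on its own, since the post proposes it only as a possible indicator.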
