One of my users received a spammy message which accumulated enough weight to reach our HOLD action.

What I think happened is that the HELO, which has various high-bit characters which are illegal in a HELO, caused bad parsing of that line in the header... The BADHEADERS and HELOBOGUS were both tripped, but this email (which came from a zombie, therefore only one hop in the header) listed the remote IP as [0.0.0.0].

If the remote IP was detected correctly, the DNS tests would have lit up like a Christmas tree, because the IP is a zombie that has been running for some time.

On logging level HIGH, Declude only logged two lines:

01/26/2007 21:50:13.793 qe80700f900003d7a.smd BADHEADERS:6 HELOBOGUS:5 DYNHELO:6 SNIFFERMEDIA:11 SNIFFERANY:1 (snip) . Total weight = 41.
01/26/2007 21:50:13.793 qe80700f900003d7a.smd Cumulative action(s) taken on this email = NO ACTIONS WERE TAKEN

I've bundled up the message, the Declude and IMail log lines and sent them to Declude Support.

Andrew.

---
This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com.