RE: [Declude.JunkMail] HELO Filter not Working?

2005-01-08 Thread Andy Schmidt
The short/direct answer is:

Declude gets it from the header. It doesn't "watch" the SMTP conversation.

That information is inserted by Imail (or a server you trust by specifying
IPBYPASS) by copying it from the HELO string.

It only makes sense once I thought about it.

Best Regards
Andy Schmidt

Phone:  +1 201 934-3414 x20 (Business)
Fax:    +1 201 934-9206



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of R. Scott Perry
Sent: Saturday, January 08, 2005 11:05 AM
To: Declude.JunkMail@declude.com
Subject: Re: [Declude.JunkMail] HELO Filter not Working?



> >Both, actually.  Declude JunkMail gets the "HELO" from the real 
> >HELO/EHLO from the SMTP envelope.  The method Declude JunkMail uses 
> >to obtain the HELO, however, is the headers.
>
>Ok, this is clear as mud... which is it, envelope or headers?

The SMTP envelope contains information about the E-mail that may or may not 
appear in the headers.  The most common information is the true sender 
("MAIL FROM") and the actual recipients (as they may be Bcc:s).  There are 
several SMTP envelopes as the E-mail passes from computer to computer, but 
you can only access the true SMTP envelope on the current server.

However, some of the information from the SMTP envelope does go into the 
headers.  The HELO/EHLO will appear in the Received: header.

So it *is* as clear as mud.  :)  The information is obtained from the 
headers, and is added to the headers from information that comes from the 
SMTP envelope.  So the information Declude JunkMail gets is the same as the 
information in the SMTP envelope, but Declude JunkMail gets it from 
somewhere else.

It's kind of like asking "Did you get Joe's number from the phone company?" 
-- it's kind of a silly question, the answer to which would not be obvious 
(no, you got the number from Joe, but he got it from the phone company).

>Or is there a precedence, so in some circumstances it uses one and in
>others uses the
>other?

It's a moot point, really, except for scholars.  Declude JunkMail will get 
the same information from the SMTP envelope as it gets from the headers, 
unless a trusted mailserver lies (in which case you have bigger problems), 
or if an error occurs on the mailserver creating the headers (in which case 
you also have bigger problems).



-Scott
---
Declude JunkMail: The advanced anti-spam solution for IMail mailservers 
since 2000.
Declude Virus: Ultra reliable virus detection and the leader in mailserver 
vulnerability detection.
Find out what you've been missing: Ask for a free 30-day evaluation.



This outgoing message is guaranteed to be authentic by Message Level users.
Guarantee the authenticity of your email @ http://www.messagelevel.com.
---
[This E-mail was scanned for viruses by Declude Virus
(http://www.declude.com)]

---
This E-mail came from the Declude.JunkMail mailing list.  To unsubscribe,
just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe
Declude.JunkMail".  The archives can be found at
http://www.mail-archive.com.



Re: [Declude.JunkMail] HELO Filter not Working?

2005-01-08 Thread R. Scott Perry

>Both, actually.  Declude JunkMail gets the "HELO" from the real HELO/EHLO
>from the SMTP envelope.  The method Declude JunkMail uses to obtain the
>HELO, however, is the headers.
>Ok, this is clear as mud... which is it, envelope or headers?

The SMTP envelope contains information about the E-mail that may or may not 
appear in the headers.  The most common information is the true sender 
("MAIL FROM") and the actual recipients (as they may be Bcc:s).  There are 
several SMTP envelopes as the E-mail passes from computer to computer, but 
you can only access the true SMTP envelope on the current server.

However, some of the information from the SMTP envelope does go into the 
headers.  The HELO/EHLO will appear in the Received: header.

So it *is* as clear as mud.  :)  The information is obtained from the 
headers, and is added to the headers from information that comes from the 
SMTP envelope.  So the information Declude JunkMail gets is the same as the 
information in the SMTP envelope, but Declude JunkMail gets it from 
somewhere else.

It's kind of like asking "Did you get Joe's number from the phone company?" 
-- it's kind of a silly question, the answer to which would not be obvious 
(no, you got the number from Joe, but he got it from the phone company).

>Or is there a precedence, so in some circumstances it uses one and in 
>others uses the
>other?

It's a moot point, really, except for scholars.  Declude JunkMail will get 
the same information from the SMTP envelope as it gets from the headers, 
unless a trusted mailserver lies (in which case you have bigger problems), 
or if an error occurs on the mailserver creating the headers (in which case 
you also have bigger problems).


   -Scott


Re: [Declude.JunkMail] HELO Filter not Working?

2005-01-08 Thread Darin Cox
>Both, actually.  Declude JunkMail gets the "HELO" from the real HELO/EHLO
>from the SMTP envelope.  The method Declude JunkMail uses to obtain the
>HELO, however, is the headers.

Ok, this is clear as mud... which is it, envelope or headers?  Or is there a
precedence, so in some circumstances it uses one and in others uses the
other?

Darin.




RE: [Declude.JunkMail] HELO Filter not Working?

2005-01-08 Thread R. Scott Perry

> >> Remember, Declude JunkMail looks at the HELO/EHLO of the remote
> mailserver, based on IPBYPASS/HOP <<
> Uh - that's the answer. Thanks for clearing this up.
> So the "HELO" is not necessarily taken from the HELO, but from the HEADER.

Both, actually.  Declude JunkMail gets the "HELO" from the real HELO/EHLO 
from the SMTP envelope.  The method Declude JunkMail uses to obtain the 
HELO, however, is the headers.

Note that if Declude JunkMail used IMail's SMTP envelope as the method of 
obtaining the HELO, Declude JunkMail could get the wrong HELO (as would be 
the case if there are gateways).

   -Scott


RE: [Declude.JunkMail] HELO Filter not Working?

2005-01-07 Thread Andy Schmidt
Hi,

>> Remember, Declude JunkMail looks at the HELO/EHLO of the remote
mailserver, based on IPBYPASS/HOP <<

Uh - that's the answer. Thanks for clearing this up.

So the "HELO" is not necessarily taken from the HELO, but from the HEADER.
That certainly explains it.

Best Regards
Andy Schmidt

H&M Systems Software, Inc.
600 East Crescent Avenue, Suite 203
Upper Saddle River, NJ 07458-1846

Phone:  +1 201 934-3414 x20 (Business)
Fax:    +1 201 934-9206

http://www.HM-Software.com/


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of R. Scott Perry
Sent: Friday, January 07, 2005 03:32 PM
To: Declude.JunkMail@declude.com
Subject: Re: [Declude.JunkMail] HELO Filter not Working?



>Here is the Imail 8 log:
>
>01:07 13:13 SMTPD(d15f7804014ea63d) [63.107.174.14] connect 
>67.132.45.18
>port 2525
>01:07 13:13 SMTPD(d15f7804014ea63d) [67.132.45.18] EHLO mail.dollardays.com
>01:07 13:13 SMTPD(d15f7804014ea63d) [67.132.45.18] MAIL FROM:...
>
>I set up a filter to simplify reporting on mail coming from a certain 
>gateway:
>
>REMOTEIP -1 IS  67.132.45.18
>HEADERS  -2 CONTAINS X-Virus-Scanned: SpammerTrap
>HELO     -4 CONTAINS mail.dollardays.com

Do you have %HELO% in the headers anywhere?  If so, that should show you 
what Declude JunkMail is looking at.

Remember, Declude JunkMail looks at the HELO/EHLO of the remote mailserver, 
based on IPBYPASS/HOP settings, so it may not be the same as what IMail 
sees (but should always be the same if IPBYPASS/HOP is not being used).

-Scott


Re: [Declude.JunkMail] HELO Filter not Working?

2005-01-07 Thread R. Scott Perry

>Here is the Imail 8 log:
>01:07 13:13 SMTPD(d15f7804014ea63d) [63.107.174.14] connect 67.132.45.18 
>port 2525
>01:07 13:13 SMTPD(d15f7804014ea63d) [67.132.45.18] EHLO mail.dollardays.com
>01:07 13:13 SMTPD(d15f7804014ea63d) [67.132.45.18] MAIL FROM:...
>
>I set up a filter to simplify reporting on mail coming from a certain gateway:
>REMOTEIP -1 IS  67.132.45.18
>HEADERS  -2 CONTAINS X-Virus-Scanned: SpammerTrap
>HELO     -4 CONTAINS mail.dollardays.com

Do you have %HELO% in the headers anywhere?  If so, that should show you 
what Declude JunkMail is looking at.

Remember, Declude JunkMail looks at the HELO/EHLO of the remote mailserver, 
based on IPBYPASS/HOP settings, so it may not be the same as what IMail 
sees (but should always be the same if IPBYPASS/HOP is not being used).

   -Scott
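The IPBYPASS/HOP behaviour Scott describes in this thread (Declude reads the HELO from the Received: header of the first hop it does not trust, not from IMail's own SMTP conversation) as an added Python sketch; this is not Declude's code. It parses a constructed header block, skips hops whose IP is in a trusted list, and shows why a HELO CONTAINS test can miss when the gateway is bypassed. The Received: line shape, the hostnames and the documentation IPs are assumptions.

```python
import re

# Constructed sample headers (not from the thread). The outermost Received: hop
# is our own IMail server accepting the message from a trusted gateway; the
# inner hop is that gateway accepting it from the real remote sender. The IPs
# are RFC 5737 documentation addresses used only as placeholders.
SAMPLE_HEADERS = (
    "Received: from gateway.example.net ([192.0.2.10])\n"
    "\tby mail.example.com with ESMTP; Sat, 8 Jan 2005 11:05:00 -0500\n"
    "Received: from mail.dollardays.com (unknown [198.51.100.7])\n"
    "\tby gateway.example.net with ESMTP; Sat, 8 Jan 2005 11:04:58 -0500\n"
    "X-Virus-Scanned: SpammerTrap\n"
    "Subject: test\n"
)

# Assumed common shape: "Received: from <helo> (<optional rdns> [<ip>]) by ..."
RECEIVED_RE = re.compile(
    r"^Received:\s+from\s+(\S+)\s+\(.*?\[(\d{1,3}(?:\.\d{1,3}){3})\]\)", re.I)


def received_hops(headers):
    """Return [(helo, ip), ...], most recent hop (our own server) first."""
    unfolded = re.sub(r"\r?\n[ \t]+", " ", headers)  # join folded header lines
    hops = []
    for line in unfolded.splitlines():
        m = RECEIVED_RE.match(line)
        if m:
            hops.append((m.group(1), m.group(2)))
    return hops


def remote_helo(headers, ipbypass=()):
    """Walk the hops outward, skipping servers we trust (the IPBYPASS idea),
    and return (helo, ip) of the first untrusted hop, or (None, None)."""
    for helo, ip in received_hops(headers):
        if ip in ipbypass:
            continue  # trusted relay: its HELO is not the remote sender's
        return helo, ip
    return None, None


def helo_filter_matches(headers, needle, ipbypass=()):
    """Model of a 'HELO CONTAINS needle' test against the hop picked above."""
    helo, _ = remote_helo(headers, ipbypass)
    return helo is not None and needle.lower() in helo.lower()
```

With no IPBYPASS entry the test sees the gateway's HELO and "mail.dollardays.com" does not match; once the gateway IP is trusted, the next hop's HELO is used and the same filter fires.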