I just grabbed the new 70_sare_header.cf and have gotten a couple of ham
emails that are triggering the SARE_RECV_SUSP_3 rule -- which is "Dotted quad
hostname doesn't match HELO dotted quad."  However, I'm not sure why that is. 
Does it apply only to the HELO to MY server?  Or does it check previous
servers also?  Here are the headers:

Received: from portalmail.gmhwh.org (portalmail.gmhwh.org [12.110.19.29] (may
be forged)) by frobozz.dcg.com (8.12.11/8.12.11) with ESMTP id i5FKQ52F022626
for <[EMAIL PROTECTED]>; Tue, 15 Jun 2004 16:26:06 -0400
Date: Tue, 15 Jun 2004 16:26:05 -0400
Message-ID: <[EMAIL PROTECTED]>
Received: from 192.168.20.11 ([192.168.20.203]) by portalmail.gmhwh.org; Tue,
15 Jun 2004 14:25:39 -0600

Now, for that first received -- when it actually gets to our machine
(frobozz), it looks proper to me (even though sendmail says "may be forged" --
I'm not sure why it does).  12.110.19.29 does resolve to portalmail.gmhwh.org
properly.

I just noticed that portalmail.gmhwh.org does not resolve to anything -- is
that why?  Or is it something else?

Just trying to fully understand it.  Thanks!

 - John...
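Added example (not part of the original post, and not the SARE rule's own regex, which the page does not show): a Python check written from the rule's description alone. It assumes the description means "the HELO name is a dotted quad that differs from the bracketed connecting IP" and that every Received header is examined, not only the one added by the final server; the function names and the unfolded sample headers are constructed from the headers quoted above.

```python
import re

# Constructed sample: the two Received headers quoted in the post, unfolded.
SAMPLE_HEADERS = [
    "from portalmail.gmhwh.org (portalmail.gmhwh.org [12.110.19.29] (may be forged)) "
    "by frobozz.dcg.com (8.12.11/8.12.11) with ESMTP id i5FKQ52F022626 "
    "for <[EMAIL PROTECTED]>; Tue, 15 Jun 2004 16:26:06 -0400",
    "from 192.168.20.11 ([192.168.20.203]) by portalmail.gmhwh.org; "
    "Tue, 15 Jun 2004 14:25:39 -0600",
]

DOTTED_QUAD = r"\d{1,3}(?:\.\d{1,3}){3}"
# "from <HELO> (<comment containing [peer IP]>"; HELO may be a bracketed literal.
RECEIVED_FROM = re.compile(r"^from\s+\[?(?P<helo>[^\s\]]+)\]?\s+\((?P<comment>[^)]*)")


def helo_ip_mismatch(received):
    """Return (helo, peer_ip) when HELO is a dotted quad that differs from
    the connecting IP recorded in brackets; otherwise return None."""
    m = RECEIVED_FROM.match(received.strip())
    if not m:
        return None
    helo = m.group("helo")
    if not re.fullmatch(DOTTED_QUAD, helo):
        return None  # HELO is a hostname, so this comparison does not apply
    peer = re.search(r"\[(" + DOTTED_QUAD + r")\]", m.group("comment"))
    if not peer or peer.group(1) == helo:
        return None
    return helo, peer.group(1)


def scan(headers):
    """Check every Received header, newest first, and list the mismatches."""
    return [(i, hit) for i, h in enumerate(headers) if (hit := helo_ip_mismatch(h))]


if __name__ == "__main__":
    for index, (helo, peer) in scan(SAMPLE_HEADERS):
        print(f"Received #{index}: HELO {helo} but connection came from {peer}")
```

Under these assumptions the header written by frobozz.dcg.com passes, and the only mismatch is in the earlier hop recorded by portalmail.gmhwh.org.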
