Because of this, the bogus HELO test should contain an exclusion with equal weight as is configured in the Global.cfg file. Since Netscape 4 uses a different marker in the headers (X-Mailer: Mozilla) than modern versions (User-Agent: Mozilla), I would suggest the following:
HEADERS -7 CONTAINS mozilla
This won't cause any points to be credited overall in the event that you have Netscape/Mozilla users, but it will trip the test every time someone uses this browser. Adding multiple exceptions though could become problematic.
Scott, just in case you haven't noticed, there are A LOT of examples where having the ability to defeat a filter on one or many counterbalances would be very helpful, and aid greatly in administration by having them not show up as failed tests. This would be especially useful in situations where there are multiple potential exceptions and sometimes too much credit might be given (see my anti-gibberish filters and all the redundant tests). Having this capability would be a huge help, and it would open up many more doors for us.
Thanks,
Matt
Robert Whitaker wrote:
We found out that mail from Netscape always seems to come from the domain after the @ sign. If the address of the sender was set to [EMAIL PROTECTED], it would show up as received from thisname.com [x.x.x.x] (what their IP address is). We noticed this when AOL started making changes and some of our mail wasn't being accepted from Netscape users. Whatever we changed the domain to is where it claimed to be from.
Robert
First time poster. Thought I would share.
---------- Original Message ----------------------------------
From: Matthew Bramble <[EMAIL PROTECTED]>
Reply-To: [EMAIL PROTECTED]
Date: Tue, 23 Sep 2003 18:44:49 -0400
It was set as "Syracuse" as the machine name, however I also tested this on my own machine by sending E-mail to myself and got the same result. I just now tested Outlook Express from the same computer and it doesn't have that behavior...this is something that Netscape 7 does (and maybe other versions).
This shouldn't affect mail sent by Netscape Mail from other SMTP servers because I'm sure those servers will be replacing that domain with their own, so it's only a problem that affects people using Netscape Mail who have it set up with an alias lying on a different domain than that of their SMTP server settings. It seems to be very strange behavior for a mail client. I think I only have 3 accounts in use with this configuration and Netscape, so I can work around that until I decide that IMail 8 is safe.
Thanks for the routing tips and info about your filters. I think I have a couple of those router filters already, but it won't hurt to add a few more. I didn't realize that the forged IP sent with HELO could be blocked at the router (please correct me if this is not the case).
Matt
Karen D. Oland wrote:
What did he set the computer name to in Windows? Admittedly, I haven't tried Netscape, but I always get just the pure computer name in the HELO/EHLO when remote (it has NOTHING to do with the account name for email on any system I've tried, most of which use IE or Outlook).
K
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Matthew Bramble
Sent: Tuesday, September 23, 2003 2:36 PM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.JunkMail] Another very effective filter test
Here's an example of what I'm talking about:
Received: from nycars.com [24.92.238.169] by igaia.com with ESMTP
I host both of these domains, though that is the IP of a cable modem
account. What's happening here (I have confirmed this) is that the
connecting computer has an actual account on igaia.com and is set up for
SMTP using that domain. His from address in his E-mail program though
says [EMAIL PROTECTED] (he has an alias there) and somehow the server
isn't using his computer name, but instead is using the domain in his
from address that is also hosted on my server.
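
An added example, not part of the thread and not Declude's own code: a Python sketch of the weighting discussed above, scoring the quoted Received line with a bogus-HELO test and the `HEADERS -7 CONTAINS mozilla` counterweight, plus a conditional variant that only credits the exception when the HELO test fired. The definition of the bogus-HELO test, the local IP, the function names and the sample messages are assumptions constructed for illustration.

```python
import re
from email import message_from_string

# Assumptions (not from the thread): which domains and IPs are local, and the
# definition of the bogus-HELO test. The weight mirrors "HEADERS -7 CONTAINS mozilla".
LOCAL_DOMAINS = {"igaia.com", "nycars.com"}
LOCAL_SERVER_IPS = {"192.0.2.10"}  # constructed placeholder for the mail server
WEIGHT = 7
RECEIVED_RE = re.compile(r"from\s+(\S+)\s+\[([0-9.]+)\]\s+by\s+(\S+)", re.I)

def bogus_helo(msg):
    """True when the HELO name is a locally hosted domain but the peer IP is not ours."""
    received = msg.get_all("Received") or []
    m = RECEIVED_RE.search(received[0]) if received else None
    return bool(m) and m.group(1).lower() in LOCAL_DOMAINS and m.group(2) not in LOCAL_SERVER_IPS

def has_mozilla(msg):
    """Equivalent of HEADERS CONTAINS mozilla: matches X-Mailer and User-Agent alike."""
    return any("mozilla" in f"{k}: {v}".lower() for k, v in msg.items())

def score(raw, conditional=False):
    """Return (total, tests tripped). conditional=True credits the Mozilla
    exception only when the bogus-HELO test fired on the same message."""
    msg = message_from_string(raw)
    total, tripped = 0, []
    helo_hit = bogus_helo(msg)
    if helo_hit:
        total += WEIGHT
        tripped.append("BOGUSHELO")
    # Headers are sender-supplied, so the unconditional form hands out credit
    # to any message that merely names Mozilla.
    if has_mozilla(msg) and (helo_hit or not conditional):
        total -= WEIGHT
        tripped.append("MOZILLA")
    return total, tripped

def build(received, agent=None):
    lines = [f"Received: {received}", "Subject: test"]
    if agent:
        lines.append(agent)
    return "\n".join(lines) + "\n\nbody\n"

# Constructed sample messages; ALIAS_HELO is the Received line quoted in the thread.
ALIAS_HELO = "from nycars.com [24.92.238.169] by igaia.com with ESMTP"
PLAIN_HELO = "from syracuse [24.92.238.169] by igaia.com with ESMTP"
NETSCAPE7 = build(ALIAS_HELO, "User-Agent: Mozilla/5.0 (constructed)")
NO_AGENT = build(ALIAS_HELO)
MOZILLA_OK_HELO = build(PLAIN_HELO, "X-Mailer: Mozilla 4.7 (constructed)")
```

With the unconditional counterweight, a Mozilla message whose HELO is fine ends at -7 and still lists a tripped test; the conditional variant leaves it at 0 with nothing tripped.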
