Yes, it's called HELO tests. This example you give should be tagged with FORGED_RCVD_HELO
And SA does loads more HELO tests by default; if it's not working there's probably something wrong with your DNS setup (missing Net::DNS or something like that). Go to the /usr/share/spamassassin/ dir and do a 'grep HELO *' and see how much it comes up with.

-Sietse

-----Original Message-----
From: John van Oppen [mailto:[EMAIL PROTECTED]
Sent: Friday, December 22, 2006 23:54
To: users@spamassassin.apache.org
Subject: test of HELO addresses

So, what I am looking for is a test that looks up the HELO address in DNS and compares it to the IP that it was sourced from. I have some spam with the following received characteristics which would have been a great demo for this possible test:

Received: from cpe-76-190-23-240.woh.res.rr.com (HELO earthlink.net) (76.190.23.240)
  by 0 with SMTP; Fri, 22 Dec 2006 14:48:14 -0800
From: "Kristi B Valladares" <[EMAIL PROTECTED]>

What I want to do is look up the HELO data in DNS (in this case earthlink.net) and confirm that the IP it was received from (in this case 76.190.23.240) is not the IP address (or even in the same subnet) that the HELO resolves to.

Is there a test that already does this?

Thanks,
John
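
The check asked about in this thread, sketched as an added example (not SpamAssassin code and not written by either poster): it parses the Received line quoted above, resolves the HELO name, and compares the result with the connecting IP, exactly or by subnet. The function names, the /24 and /64 subnet sizes, and the DNS answers in `CONSTRUCTED_DNS` are assumptions made for illustration.

```python
import ipaddress
import re
import socket

# Trace-line layout quoted in the post:
#   from <rDNS name> (HELO <helo name>) (<connecting IP>) by ...
RECEIVED_RE = re.compile(
    r"from\s+\S+\s+\(HELO\s+(?P<helo>[^)\s]+)\)\s+\((?P<ip>[0-9A-Fa-f.:]+)\)")

# Received line from the post; the DNS answers below are constructed.
SAMPLE = ("Received: from cpe-76-190-23-240.woh.res.rr.com (HELO earthlink.net) "
          "(76.190.23.240) by 0 with SMTP; Fri, 22 Dec 2006 14:48:14 -0800")
CONSTRUCTED_DNS = {"earthlink.net": ["192.0.2.10", "192.0.2.11"],
                   "mail.example.org": ["76.190.23.240"],
                   "near.example.org": ["76.190.23.9"]}

def constructed_resolver(name):
    """Offline stand-in for DNS, used for the sample data only."""
    return CONSTRUCTED_DNS.get(name.lower(), [])

def system_resolver(name):
    """Resolve a name to its A/AAAA addresses; empty list on failure."""
    try:
        infos = socket.getaddrinfo(name, None, proto=socket.IPPROTO_TCP)
    except (socket.gaierror, UnicodeError):
        return []
    return sorted({info[4][0].split("%")[0] for info in infos})

def check_helo(received, resolver=system_resolver, prefix_v4=24, prefix_v6=64):
    """Return 'match', 'same_subnet', 'mismatch', 'unresolvable' or 'no_helo'."""
    m = RECEIVED_RE.search(received)
    if not m:
        return "no_helo"
    try:
        src = ipaddress.ip_address(m.group("ip"))
    except ValueError:
        return "no_helo"
    helo = m.group("helo").strip("[]")
    try:
        addrs = [ipaddress.ip_address(helo)]  # address-literal HELO, no lookup
    except ValueError:
        addrs = [ipaddress.ip_address(a) for a in resolver(helo)]
    if not addrs:
        return "unresolvable"
    if src in addrs:
        return "match"
    prefix = prefix_v4 if src.version == 4 else prefix_v6
    net = ipaddress.ip_network(f"{src}/{prefix}", strict=False)
    if any(a.version == src.version and a in net for a in addrs):
        return "same_subnet"
    return "mismatch"
```

A "mismatch" on its own is weak evidence, since hosts behind NAT or with several interfaces often send a HELO name that resolves elsewhere; it is better used as one scored signal than as a reject rule.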