The following message could not be delivered to scott@newgeo.com at host newgeo.com (64.84.37.6) because the message content was rejected.

550 5.7.0 Text signature used in spam traffic detected (code: W-369810). Resend in 24 hours or contact the domain's postmaster.

-----

Received: from [63.175.177.201] (63.175.177.201) by mail.deepskytech.com with ESMTP (Eudora Internet Mail Server 3.2.6) for ; Fri, 18 Mar 2005 15:09:44 +0000
Date: Fri, 18 Mar 2005 15:10:41 +0000
From: "Steven G. Willis"
Subject: Re: bogus mail from rule
To: Scott Haneda
X-Priority: 3
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: quoted-printable
X-Mailer: Mailsmith 2.1.5 (Blindsider)

It hath once been written:

>I am curious to have this explained:
>
>Thu, Mar 17, 2005 5:38:13 PM -0800 Denes: (TEST) Blocked no MX record
>for lists.savingzbuy.com from mail.savingzbuy.com (209.51.131.218). Mail
>from , recipient
> using rule "BOGUSMAILFROM" in 1870 ms
>
>;; ANSWER SECTION:
>lists.savingzbuy.com. 43200 IN CNAME savingzbuy.com.
>savingzbuy.com. 43200 IN MX 5 savingzbuy.com.

See my previous email... This is one of the bugs we have found in the mx_host_ip_exists logic for the NS lookups. We should have this corrected in Denes v1.1.1. Basically, we are not looking for the CNAME record referencing a different MX host.

>Also, my prefs are this:
>Perform MAIL FROM Lookup When Empty = 0
>MAIL FROM Username When Empty =
>MAIL FROM Domain When Empty =
>
>To me, this page
>1.html> is not clear on what and how to set this pref up.
>
>* I suspect the above to be spam anyway.

It basically depends on what you want done with SMTP connections where the MAIL FROM is empty. I would bet that for _most_ installations at this time, leaving the previous as you have them (which would then skip the lookup) would work for the BogusMAILFROM rule.

But, by leaving it turned off (lookups for empty MAIL FROMs), you then expose a different problem: email from IPs on a DNSBL you use would not be blocked by Denes if the MAIL FROM was empty. Personally, I think the best values to set for this are to _enable_ the lookups for empty MAIL FROMs and put in a username and domain to substitute that would be considered local. For instance, for us here at Deep Sky Tech, I use the username of "empty_mf" and domain of "deepskytech.com". Think through the implications of this on the different rules you run and I bet you will see what this ends up doing then.

Let me know if you have any further questions.

Cheers!

================================================================
Steven G. Willis
sgwillis@deepskytech.com
866.224.3058

Deep Sky Technologies, Inc.
http://www.deepskytech.com/
http://www.badchickens.com/
http://www.store-secure.com/

AIM-iChat: dstisgwillis
================================================================
Thankfully they created the word 'muffin' else I would be eating a cupcake for breakfast
================================================================
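
An added example, not part of the original message and not Denes code: a sketch of the check the reply describes, following the CNAME before deciding that a MAIL FROM domain has no MX. The zone table, the function names, the loop-a/loop-b records and the 192.0.2.10 address are constructed for illustration; the first two records are the ANSWER SECTION quoted in the message.

```python
# Constructed zone data: the first two records are the ANSWER SECTION quoted
# in the message; the A record and the loop records are made up for the demo.
ZONE = {
    ("lists.savingzbuy.com.", "CNAME"): ["savingzbuy.com."],
    ("savingzbuy.com.", "MX"): [(5, "savingzbuy.com.")],
    ("savingzbuy.com.", "A"): ["192.0.2.10"],
    ("loop-a.example.", "CNAME"): ["loop-b.example."],
    ("loop-b.example.", "CNAME"): ["loop-a.example."],
}

MAX_CNAME_HOPS = 8  # assumption: upper bound on alias chain length


def lookup(name, rtype):
    """Exact-match lookup in the constructed zone (no alias handling)."""
    return ZONE.get((name.lower(), rtype), [])


def canonical_name(name):
    """Follow CNAME records to the canonical name; None on a loop or long chain."""
    seen = set()
    name = name.lower()
    while True:
        target = lookup(name, "CNAME")
        if not target:
            return name
        if name in seen or len(seen) >= MAX_CNAME_HOPS:
            return None
        seen.add(name)
        name = target[0].lower()


def naive_has_mx(domain):
    """Checks MX at the queried name only, so an aliased domain looks bogus."""
    return bool(lookup(domain, "MX"))


def has_deliverable_mx(domain):
    """Resolve aliases first, then require an MX whose host has an address."""
    owner = canonical_name(domain)
    if owner is None:
        return False
    for _pref, host in sorted(lookup(owner, "MX")):
        if lookup(host, "A"):
            return True
    return False
```

With the quoted records, `naive_has_mx("lists.savingzbuy.com.")` is false while `has_deliverable_mx("lists.savingzbuy.com.")` is true, which is the difference between the logged block and the expected result.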