>TeleFinder logs the "HELO" name, but does not use it.
>"sf-dnpqh-156.compuserve.net" is the name TF uses in spam blocking. It
>is possible that the client machine has both names, you'd need to do a
>complete NS lookup for that.

Hmm. A really cool utility would be to automatically do an NS lookup on any site identified as a SPAM site and then add the names of all domains it found to the Filtered Domains list, and send the "Postmaster" or "root" a message explaining that mail from their sites will no longer be accepted due to the SPAM content.

>The "MAIL FROM" is whatever the client system provides, it's not
>necessarily related to the headers in the message. I don't know if it
>is more likely to be different in SPAM or not.

The only legitimate reasons for a difference between "HELO" and "CONNECTED TO:" might be a firewall or proxy or a load balancing scheme involving multiple mail server CPUs. A user can configure their email client to say anything in the "MAIL FROM", especially if they have multiple providers and wish to direct replies to a specific one.

---
Daniel O'Leary, Sysop
KloneZone Mac - A TeleFinder 5.7 Mac/Windows BBS
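
Added example, not part of the original message and not TeleFinder code: a sketch of the lookup discussed in this thread, deciding whether a "HELO" name that differs from the connected name is simply a second name for the same machine. The DNS tables, addresses, `example.*` names and function names are constructed assumptions so the check runs offline; a real check would query a resolver.

```python
# Constructed DNS data (assumption): reverse (PTR) and forward (A) records.
PTR = {
    "192.0.2.10": ["sf-dnpqh-156.compuserve.net"],
    "192.0.2.20": ["mx1.example.org"],
    "192.0.2.30": ["forged.example.com"],      # PTR with no matching A record
}
A = {
    "sf-dnpqh-156.compuserve.net": ["192.0.2.10"],
    "mail.example.net": ["192.0.2.10"],        # second name for the same host
    "mx1.example.org": ["192.0.2.20"],
}


def norm(name):
    """Compare host names case-insensitively and without a trailing dot."""
    return name.strip().rstrip(".").lower()


def connected_names(ip, ptr=PTR, a=A):
    """Names for the connecting IP whose forward lookup points back to it.

    A PTR record is controlled by whoever owns the address block, so it is
    only trusted when the name it gives also resolves to the same address.
    """
    return [n for n in map(norm, ptr.get(ip, [])) if ip in a.get(n, [])]


def classify_helo(ip, helo, ptr=PTR, a=A):
    """Relate the client-supplied HELO name to the connecting address."""
    helo = norm(helo)
    confirmed = connected_names(ip, ptr, a)
    if not confirmed:
        return "no-confirmed-rdns"       # nothing reliable to compare against
    if helo in confirmed:
        return "helo-matches-connected"
    if ip in a.get(helo, []):
        return "helo-is-alias"           # the machine has both names
    return "helo-mismatch"               # HELO does not resolve to this host


if __name__ == "__main__":
    for ip, helo in [("192.0.2.10", "mail.example.net"),
                     ("192.0.2.10", "mx1.example.org")]:
        print(ip, helo, classify_helo(ip, helo))
```

Only the forward-confirmed connected name is suitable as a blocking key, since the "HELO" string is whatever the client chooses to send.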