When an e-mail matches a DNS black list from the DNS black list (insert X-Header) section of the Connection Filtering tab, an X-Header is inserted into the message. X-Headers are also inserted when a message fails a validation test, or if the Insert X-Header spam action is selected on the Content Filtering tab. This X-Header line indicates which spam test the message failed.
Also included in the X-Header is an IP address or CNAME that explains why the message is on the black list. Each black list has different reasons for blacklisting an IP address, such as dialups, bulk mailers, spammers and open relays.
Each black list also has different ways of categorizing the IP addresses. Some use different domains (query domains) to separate IP addresses based on the reason they are blacklisted. This type of categorization allows you to select the reasons for which you do not want to accept black listed mail, and use the domain that contains IP addresses for that reason.
Other black lists return a reason code in the form of an IP address (e.g. 127.0.0.3) to indicate why an IP address is blacklisted. Although all IP addresses are listed in one domain, each entry carries a reason code. For example, a code of 127.0.0.3 may represent a dialup account, and a code of 127.0.0.4 might represent a bulk mailer. The Fiveten black list is an example of one of these black lists.
Unfortunately, there is no standard across black lists. One black list may use separate query domains, and another may use reason/IP codes. Likewise, there is no standard across reason/IP codes. For one black list, 127.0.0.3 may represent dialups, and on another black list this code may represent bulk mailers. The best resource for finding out this information is the black list itself. By going to their websites, you can learn how each black list classifies the listed IP addresses.
An example and a table of all possible anti-spam X-Headers are shown below.
X-Header Example 1:
X-Header Example 2
| X-Header | Explanation |
|---|---|
| X-IMAIL-SPAM-ADDRBL: (name_of_service, message_ID, IP address/reason) | The message matched an ADDR black list. |
| X-IMAIL-SPAM-DNSBL: (name_of_service, message_ID, IP address/reason) | The message matched a DNS black list. |
| X-IMAIL-SPAM-HELOBL: (name_of_service, message_ID, IP address/reason) | The message matched a HELO/EHLO black list. |
| X-IMAIL-SPAM-HELODOMAIN: (domain_name) | The message failed the HELO/EHLO domain validation. |
| X-IMAIL-SPAM-INVALIDFROM: (from_address) | The message contained an invalid "FROM" address. |
| X-IMAIL-SPAM-IP4R: (name_of_service) | The message matched an IP4R(PTR) black list. |
| X-IMAIL-SPAM-STATISTIC: (<message ID>,<spam probability>) | The message has been identified as spam by the statistical filter. |
| X-IMAIL-SPAM-REVDNS: (ip_address) | The message failed a DNS lookup based on the IP address. |
| X-IMAIL-SPAM-RHSBL: (name_of_service, message ID, IP address/reason) | The message matched a RHS black list. |
| X-IMAIL-SPAM-PHRASE: (<message ID>) | A phrase in the message matched the phrase list. |
| X-IMAIL-SPAM-VALFROM: (<message ID>) | The message failed the "MAIL FROM" address validation. |
| X-IMAIL-SPAM-VALREVDNS: (<message ID>) | The message failed the reverse DNS lookup validation. |
| X-IMAIL-SPAM-VALHELO | The message failed the HELO/EHLO domain validation. |
| X-IMAIL-SPAM-FEATURES: (<message ID>, <found features>) | The message contained the specified HTML tags. |
| X-IMAIL-SPAM-URL-DBL: (<message ID>,<domain>) | The message contained HREF or IMG SRC tags with links to a domain name listed in the URL Domain Black List. |
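The following Python sketch is an added example, not part of the product or its documentation. It reads the X-IMAIL-SPAM-* headers from a message and resolves each reason code against the black list that returned it, since the same code can mean different things on different lists. It assumes the header value is a comma-separated list, optionally in parentheses, in the field order the table gives; the list names, reason-code mappings and sample message are constructed.

```python
import email
from email import policy

PREFIX = "X-IMAIL-SPAM-"
BL = ("service", "message_id", "reason")
# Field order per header, from the table above; others stay one raw value.
FIELDS = {"ADDRBL": BL, "DNSBL": BL, "HELOBL": BL, "RHSBL": BL,
          "STATISTIC": ("message_id", "probability"),
          "FEATURES": ("message_id", "features"),
          "URL-DBL": ("message_id", "domain")}

# Reason codes differ per list, so look them up by service name first.
# Constructed mappings: take the real ones from each list's website.
REASON_CODES = {
    "listA.example": {"127.0.0.3": "dialup", "127.0.0.4": "bulk mailer"},
    "listB.example": {"127.0.0.3": "bulk mailer"},
}

def spam_findings(raw_message, reason_codes=REASON_CODES):
    """Return one dict per X-IMAIL-SPAM-* header found in the message."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings = []
    for name, value in msg.items():
        if not name.upper().startswith(PREFIX):
            continue
        test = name.upper()[len(PREFIX):]
        text = str(value).strip().strip("()")
        names = FIELDS.get(test)
        if names:
            # maxsplit keeps commas inside the last field (e.g. features)
            parts = [p.strip() for p in text.split(",", len(names) - 1)]
            parts += [""] * (len(names) - len(parts))
            finding = dict(zip(names, parts))
        else:
            finding = {"value": text}
        finding["test"] = test
        if "reason" in finding:
            codes = reason_codes.get(finding["service"], {})
            finding["meaning"] = codes.get(finding["reason"], "unknown for this list")
        findings.append(finding)
    return findings

# Constructed sample message: the same code from two different lists.
SAMPLE = ("From: sender@example.org\n"
          "X-IMAIL-SPAM-DNSBL: (listA.example, 0123abcd, 127.0.0.3)\n"
          "X-IMAIL-SPAM-DNSBL: (listB.example, 0123abcd, 127.0.0.3)\n"
          "X-IMAIL-SPAM-VALREVDNS: (0123abcd)\n"
          "Subject: constructed sample\n\nbody\n")
```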