headers you may see in your e-mail and how to use them to decide which ones to block on

these headers still part of public beta of mailfiltering system so content and format subject to change ATM blocking on any of these headers will be available to users when the beta is finished and the final list of tests/header format is stable

any and all of the errors listed below in the bloc warn or Dumb catagories can be easily remedied by a compitent admin of the sending mailserver or its associated DNS, if you notice these errors on legitimate e-mail please feel free to instruct the remote sender to contact the admin to make them aware of the issue, and refer them here for information on making their mailsystem more easily athenticated/traceable and trustable to others [if we ever get all legit MTA's to use all these verification systems {so we can safely block on failure} we would wipe out most bot-direct-to-MX spam near instantly]

firstly encouraging connection-providers to not offer non-auth relay to customers and their bots, and later [when all bots start stealing auth details] they will dissallow autenticated users from envelope-spoofing, ensuring the infected user is alerted via ligitimate-bounce of their bot-infestation

additionally if then all-bots are all forced to use smtp-auth via freemail or free-webmail at least their will be financial incentive placed on them to clean up their networks/users

if you are a mailserver owner/admin who has been directecd here by a user/errorlog etc, and you need any of these terms explained or a helping hand fixing any of the issues feel free to contact myself for consultation, [small fixes will be free] but large work will require you to pay some sort of reduced consultancy fee [reduction is because anything making spam/ham easier to tell apart is good for everyone], yes i can remote-work on any system you can access{with your permission/co-operation}

additionally if wanting to find/fix the issues yourself please read this guide to running a valid-looking mailserver

warnings beside header X-AD-RPFS-DUMB-ADMIN-BUT-NOT-SPAM:

Now moved to X-AD-RPFS-DUMB-3 as well as X-AD-RPFS-LART being renamed to X-AD-RPFS-DUMB-0 to 2

warnings beside header X-AD-RPFS-BLOC-3:

few users see these as most mail failing these Sending-host-Protocol level tests is rejected by the server and thus never delivered to you the user

HELO-CHANGE-INVALID: Bot-Spoor : Its not nornal for an valid MTA to CHANGE its HELO/EHLO name mid-connectio, you tried "$acl_c_helo" earlier and now re-tried with "$sender_helo_name" (See RFC2821}
HELO-_-INVALID: Bot-Spoor or dumb Exchange server admin: Invalid HELO name sender_helo_name contains Underscores _ (See RFC2821 4.1.2)
HELO-\-INVALID: Bot-Spoor : Invalid HELO name sender_helo_name contains backslash \ (See RFC2821 4.1.2)
HELO-/-INVALID: Bot-Spoor : Invalid HELO name sender_helo_name contains forwardslash / (See RFC2821 4.1.2)
HELO-ISIP-INVALID: Bot-Spoor : Invalid HELO name sender_helo_name is an IP not [IP] (See RFC2821 4.1.3)
HELO-1918-IP-INVALID: Bot-Spoor : Invalid HELO name sender_helo_name is an RFC1918 [IP] address
HELO-MYIPP-INVALID: Bot-Spoor : Invalid HELO name sender_helo_name is my [IP] address
HELO-NO-.-INVALID: Bot-Spoor : Invalid HELO name sender_helo_name has no . in it (See RFC2821 4.1.1.1)
HELO-ENDS-.-INVALID: Bot-Spoor : Invalid HELO name sender_helo_name has ended with . (See RFC2821 4.1.1.1)
HELO-..-INVALID: Bot-Spoor : Invalid HELO name sender_helo_name has a . followed directly by a . (See RFC2821 4.1.1.1)
HELO-TLD-INVALID: Bot-Spoor : Invalid HELO name sender_helo_name has ended with a non-existant TLD such as .local .localhost .localdomain .invalid .lan .adsl (See RFC2821 4.1.1.1)
HELO-ME-INVALID: Bot-Spoor : Invalid HELO name sender_helo_name has used my name FORGERY
HELO-MINE-INVALID: Bot-Spoor : Invalid HELO name sender_helo_name has used one of my domains FORGERY
HELO-CHECK-NA-FAIL: Bot-Spoor : Invalid HELO name sender_helo_name is an [IP] address but not the sender_host_ip_address - likely forgery or very sloppy admin - can verify helo/ehlo without DNS or SPF sender_helo_name is an IP enclosed in [] but NOT sender_host_ip_address - also Sender host SHOULD use dns names in modern internet

warnings beside header X-AD-RPFS-BLOC-2:

few users see these as most mail failing these Message-Content level tests are rejected by the server and thus never delivered to you the user

SA-SCORE-xx.x SA-BAR-(++++++++++) SA-SPAM-YES: Spam : Spam Assassin assigned a score of 10 or more to the body of the message thus it is irrefutably spam

warnings beside header X-AD-RPFS-BLOC-1:

few users see these as most mail failing these Sending-host-Reputation level tests are rejected by the server and thus never delivered to you the user

IP-MANUAL-BL-XXXXX: Spammer : sender_host_ip_address is manually blacklisted by local administrator for reason XXXXXX
IP-DNS-BL-dnslist_domain "dnslist_text": Spammer : sender_host_ip_address is listed in dnslist_domain == the blacklist, dnslist_text == their explanation of the listing, ie they regard this IP as a source of spam additionally the DNSBL is regarded as seldom wrong
HELO-CSA-FAIL: Forgery : Forgery or Sender CSA is very badly run - can verify helo/ehlo by CSA but result claims this host is a forgery sender_helo_name is NOT allowed to be used by sender_host_ip_address

warnings beside header X-AD-RPFS-BLOC-0:

few users see these as most mail failing these valid-mta level tests are rejected by the server and thus never delivered to you the user

but newer checks enforcing ptr and helo spf dkim and other technologies for authenticating mail/senders will add the header in a non-blocking mode for long enough for the user to reqest that broken senders gets whitelisted or fixed, because apparently many admins of so clalled 'legitimate' mailservers do not understand the neccessity or FQRDNS and many have pure crap/lies in their HELO identities additionally several completely mess up their SPF for those HELO identities

if as a reciever of these e-mails you can email/phone/contact or in other ways convince the admin of the sending system to fix their dns{ptr a spf or csa} or Helo identitfier it would be greatly appreciated by the internet in general, and feel free to put them in contact with me

As help you can point them at my rough guide to setting up Mailservers to be valid-looking

IP-DNS-PTR-A-FAIL: Forgery : forged DNS PTR record or incredibly sloppy admin, sender_host_ip_address has forged RDNS as all DNS lookups of PTR record(s) suceeded and provided name(s), and all lookups of the returned name(s) succeeded, still none of those IP's matched to even the same network as this sender_host_ip_address thus attempted forgery of the PTR record for this IP proven
HELO-DNS-FAIL: Forgery : likely forgery or very sloppy admin - can NOT verify helo/ehlo with DNS sender_helo_name is NOT sender_host_ip_address, and not a "little off" its nowhere near, not even in the same Class C, as that would give HELO-DNS-NEAR
HELO-SPF-HARDFAIL: Forgery : Forgery or Sender SPF is very badly run - can verify helo/ehlo by SPF but result claims this host is a forgery sender_helo_name is NOT allowed to be used by sender_host_ip_address

warnings beside header X-AD-RPFS-WARN-3:

these are errors so severe that most hosts will reject the mail at the server but some of you demand to get mail from even badly configured hosts, rather than rejecting it and forcing them to fix their systems

As help you can point them at my rough guide to setting up Mailservers to be valid-looking

IP-DNS-PTR-NONE: Bot-Spoor / Forgery : no DNS PTR record thus host should not be considered part of the internet and sloppy admin, sender_hostst_ip_address has no RDNS as all DNS lookups of PTR record(s) gave a 'no such ip' response
IP-DNS-PTR-A-NONE: Bot-Spoor / Forgery : possibly forged DNS PTR record or sloppy admin, sender_host_ip_address has forged RDNS as all DNS lookups of A record(s) gave a 'no such host' response
HELO-DNS-NONE: Forgery : SPAM - Forgery or Senders mail server is very badly run - as the name in the HELO/EHLO does not exist
HELO-SPF-SOFTFAIL: Forgery : Forgery or Sender SPF is very badly run or still in test mode - can verify helo/ehlo by SPF but result claims this host is a forgery {MAYBE} - simply put softfail should never be needed in a helo as the admin should KNOW the ip's of his machines, or possibly is not helo'ing as the machine-role-name but helo'ing as the mail-domain through ignorance, either way no reason to trust the admin to run a clean house
HELO-SPF-NEUTRAL: Forgery : Forgery or Sender SPF is very badly run or still in test mode - can verify helo/ehlo by SPF but result claims this host is possibly a forgery - simply put neutral should never be needed in a helo as the admin should KNOW the ip's of his machines, or possibly is not helo'ing as the machine-role-name but helo'ing as the mail-domain through ignorance, either way no reason to trust the admin to run a clean house

warnings beside header X-AD-RPFS-WARN-2:

these are errors considered as severe than those in the BLOC and WARN catagories above but automatically detectable to our systems as possibly due to temporary DNS problems, though many spam senders use these 'Apparently' temporary problems to mask their invalidity.

These failures are still due to bad maintenance of DNS on the sending systems side so rejecting on these is possible as a LARTing tool if you don't mind loosing e-mail

As help you can point them at my rough guide to setting up Mailservers to be valid-looking

IP-DNS-PTR-DEFER: Bot-Spoor / Forgery / DNS-faulty : no DNS PTR record found thus host should not be considered part of the internet and has a sloppy admin, sender_hostst_ip_address has no RDNSbut as all DNS lookups for PTR record(s) gave a 'defer'/'try later' response problem might just be a server temporarilly down
IP-DNS-PTR-A-DEFER: Bot-Spoor / Forgery / DNS-faulty : possibly forged DNS PTR record or sloppy admin or server down, sender_host_ip_address has forged RDNS but as all DNS lookups of A record(s) gave a 'defer'/'try later' response problem might just be a server temporarilly down
IP-DNS-PTR-A-FAIL-DEFER: Bot-Spoor / Forgery / DNS-faulty : forged DNS PTR record or incredibly sloppy admin or server down, sender_host_ip_address has forged RDNS as all DNS lookups of PTR record(s) suceeded and provided name(s), but not all lookups of the returned name(s) succeeded, none of those IP's matched to even the same network as this sender_host_ip_address but at least one DNS lookups of A record(s) gave a 'defer'/'try later' response problem might just be a server temporarilly down
HELO-DNS-DEFER: possibly forged HELO/EHLO name but cannot verify as DNS lookups of A record gave a 'defer'/'try later' response problem might just be a server temporarilly down
HELO-SPF-TEMPERROR: Forgery / DNS-faulty : Sender SPF is poor - or forged helo - not checkable due to temporary condition as recieved a 'defer'/'try later' response problem might just be a server temporarilly down
HELO-CSA-DEFER: Forgery / DNS-faulty : Sender CSA is poor - or forged helo - not checkable due to temporary condition as recieved a 'defer'/'try later' response problem might just be a server temporarilly down

warnings beside header X-AD-RPFS-WARN-1:

IP-CC-XX/NONE-SPAMMY: Distrust : XX == the country of sender_host_ip_address AND the country in a country/ip-block with high spam/low-zero mail volume OR NONE == Unregistered IP Thus Likely SPAM
list currently NONE AE AR BA BE BF BO BR BS BY CH CI CL CO CN DK DO EE GR HK HN HR HU ID IL IN JO KH KR LK LT LV MA MK MX MY PE PH PT RO RU TH TR SG SK SN SV SY TW UA UY VN
IP-DNS-BL-dnslist_domain "dnslist_text": Distrust / Spammy : sender_host_ip_address is listed in dnslist_domain == the blacklist, dnslist_text == their explanation of the listing, ie they regard this IP as a source of spam additionally the DNSBL is regarded as occasionally wrong
SA-SCORE-x.x SA-BAR-(+++++) SA-SPAM-YES: Distrust / Spammy : Spam Assassin assigned a score of 5-10 to the body of the message thus it is likely spam

warnings beside header X-AD-RPFS-WARN-0:

these are errors with SPF that many hosts will reject the mail at the server but some of you demand to get mail from even badly configured domains via these 3rd parties, as is well known many legitimate mails fail SPF on envelope-sender {as this is not as cut and dry as SPF for HELO} as most admins configuring envelope-sender do not have any method of knowing about other hosts that may be forwarding mail for recipients onward, greeting card sites sending mail on behalf of their users etc.

As help you can point them at my rough guide to setting up Mailservers to be valid-looking

ES-SPF-HARDFAIL: Admin-Claims-Forged : Forgery or Sender SPF is very badly run or user ignoring policy - can verify envelope-sender/MAIL-FROM: by SPF but result claims this host is a forgery sender_address is NOT allowed to be used by sender_host_ip_address, ie the admin of @domain did dosn't allow user@domain to send from here some users may differ with his opinion of course
ES-SPF-TEMPERROR: Bad-Admin : Sender SPF is poor - or forged helo - not checkable due to temporary condition as recieved a 'defer'/'try later' response problem might just be a server temporarilly down
ES-DNS-BL-BMX-RFCI "$dnslist_text": Bad-Admin : sender_address_domain found in bogusmx.rfc-ignorant.org, ie domain of sender-address is so bad that itsMX records have at least one record that is completelt bogus/non-existant this is a good sign that replies will not work

warnings beside header X-AD-RPFS-DUMB-3:

these are serious errors from the catagories above moved here due to local whitelisting, ie. we know the sending systems are valid despite the admins choosing to configure them badly so they appear invalid

These failures are still due to bad administration on the sending systems side so rejecting on these is possible as a LARTing tool if you don't mind loosing e-mail

As help you can point them at my rough guide to setting up Mailservers to be valid-looking

All from BLOC-3

with additional "Excuse=xxxxx" added

From BLOC-0

IP-DNS-PTR-A-FAIL Excuse=xxx.xxx.xxx.xxx-is-name-comment: Forgery : forged DNS PTR record or incredibly sloppy admin, sender_host_ip_address has forged RDNS as all DNS lookups of PTR record(s) suceeded and provided name(s), and all lookups of the returned name(s) succeeded, still none of those IP's matched to even the same network as this sender_host_ip_address thus attempted forgery of the PTR record for this IP proven
HELO-DNS-FAIL: Forgery : likely forgery or very sloppy admin - can NOT verify helo/ehlo with DNS sender_helo_name is NOT sender_host_ip_address, and not a "little off" its nowhere near, not even in the same Class C, as that would give HELO-DNS-NEAR

From WARN-3

IP-DNS-PTR-NONE Excuse=xxx.xxx.xxx.xxx-is-name-comment: Bot-Spoor / Forgery : no DNS PTR record thus host should not be considered part of the internet and sloppy admin, sender_hostst_ip_address has no RDNS as all DNS lookups of PTR record(s) gave a 'no such ip' response
IP-DNS-PTR-A-NONE Excuse=xxx.xxx.xxx.xxx-is-name-comment: Bot-Spoor / Forgery : possibly forged DNS PTR record or sloppy admin, sender_host_ip_address has forged RDNS as all DNS lookups of A record(s) gave a 'no such host' response
HELO-DNS-NONE: Forgery : SPAM - Forgery or Senders mail server is very badly run - as the name in the HELO/EHLO does not exist

warnings beside header X-AD-RPFS-DUMB-2:

these are errors considered as severe than those in the BLOC and WARN catagories above but automatically detectable to our systems as admin mal-education or mis-configuration instead of forgery, and many 'legit' servers fail these tests

These failures are still due to bad administration on the sending systems side so rejecting on these is possible as a LARTing tool if you don't mind loosing e-mail

As help you can point them at my rough guide to setting up Mailservers to be valid-looking

IP-DNS-PTR-A-NEAR: possibly forged DNS PTR record but more likely sloppy admin, sender_host_ip_address has broken RDNS as all DNS lookups of PTR record(s) suceeded and provided name(s), and all lookups of the returned name(s) succeeded, but those ip's Matched the same network but not identical to this sender_host_ip_address it seems likely the server has been moved and the records left unfixed by a sloppy admin
IP-DNS-PTR-A-NEAR-DEFER: possibly forged DNS PTR record but more likely sloppy admin or server down, sender_host_ip_address has broken RDNS as above but additionally at least one DNS lookups of A record(s) gave a 'defer'/'try later' response problem might just be a server temporarilly down
PTR-SPF-NONE: likely sloppy admin - Sender SPF is not well run - if malware on this ip looking up its own name, connected outbound, it will not be blocked by spf, shows a badly run system
PTR-SPF-PASS: likely sloppy admin - Sender SPF is not at all well run - if malware on this ip looking up its own name, connected outbound it will be positivly verified by spf, shows a very badly run system
HELO-CHECK-NA-PASS: Lart - Sender host is not well run - can verify helo/ehlo without DNS or SPF sender_helo_name is sender_host_ip_address lierally - but Sender host SHOULD use dns names in modern internet
HELO-DNS-WRONG: FAIL - IDIOCY - very sloppy admin - can NOT verify helo/ehlo with DNS sender_helo_name is NOT sender_host_ip_address, and not a "little off" its nowhere near, not even in the same Class C, as that would give HELO-DNS-NEAR, but likely the admin has configured mailserver to helo/ehlo with the email domain instead of the mailservers name, thus dumb but not forgery, {we put it in wrong not FAIL if the ip has FQDNS and the helo is a substring of the right side of the FQDNS-name}
HELO-DNS-NEAR: possibly forged HELO/EHLO but more likely sloppy admin, as the ip address given when looking up the HELO name Matched the same network but not identical to this sender_host_ip_address it seems likely the server has been moved and the records left unfixed by a sloppy admin
HELO-SPF-PERMERROR: Sender SPF is poor - not checkable due to synax error, the SPF record exists but makes no sense due to admin typo
ES-SPF-PERMERROR: Sender SPF is poor - not checkable due to synax error, the SPF record exists but makes no sense due to admin typo
ES-DNS-BL-NPM-RFCI "$dnslist_text": postmaster@sender_address_domain refuses mail [illegal] {thus listed in a black list at postmaster.rfc-ignorant.org}
ES-DNS-BL-NAB-RFCI "$dnslist_text": abuse@sender_address_domain refuses mail [illegal] {thus listed in a black list at abuse.rfc-ignorant.org}
ES-DNS-BL-DSN-RFCI "$dnslist_text": sender_address_domain refuses bounces [illegal] {thus listed in a black list at dsn.rfc-ignorant.org

warnings beside header X-AD-RPFS-DUMB-1:

these are errors considered less severe than those above, few reject based on these errors, and many 'legit' servers fail these tests

These failures are still due to bad administration on the sending systems side so rejecting on these is possible as a LARTing tool if you don't mind loosing e-mail

As help you can point them at my rough guide to setting up Mailservers to be valid-looking

HELO-SPF-OTHER: Lart - Sender SPF is poor - forgery of this hostname by others is undetectable due unknown error in SPF result
ES-SPF-SOFTFAIL: SPAM - Forgery or Sender SPF is very badly run or still in test mode - can verify envelope-sender/MAIL-FROM: by SPF but result claims this host is possibly a forgery {but might not be so don't bin please} - simply put softfail is used when he wishes to have mail sent via his systems pass but not block users from using their own, yes still encourage them to use his by not using neutral
ES-SPF-OTHER: Lart - Sender SPF is poor - forgery of this envelope-sender/MAIL-FROM: by others is undetectable due unknown error in SPF result
SA-SCORE-x.x SA-BAR-(++): Spam Assassin assigned a score of 1-5 to the body of the message thus it is possibly spam

warnings beside header X-AD-RPFS-DUMB-0:

these are NOT errors or test failures rather signs of lazy / uncaring admin policy, few reject based on these test results, and many 'legit' servers have these results

These results are still due to lazy administration on the sending systems side so rejecting on these is possible as a LARTing tool if you don't mind loosing e-mail

As help you can point them at my rough guide to setting up Mailservers to be valid-looking

HELO-SPF-NONE: Lart - Sender SPF is poor - forgery of this hostname by others is undetectable due to sloppy SPF admin - cannot verify helo/ehlo by SPF sender_helo_name has no SPF record, this is such a simple forgery avoidance system it is plain stupid not to set it up, also unlike envelope-sender SPF records must merely contain "v=spf1 A -all" also unlike envelope-sender SPF records should always be terminated -all
HELO-CSA-NONE: Lart - Sender CSA is poor - forgery of this hostname by others is undetectable due to sloppy CSA admin - cannot verify helo/ehlo by CSA sender_helo_name has no CSA record, this unfortunatly powerfull anti-forgery system is regarded as abandoned, but still worth setting up for bonus point
ES-SPF-NONE: Lart - Sender SPF is poor - forgery of this envelope-sender/MAIL-FROM: by others is undetectable due to sloppy SPF admin - cannot verify helo/ehlo by SPF sender_helo_name has no SPF record, setting up envelope-sender SPF badly breaks many forwarders and sites that send mail on users behalf so reccomend only ending SPF terminated with ~all or ?all {as this will still improve the rank of mail sent via your own servers} never terminate with -all unless you have draconian control over all that domains users {such as domains with strict [contract-controlled] usage policies or ones used by automated senders only}

Information beside header X-AD-RPFS-INFO-0:

IP-DNS-PTR-A-PASS: verifiable identity found for sender_host_ip_address, sending host has FQRDNS
IP-CC=XX: XX == the country of sender_host AND country not large spam source OR if it is this IP is a known verified legit sender
IP-MANUAL-WL-XXXXXX: sender_host_ip_address is manually Whitelisted by local administrator for reason XXXXXX
IP-DNS-WL-dnslist_domain "dnslist_text": sender_host_ip_address is listed in dnslist_domain == the whitelist, dnslist_text == their explanation of the listing, ie they regard this IP as trustable source of mail additionally the DNSBL is regarded as seldom wrong
IP-DNS-WL-DNSWL-X "dnslist_text": Listed in dnswl.org whitelist X=3 very trusted for no spam {no content checking needed -100 from spam-score} X=2 trusted for little spam {some content checking -10 from spam-score} X=1 trusted for limited spam {content checking needed {-1 from spam-score} X=0 Legit mailer but likely some spam too {think hotmail, gmail, so content filter as usual, just no ip filtering}
HELO-DNS-PASS HELO=sender_helo_name: Sender DNS is properly run - can verify helo/ehlo by DNS
ES-SPF-NEUTRAL: Sender SPF exists but sender dosn't restrict where envelope-sender/MAIL-FROM: address is allowed from
SA-SCORE-x.x SA-BAR-(/): Spam Assassin assigned a score of 1 or less to the body of the message thus it is unlikely to be spam

these are informational headers only, recording tests passed thus far livejournal is the only sending system only generating good and info headers

Information beside header X-AD-RPFS-GOOD-0:

HELO-DNS-GOOD IP=sender_host_ip_address HELO=FQDNS=sender_helo_name: Sender DNS is properly run - can verify helo/ehlo by DNS additionally, verifiable identity found for sender_host_ip_address, sending host has FQRDNS
HELO-SPF-PASS: Trust - Sender SPF is well run - can verify helo/ehlo by SPF
PTR-SPF-GOOD: Trust - Sender SPF is well run - if helo != ptr, malware looking up its own name will be blocked by spf, shows a well run system
ES-SPF-PASS: Trust - Sender SPF is well run - can verify envelope-sender/MAIL-FROM: address is allowed from this sender_host_ip_address
SA-SCORE--x.x SA-BAR-(-): Spam Assassin assigned a score of 0 or less to the body of the message thus it is very unlikely to be spam

these are informational headers only, recording tests passed but ones so uncommonly passed as to imply trust to the sender administration being spam-aware

Information beside header X-AD-RPFS-GOOD-1:

HELO-DNS-GOLD IP=sender_host_ip_address HELO=sender_helo_name FQDNS=sender_ptr_name DOMAIN=sender_common_name: Sender DNS is perfectly run - can verify helo/ehlo by DNS additionally, verifiable identity found for sender_host_ip_address, sending host has FQRDNS and host is using unique name for both identities to ensure malware on the host or network cannot reasonably determine a valid helo to use