Add-Edit: Routing domain
When you specify a value in the Routing domain: field, it is compared against the first "word" following the Received: from and Received: by line(s) of the email header. All other information appearing in the Received: portion of the header is ignored. A word is defined as text that is both preceded and followed by a space.
In the example below, the first "words" of the Received: lines are shown in red; any of these "words," if entered into the Routing Domain field of a spam filter rule, would trigger a match.
Received: from us-mozzeralla.trendmicro.com (mozart.trendmicro.com [123.12.123.12]) by us-cheddar.trendmicro.com with SMTP (Microsoft Exchange Internet Mail Service Version 5.5.1960.3) id PL743RAQ; Wed, 22 Jul 1999 05:02:40 -0700
Received: from 123.12.123.12 by us-mozzeralla.trendmicro.com (InterScan E-mail VirusWall); Wed, 22 Jul 1999 05:04:08 -0800
Received: from UPIMSSMTPUSR03 - 123.12.123.12 by email.msnsm.com with Microsoft SMTPSVC; Wed, 22 Jul 1999 04:59:45 -0700
Received: from ipt - 123.12.123.12 by email.msnsm.com with Microsoft SMTPSVC; Wed, 22 Jul 1999 04:58:02 -0700
Because the Received: address is pre-pended (added to the front of the list) by each SMTP server that processes the message, these line(s) tend to be the most reliable in the message header.
Be sure not to enter the domain name of an Internet backbone, for example mci.net, in the Routing domain field.
If you use address fragments, for example the two-letter domain names, be sure to check the Exact Match box to avoid unexpected results.
In general, identifying a spammer's true routing domain, or even a fake one, can provide solid data for constructing rules because automated bulk emailers (and humans) tend to reuse the same fake domain names time and time again.
One problem with filtering spam solely on the basis of routing domain is the phenomenon of the "whack-a-mole" spammers: spammers who pop up at one ISP and unload a batch of spam, then duck down, only to pop up at another ISP to do the same thing.
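The comparison described above, as an added example (not the product's own code): it pulls the first word after "from" and after "by" from each Received: line and tests a rule value against those words only. It assumes that matching is case-insensitive and that, without Exact Match, a value matches anywhere inside a word; the function names are hypothetical.

```python
# Added example: models the Routing domain comparison described on this page.
# Constructed sample: the four Received: lines from the page's example.
SAMPLE_HEADERS = [
    "Received: from us-mozzeralla.trendmicro.com (mozart.trendmicro.com "
    "[123.12.123.12]) by us-cheddar.trendmicro.com with SMTP (Microsoft "
    "Exchange Internet Mail Service Version 5.5.1960.3) id PL743RAQ; "
    "Wed, 22 Jul 1999 05:02:40 -0700",
    "Received: from 123.12.123.12 by us-mozzeralla.trendmicro.com "
    "(InterScan E-mail VirusWall); Wed, 22 Jul 1999 05:04:08 -0800",
    "Received: from UPIMSSMTPUSR03 - 123.12.123.12 by email.msnsm.com "
    "with Microsoft SMTPSVC; Wed, 22 Jul 1999 04:59:45 -0700",
    "Received: from ipt - 123.12.123.12 by email.msnsm.com "
    "with Microsoft SMTPSVC; Wed, 22 Jul 1999 04:58:02 -0700",
]


def routing_words(received_line):
    """Return the first space-delimited word after 'from' and after 'by'."""
    tokens = received_line.split()
    words = []
    for keyword in ("from", "by"):
        if keyword in tokens:
            idx = tokens.index(keyword)  # first occurrence only
            if idx + 1 < len(tokens):
                words.append(tokens[idx + 1])
    return words


def rule_matches(rule_value, received_lines, exact_match=False):
    """Return the routing words that a Routing domain rule value would hit.

    Assumption: exact_match=True requires the whole word to equal the value;
    exact_match=False treats the value as a case-insensitive fragment.
    """
    needle = rule_value.lower()
    hits = []
    for line in received_lines:
        for word in routing_words(line):
            candidate = word.lower()
            if (candidate == needle) if exact_match else (needle in candidate):
                hits.append(word)
    return hits


if __name__ == "__main__":
    for value, exact in [("us", False), ("us", True),
                         ("mozart.trendmicro.com", False)]:
        print(value, exact, rule_matches(value, SAMPLE_HEADERS, exact))
```

The fragment "us" hits four words without Exact Match, including the unrelated host name UPIMSSMTPUSR03, and none with it; "mozart.trendmicro.com" never matches because it appears only inside the parenthesised part of the line.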
See also:
Exploiting Bulk Emailer
Tracking Spammers
Example Received Fields