[Mimedefang] New spammer trick?
Jim McCullars
jim at info.uah.edu
Tue Nov 25 12:52:21 EST 2003
On Tue, 25 Nov 2003, dr john halewood wrote:
> >only "CLIENT.comcast.net" fails. I happily take email from comcast.net
> >provided it passes the rest of the filters.

Has Comcast changed the way they reverse-DNS customer IPs? I have been
blocking things like mi.comcast.net, tn.comcast.net, fl.comcast.net, etc.
Sure would be nice to catch them all with one Connect: tag in the access
db.

> The other thing I see a lot of is spam from faked aol.com and yahoo.com
> addresses. I can tell by looking at the headers that a message from
> blah at aol.com that's relayed via ES152093.user.veloxzone.com.br is obviously

A few weeks ago, I decided that enough was enough and blackholed
Brazil, using a list of Class B and Class C blocks that I got from
brazil.blackholes.us. I don't think we recruit from there, and it sure
has cut down on the spam.

> spend looking through quarantine notifications if I could simply do a check
> for something like
> if ( $Sender =~ /aol\.com$/ and ($Relay !~ /aol\.com$/ and $Relay !~
> /my\.backup\.mx$/) ) { return("REJECT","blah");}

Careful with that $Sender check, since an address can have angle
brackets around it. David posted a piece of code that you can look at
here:
http://lists.roaringpenguin.com/pipermail/mimedefang/2002-November/012169.html
David, just out of curiosity, why did you use that approach rather than
just simple regex checking?
Jim McCullars
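
The sender-versus-relay check discussed in this message, as an added example that is not part of the original thread and is not the code from the linked post. It normalizes the envelope sender (angle brackets, case) before comparing domains; the `%ALLOWED_RELAYS` table, the function names and the hostnames `relay1.mx.aol.com` and `mail.notaol.com` are constructed for illustration.

```perl
use strict;
use warnings;

# Hypothetical policy: sender domain => relay hostname suffixes allowed
# to deliver it. my.backup.mx is the placeholder name used in the post.
my %ALLOWED_RELAYS = (
    'aol.com'   => [ 'aol.com',   'my.backup.mx' ],
    'yahoo.com' => [ 'yahoo.com', 'my.backup.mx' ],
);

# Reduce an envelope sender such as "<Blah@AOL.COM>" to "aol.com".
# Returns undef for the null sender "<>" or anything without a domain.
sub sender_domain {
    my $sender = shift // '';
    $sender =~ s/^\s*<?\s*//;              # leading whitespace and "<"
    $sender =~ s/\s*>?\s*$//;              # trailing ">" and whitespace
    return unless $sender =~ /\@([^\@\s]+)\z/;
    (my $domain = lc $1) =~ s/\.\z//;      # lower-case, drop trailing dot
    return $domain;
}

# True if $host is $suffix or a subdomain; "notaol.com" must not pass.
sub host_in_domain {
    my ($host, $suffix) = @_;
    ($host = lc $host) =~ s/\.\z//;
    return $host eq $suffix || $host =~ /\.\Q$suffix\E\z/;
}

# Takes the envelope sender and relay hostname (the first and third
# arguments of MIMEDefang's filter_sender) and returns (action, message).
sub check_sender_relay {
    my ($sender, $hostname) = @_;
    my $domain  = sender_domain($sender);
    my $allowed = defined $domain ? $ALLOWED_RELAYS{$domain} : undef;
    return ('CONTINUE', 'ok') unless $allowed;
    return ('CONTINUE', 'ok') if grep { host_in_domain($hostname, $_) } @$allowed;
    return ('REJECT', "Mail from $domain is not accepted via $hostname");
}

# Constructed sample inputs: [ envelope sender, relay hostname ].
for my $case (
    [ '<blah@aol.com>', 'ES152093.user.veloxzone.com.br' ],
    [ 'blah@AOL.COM',   'relay1.mx.aol.com' ],
    [ '<blah@aol.com>', 'mail.notaol.com' ],
    [ '<>',             'ES152093.user.veloxzone.com.br' ],
) {
    my ($action) = check_sender_relay(@$case);
    printf "%-16s %-32s %s\n", @$case, $action;
}
```

The relay hostname comes from reverse DNS, which is controlled by whoever owns the connecting IP range, so the check is only as reliable as that lookup.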