[Mimedefang] New spammer trick?

Jim McCullars jim at info.uah.edu
Tue Nov 25 12:52:21 EST 2003

On Tue, 25 Nov 2003, dr john halewood wrote:

> >only "CLIENT.comcast.net" fails. I happily take email from comcast.net
> >provided it passes the rest of the filters.

   Has Comcast changed the way they reverse-DNS customer IPs?  I have been
blocking things like mi.comcast.net, tn.comcast.net, fl.comcast.net, etc.
Sure would be nice to catch them all with one Connect: tag in the access

>  The other thing I see a lot of is spam from faked aol.com and yahoo.com
> addresses. I can tell by looking at the headers that a message from
> blah at aol.com that's relayed via ES152093.user.veloxzone.com.br is obviously

   A few weeks ago, I decided that enough was enough and blackholed
Brazil, using a list of Class B and Class C blocks that I got from
brazil.blackholes.us.  I don't think we recruit from there, and it sure
has cut down on the spam.

> spend looking through quarantine notifications if I could simply do a check
> for something like
> if ( $Sender =~ /aol\.com$/ and ($Relay !~ /aol\.com$/ and $Relay !~
> /my\.backup\.mx$/) ) { return("REJECT","blah");}

   Careful with that $Sender check, since an address can have angle
brackets around it.  David posted a piece of code that you can look at


   David, just out of curiosity, why did you use that approach rather than
just simple regex checking?

Jim McCullars
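
The sender/relay consistency check discussed in this thread, as an added example that is not part of the original post and is not the code David posted. It normalises the envelope sender (optional angle brackets, mixed case) before comparing; the domain table, the trusted-relay list and the helper names are assumptions for illustration.

```perl
use strict;
use warnings;

# Assumptions: which relay domains are expected for each sender domain,
# and which hosts (e.g. a backup MX) are allowed to relay for anyone.
my %EXPECTED_RELAY = (
    'aol.com'   => ['aol.com'],
    'yahoo.com' => ['yahoo.com'],
);
my @TRUSTED_RELAYS = ('my.backup.mx');

# Lower-case the envelope sender, drop optional <> and return its domain.
sub sender_domain {
    my ($sender) = @_;
    $sender = lc($sender // '');
    $sender =~ s/^\s*<//;
    $sender =~ s/>\s*$//;
    return $sender =~ /\@([^\@\s]+)$/ ? $1 : '';
}

# True if $host is $domain or a subdomain of it. The match is anchored on a
# label boundary, so "notaol.com" does not count as "aol.com".
sub host_in_domain {
    my ($host, $domain) = @_;
    $host = lc($host // '');
    $host =~ s/\.$//;
    return $host eq $domain || $host =~ /\.\Q$domain\E$/ ? 1 : 0;
}

# True when the sender claims a listed domain but the relay is neither in
# that domain nor one of the trusted relays.
sub relay_mismatch {
    my ($sender, $relay) = @_;
    my $expected = $EXPECTED_RELAY{ sender_domain($sender) } or return 0;
    return 0 if grep { host_in_domain($relay, $_) } @$expected, @TRUSTED_RELAYS;
    return 1;
}

# MIMEDefang hook: $hostname is the relay's name as resolved by the MTA.
sub filter_sender {
    my ($sender, $ip, $hostname, $helo) = @_;
    return ('REJECT', 'Sender domain does not match relay')
        if relay_mismatch($sender, $hostname);
    return ('CONTINUE', 'ok');
}

# Constructed samples; this runs only when the file is executed directly.
unless (caller) {
    for my $t (['<blah@aol.com>', 'ES152093.user.veloxzone.com.br'],
               ['<blah@AOL.COM>', 'imo-m01.mx.aol.com'],
               ['blah@aol.com',   'my.backup.mx']) {
        printf "%-16s via %-32s => %s\n", @$t, (filter_sender($t->[0], '', $t->[1], ''))[0];
    }
}
1;
```

Legitimate users who send with an aol.com or yahoo.com address through another provider's relay will also be rejected by this rule, so the domain table should list only domains where that trade-off is acceptable.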
