[Mimedefang] New SPAM how to identify/block

Larry Starr larrys at fullcompass.com
Wed Mar 29 13:22:55 EST 2006


I've recently seen a new, at least to me, form of spam.

The envelope header "From" is "cartridges at 00inkjets.com".
The Header "From"   is rob76-5-82-245-93-7.fbx.proxad.net

When I looked at the first of these, that was reported to me, I saw the Header 
"From" as "rob76-5-82-245-93-7.fbx.proxad.net at mydomain.com".  This, at first, 
caught me by surprise, since I have a rule, in "filter_sender" that will 
reject senders that come from outside and claim to be from my domain.  It 
took me a bit to realize that since there was no domain, on the Header 
"From" my sendmail had rewritten it, as a local address, and added my 
domainname.

Several of the messages, of this sort, that I've found in the logs were scored 
high enough, by spamassassin, to be blocked, but a good number flew below the 
SPAM radar and were delivered untagged.

I guess my questions are:
1.	Is there a mimedefang rule (or sendmail config option) that would detect 
that the Envelope and Header senders differ?
2.	Are there "legitimate" reasons that these headers may differ (I don't 
want to trigger false positives).
	
Any help or pointers would be appreciated.

Thank you,
-- 
Larry G. Starr - larrys at fullcompass.com or starrl at globaldialog.com
Software Engineer: Full Compass Systems LTD.
Phone: 608-831-7330 x 1347  FAX: 608-831-6330
===================================================================
There are only three sports: bullfighting, mountaineering and motor
racing, all the rest are merely games! - Ernest Hemingway
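
The two conditions raised in the message above, as an added example that is not part of the original post and not MIMEDefang's own code: a standalone Perl script that flags a header From with no domain (the case sendmail qualified with the local domain) and reports an envelope/header mismatch separately, since mailing lists and forwarders legitimately use an envelope sender that differs from the header From. The names `bare_addr` and `check_from`, the finding labels and the sample addresses other than the two quoted in the post are constructed; `mydomain.com` is the placeholder used in the post.

```perl
# Added example: compare the envelope sender with the header From and
# flag a header From that carries no domain at all.
use strict;
use warnings;

# Assumption: the domains this server treats as local (placeholder from the post).
my %LOCAL = map { lc($_) => 1 } ('mydomain.com');

# Reduce 'Name <user@host>' or '<user@host>' to the bare address, lower-cased.
sub bare_addr {
    my ($raw) = @_;
    $raw = '' unless defined $raw;
    $raw =~ s/\([^)]*\)//g;            # drop (comments)
    $raw = $1 if $raw =~ /<([^>]*)>/;  # prefer the angle-bracket part
    $raw =~ s/^\s+|\s+$//g;            # trim surrounding whitespace
    return lc $raw;
}

# Returns a list of findings for one message; an empty list means nothing unusual.
sub check_from {
    my ($env_sender, $hdr_from, $relay_is_local) = @_;
    my $env = bare_addr($env_sender);
    my $hdr = bare_addr($hdr_from);
    my @findings;
    my ($hdr_dom) = $hdr =~ /\@([^\@]+)$/;
    if ($hdr ne '' && !defined $hdr_dom) {
        # No domain: sendmail would append the local domain to this address.
        push @findings, 'header-from-unqualified';
    }
    elsif (defined $hdr_dom && $LOCAL{$hdr_dom} && !$relay_is_local) {
        push @findings, 'header-from-claims-local-domain';
    }
    # A mismatch alone is normal for list and forwarded mail: score it, do not reject on it.
    push @findings, 'envelope-header-mismatch' if $env ne '' && $hdr ne '' && $env ne $hdr;
    return @findings;
}

# Samples: [envelope sender, header From, relay is local?]. The first pair is
# the one quoted in the post; the rest are constructed.
my @samples = (
    ['<cartridges@00inkjets.com>',       'rob76-5-82-245-93-7.fbx.proxad.net', 0],
    ['<list-bounces@lists.example.org>', 'Alice <alice@example.net>',          0],
    ['<bob@example.net>',                'Bob <bob@example.net>',              0],
    ['<x@example.net>',                  'Boss <boss@mydomain.com>',           0],
);
for my $s (@samples) {
    my @f = check_from(@$s);
    printf "%-34s %-38s %s\n", $s->[0], $s->[1], @f ? join(',', @f) : 'ok';
}
```

The first sample produces both `header-from-unqualified` and `envelope-header-mismatch`; the list-style sample produces only the mismatch finding, which is why that finding is better used as a score contribution than as a reject rule.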