[Mimedefang] New SPAM how to identify/block
larrys at fullcompass.com
Wed Mar 29 13:22:55 EST 2006
I've recently seen a new, at least to me, form of spam.
The envelope header "From" is "cartridges at 00inkjets.com".
The Header "From" is rob76-5-82-245-93-7.fbx.proxad.net
When I looked at the first of these, that was reported to me, I saw the Header
"From" as "rob76-5-82-245-93-7.fbx.proxad.net at mydomain.com". This, at first,
caught me by surprise, since I have a rule, in "filter_sender" that will
reject senders that come from outside and claim to be from my domain. It
took me a bit to realize that since there was no domain, on the Header
"From" my sendmail had rewritten it, as a local address, and added my
Several of the messages, of this sort, that I've found in the logs were scored
high enough, by spamassassin, to be blocked, but a good number flew below the
SPAM radar and were delivered untagged.
I guess my questions are:
1. Is there a mimedefang rule (or sendmail config option) that would detect
that the Envelope and Header senders differ?
2. Are there "legitimate" reasons that these headers may differ (I don't
want to trigger false positives).
Any help or pointers would be appreciated.
Larry G. Starr - larrys at fullcompass.com or starrl at globaldialog.com
Software Engineer: Full Compass Systems LTD.
Phone: 608-831-7330 x 1347 FAX: 608-831-6330
There are only three sports: bullfighting, mountaineering and motor
racing, all the rest are merely games! - Ernest Hemingway
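
The checks the post asks about, sketched as an added example (not part of the original message and not MIMEDefang code). `check_sender`, `domain_of` and `LOCAL_DOMAINS` are hypothetical names, and the input is assumed to be the message as received, before the MTA qualifies a bare header address with the local domain.

```python
from email import message_from_string
from email.utils import getaddresses

LOCAL_DOMAINS = {"mydomain.com"}  # assumption: domains this site receives mail for

# Constructed sample, modelled on the message described in the post.
SAMPLE = (
    "From: rob76-5-82-245-93-7.fbx.proxad.net\n"
    "Subject: constructed sample\n"
    "\n"
    "body\n"
)


def domain_of(addr):
    """Return the lower-cased domain of an address, or '' if it has none."""
    addr = addr.strip().strip("<>")
    return addr.rpartition("@")[2].lower() if "@" in addr else ""


def check_sender(envelope_from, raw_message, relay_is_external=True):
    """Compare the envelope sender with each header From address.

    Returns a list of finding names; an empty list means nothing was flagged.
    """
    findings = []
    msg = message_from_string(raw_message)
    env_dom = domain_of(envelope_from)
    for _name, addr in getaddresses(msg.get_all("From", [])):
        hdr_dom = domain_of(addr)
        if not hdr_dom:
            # A bare token: the MTA would append the local domain on delivery,
            # so a later "claims to be from my domain" test on the envelope
            # sender never sees it.
            findings.append("unqualified-header-from")
        elif relay_is_external and hdr_dom in LOCAL_DOMAINS:
            findings.append("external-claims-local-domain")
        elif hdr_dom != env_dom:
            # Weak signal only: score it, do not reject on it.
            findings.append("envelope-header-domain-differ")
    return findings


if __name__ == "__main__":
    print(check_sender("<cartridges@00inkjets.com>", SAMPLE))
```

The last finding is informational: mailing-list and forwarded mail routinely carry an envelope sender whose domain differs from the header From.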