Here is a filter that I use that's pretty successful for me. Now I'm a company so I can penalize on things an ISP can't, so buyer beware.
The logic is to end if the body contains a reference (IP or name) to a legit email server of mine or someone who can send from my email server. So legit bounces should go through fine.
Or to end if it doesn't have "Received: from" in the body (which most rejections do have).
Or to end if it isn't from a postmaster (mailfrom-postmaster test).

I then throw on 100 points from mailfrom-postmaster test as a minimum. (100 is subject tag, 200 hold, 300 delete).
Add in weight to cancel a mxrate-whitelist result
Add in moderate weight if there was a graphic/pdf
Add in moderate weight for some common spammy phrases
Add in heavy weight for some users who shouldn't be sending email (groups, dead users)
Add in a little weight for some delivery failure terms
Add in heavy weight if the body has an Xmailer header for an email client we don't use.

# Combo Test to punish those that come from a Postmaster and not bounces from us?
SKIPIFWEIGHT 365

# valid bounces should have this
BODY END CONTAINS imail.farmprogress.com
BODY END CONTAINS avsmtp.farmprogress.com
BODY END CONTAINS 65.118.31.132
BODY END CONTAINS 65.118.31.140
HELO END IS oxcyon13
BODY END CONTAINS Received: from oxcyon13
BODY END NOTCONTAINS Received: from
TESTSFAILED END NOTCONTAINS MAILFROM-POSTMASTER
TESTSFAILED 100 CONTAINS MAILFROM-POSTMASTER

# reverse white test
TESTSFAILED 15 CONTAINS MXRATE-WHITE-LAST

# more pain for graphics
TESTSFAILED 50 CONTAINS ATTACHMENT-GRAPHIC
BODY 25 CONTAINS application/pdf

# commons spammy things
BODY 50 CONTAINS *SPAM*
BODY 50 CONTAINS * SPAM *
BODY 75 CONTAINS Subject: RE: Hot Stock
BODY 75 CONTAINS Subject: Drugz Shop
BODY 75 CONTAINS Subject: meds Shop
BODY 75 CONTAINS Subject: RE: MedHelp
BODY 75 CONTAINS Subject: Online Med

# shouldn't be sending so punish
ALLRECIPS 100 CONTAINS [EMAIL PROTECTED]

BODY 25 CONTAINS Delivery to the following recipients failed
BODY 25 CONTAINS No such user
BODY 25 CONTAINS too many connections
BODY 25 CONTAINS Recipient unknown
BODY 25 CONTAINS Message content rejected
BODY 25 CONTAINS contains a virus
BODY 25 CONTAINS mailfolder is over the allowed quota
BODY 25 CONTAINS Message could not be delivered to mailer
BODY 25 CONTAINS mailbox exceeds allowed size
BODY 25 CONTAINS mail adress you entered is invalid
BODY 25 CONTAINS Spam Blocked
BODY 25 CONTAINS announcement-only group
BODY 25 CONTAINS User unknown

BODY 100 CONTAINS X-Mailer: Microsoft Outlook Express 5
BODY 50 CONTAINS X-Mailer: Microsoft Outlook Express 6
BODY 100 CONTAINS X-Mailer: The Bat!
BODY 100 CONTAINS X-Mailer: Lotus Notes
BODY 100 CONTAINS X-Mailer: Internet Mail Service
BODY 100 CONTAINS X-Mailer: Novell GroupWise

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kevin Stanford
Sent: Thursday, September 27, 2007 8:50 AM
To: declude.junkmail@declude.com
Subject: [Declude.JunkMail] Postmaster Spoofed Returns

Does anyone have any suggestions on how to stop returned email on spoofed email addresses for our domain? I was going to set up a rule but it would catch good and bad alike...

Thanks,
Kevin

---
This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com.
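
Added example, not part of the original post and not Declude code: a simplified Python model of the ordering the filter above describes (three END checks, then a 100-point minimum plus extra weight), run over two constructed messages. The server names, the shortened term lists and the is_postmaster() rule (null sender, postmaster@ or mailer-daemon@) are assumptions made for illustration.

```python
# Simplified model of the filter's ordering; not Declude syntax or code.
OWN_SERVERS = ("mail.example.com", "192.0.2.10")   # constructed placeholders
FAILURE_TERMS = ("user unknown", "no such user", "recipient unknown")
FOREIGN_MAILERS = ("x-mailer: the bat!", "x-mailer: lotus notes")
ACTIONS = ((300, "delete"), (200, "hold"), (100, "tag subject"))


def is_postmaster(mail_from):
    # Assumption: null sender, postmaster@ or mailer-daemon@ counts as postmaster.
    local = mail_from.strip("<>").split("@", 1)[0].lower()
    return local in ("", "postmaster", "mailer-daemon")


def score(mail_from, body):
    """Return (weight this filter adds, reason); 0 means an END rule fired."""
    text = body.lower()
    if any(s in text for s in OWN_SERVERS):
        return 0, "END: body names our own mail server"
    if "received: from" not in text:
        return 0, "END: no embedded Received: header"
    if not is_postmaster(mail_from):
        return 0, "END: not from a postmaster"
    weight = 100  # minimum once all three END checks are passed
    weight += 25 * sum(term in text for term in FAILURE_TERMS)
    weight += 100 * any(m in text for m in FOREIGN_MAILERS)
    return weight, "scored as probable backscatter"


def action(weight):
    # Thresholds from the post: 100 subject tag, 200 hold, 300 delete.
    return next((name for limit, name in ACTIONS if weight >= limit), "deliver")


# Constructed samples: a bounce of mail we really sent, and backscatter.
REAL_BOUNCE = ("postmaster@partner.example",
               "User unknown\nReceived: from mail.example.com by mx.partner.example")
BACKSCATTER = ("<>",
               "User unknown\nReceived: from dsl-host.example by mx.remote.example\n"
               "X-Mailer: The Bat! 3.0")

if __name__ == "__main__":
    for sender, body in (REAL_BOUNCE, BACKSCATTER):
        w, why = score(sender, body)
        print(f"{sender!r}: weight={w} action={action(w)} ({why})")
```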