One user on my server has attracted the attention of a spammer who seems
to use a very particular pattern for their sporged 'From' addresses. The
relevant lines in the log look like:

 spamdyke[14011]: ALLOWED from: spamtopic-user=mydomain....@spamdomain.com
 to: u...@mydomain.com origin_ip ...

'spamdomain.com' and 'spamtopic' change continuously, so I can't block on
those. However, the pattern of what I take to be the envelope sender can
always be captured with:

   [a-z]+-user=mydomain.com@[a-z-]+\.[a-z]{2,}

I believe that no legitimate message should ever match that pattern.

I don't have any samples of the spammy messages themselves, which are
forwarded offsite (this is why I want to kill them: they're forwarded to a
Gmail address, and Gmail gets cranky if you send it too much spam). So I
don't know if that same bogus address is also used in the 'From' header.

I know that header blacklists support wildcards; I don't think that sender
blacklists do. But I suspect that the envelope sender isn't counted as a
'header'.

Is there a way I can use spamdyke to filter these messages?

Thanks in advance for any tips or suggestions.

Angus
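
Added example, not part of the original post: a Python audit that runs the pattern from the message over spamdyke log lines, so the matching envelope senders can be reviewed before anything is blocked. The sample log lines, IP addresses and the `audit` and `recipients_hit` helpers are constructed for illustration; the only changes to the pattern are escaping the dot in the local domain and anchoring it at the start of the sender.

```python
import re
from collections import Counter

LOCAL_DOMAIN = "mydomain.com"  # placeholder domain, as written in the post

# The post's pattern with the local domain escaped, so "." cannot match any
# character. The tail is left open, as in the post.
SENDER_RE = re.compile(
    r"[a-z]+-user=" + re.escape(LOCAL_DOMAIN) + r"@[a-z-]+\.[a-z]{2,}"
)

# Result, envelope sender and recipient from a log line of the shape quoted
# in the post: "spamdyke[pid]: RESULT from: <sender> to: <rcpt> ...".
LOG_RE = re.compile(
    r"spamdyke\[\d+\]: (?P<result>[A-Z_]+) from: (?P<sender>\S+) to: (?P<rcpt>\S+)"
)

def audit(lines):
    """Split parsed log entries into (matches, others) by envelope sender."""
    matches, others = [], []
    for line in lines:
        m = LOG_RE.search(line)
        if m is None:
            continue  # not a spamdyke delivery line
        entry = (m["result"], m["sender"], m["rcpt"])
        # re.match anchors at the start of the sender address.
        (matches if SENDER_RE.match(m["sender"]) else others).append(entry)
    return matches, others

def recipients_hit(matches):
    """Count matching messages per recipient."""
    return Counter(rcpt for _, _, rcpt in matches)

# Constructed sample lines (documentation IP ranges, made-up senders).
SAMPLE_LOG = [
    "mx spamdyke[14011]: ALLOWED from: pills-user=mydomain.com@spam-one.com to: user@mydomain.com origin_ip: 192.0.2.10",
    "mx spamdyke[14012]: ALLOWED from: watches-user=mydomain.com@other-spam.net to: user@mydomain.com origin_ip: 192.0.2.11",
    "mx spamdyke[14013]: ALLOWED from: alice@example.org to: bob@mydomain.com origin_ip: 198.51.100.7",
    # Matches only if the dot in the local domain is left unescaped.
    "mx spamdyke[14014]: ALLOWED from: news-user=mydomainxcom@example.net to: user@mydomain.com origin_ip: 198.51.100.8",
    "mx qmail: status: local 0/10 remote 0/20",
]

if __name__ == "__main__":
    hits, rest = audit(SAMPLE_LOG)
    for result, sender, rcpt in hits:
        print(f"{result}\t{sender}\t-> {rcpt}")
    print(dict(recipients_hit(hits)), f"{len(rest)} non-matching deliveries")
```
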


_______________________________________________
spamdyke-users mailing list
spamdyke-users@spamdyke.org
http://www.spamdyke.org/mailman/listinfo/spamdyke-users
