Ah... you're confusing the "sender" address with the "From" address. The sender address is what appears in the logs. The From address is what appears in the message headers and is also what you see in your mail client. The two are completely separate and spammers usually supply different (bogus) values for them.
To block both of the examples you gave, add these lines to your sender-blacklist-file (not your header-blacklist-file):

@brewster.com
@nice.com

That should do it! More info here:
http://www.spamdyke.org/documentation/README.html#REJECTING_SENDERS

-- Sam Clippinger

On Dec 29, 2015, at 11:54 PM, Philip Rhoades via spamdyke-users <email@example.com> wrote:

> People,
>
> I thought of starting a new thread but the question relates to this
> discussion so I thought I would revive it - see inline comments:
>
>
> On 2015-06-21 04:57, Philip Rhoades via spamdyke-users wrote:
>> Sam,
>> On 2015-06-21 03:12, Sam Clippinger via spamdyke-users wrote:
>>> Regex support is on the (rather lengthy) to-do list, but frankly it's
>>> not a very high priority -- there's a lot of low-hanging fruit that
>>> would be of much more benefit right now. Plus, since I'm not one of
>>> the 10 people in the world who completely understands regexes, I doubt
>>> I would actually use them myself; I'd rather add globbing support,
>>> which I do understand. :)
>> OK, no worries - SD is going well so far so I may not need some of the
>> mechanisms that I used in my own setup - we'll see how things go.
>>> spamdyke's header filter runs at connection time, as all of its
>>> filters do. If a header line matches a blacklisted pattern, the entire
>>> message is rejected (the sending server receives an error code, qmail
>>> never sees the message).
>> Right - thanks for the clarification.
>
>
> One annoying spammer continues to get their mail through but I don't
> understand why - my header-blacklist-file includes these two lines in it:
>
> [FR][re][op][ml]*:*brewster.com*
> [FR][re][op][ml]*:*nice.com*
>
> but the first one works and the second one doesn't!:
>
> /var/log/maillog-20151230:Dec 29 17:08:43 prix spamdyke:
> DENIED_HEADER_BLACKLISTED from: smartdel...@brewster.com to:
> p...@pricom.com.au origin_ip: 184.108.40.206 origin_rdns:
> mail-183-234.mailgun.info auth: (unknown) encryption: (none) reason:
> /usr/local/bin/srejector2/spamdyke_blacklist_header.txt:11
>
> /var/log/maillog-20151230:Dec 29 17:08:00 prix spamdyke: ALLOWED from:
> support.a...@nice.com to: mailer-dae...@pricom.com.au origin_ip:
> 220.127.116.11 origin_rdns: mailil.nice.com auth: (unknown) encryption: (none)
> reason: 250_ok_1451369280_qp_15628
>
> I have even saved the file in vim a couple of times and restarted qmail a
> couple of times but no change in the behaviour - what could the explanation
> be?
>
> Thanks,
>
> Phil.
>
>
>>> On Jun 19, 2015, at 9:09 PM, Philip Rhoades via spamdyke-users
>>> <firstname.lastname@example.org> wrote:
>>>> Sam,
>>>> See inline comments:
>>>> On 2015-06-20 11:53, Sam Clippinger via spamdyke-users wrote:
>>>>> You're correct, spamdyke does not support regexes for any of its
>>>>> options, but you can use a wildcard in a sender or recipient
>>>>> white/blacklist file to match entire domains by prefixing the line
>>>>> with an @ symbol. For example:
>>>>> @example.com
>>>> Yep, saw that - is it possible to support regexes in the future?
>>>>> Full documentation here:
>>>>> http://www.spamdyke.org/documentation/README.html#REJECTING_RECIPIENTS
>>>>>
>>>>>
>>>>> BUT! Be careful -- the "To" and "From" lines in the message header
>>>>> are not the same as the "sender" and "recipient". The sender and
>>>>> recipient are part of SMTP, the To and From lines are part of the
>>>>> message data and are completely unrelated. Think of it this way:
>>>>> when a letter is sent through the post office, the name on the
>>>>> outside of the envelope tells the postman which mailbox gets the
>>>>> envelope (or where to send it back to) but the top of the letter
>>>>> inside may have a completely unrelated letterhead and salutation.
>>>>> Whenever spamdyke's options/documentation refer to a "sender" or a
>>>>> "recipient", it means the name on the outside of the envelope. The
>>>>> user never sees those values in their mail client unless the sender
>>>>> chooses to use those values in the To and From fields. Spammers
>>>>> typically fake all sender/recipient/To/From fields, but other
>>>>> software does too for perfectly legitimate reasons (e.g. mailing
>>>>> lists, autoresponders).
>>>> Right.
>>>>> If you want to block based on the To and From lines the user sees
>>>>> in their mail client, you should look at spamdyke's header
>>>>> blacklist filter:
>>>>> http://www.spamdyke.org/documentation/README.html#HEADERS
>>>> In that case the mail has already been accepted? When I was using
>>>> the qmail-qfilter+Ruby script method - my understanding of it at
>>>> least - was that my Ruby script could process the header and body of
>>>> the email and exit with a particular error code if the mail was bad
>>>> and this would terminate the SMTP negotiation with that error
>>>> message (eg drop the mail silently). So in this case I was able to
>>>> look at all the header fields as well as the mail body and do
>>>> whatever I wanted before accepting the mail.
>>>>> Header filtering doesn't support regexes either, but it does use
>>>>> "globbing" to allow more wildcard options.
>>>> Right.
>>>> Thanks,
>>>> Phil.
>>>> On Jun 19, 2015, at 7:47 PM, Philip Rhoades via spamdyke-users
>>>> <email@example.com> wrote:
>>>> People,
>>>> As well as using GreyLite I have done my own thing for many years
>>>> with qmail-qfilter and a Ruby script (it started off as a Ruby
>>>> learning exercise . . ) - anyway for my white and black lists I was
>>>> able to have in the plain text files things like:
>>>> ad...@phillipsfinancial.com.au
>>>> administrator@(booksjournals.com (|.au)|(prix.|)pricom.com.au
>>>> |qps.com.au )
>>>> adwords-noreply
>>>> america.com
>>>> ecolife
>>>> where if any of those particular regexes appeared in the To: or
>>>> From: or whatever, they could be allowed or blocked or whatever - I
>>>> am guessing that eg the recipient-blacklist-file=FILE only allows
>>>> for full email addresses?
>>>> Thanks,
>>>> Phil.
>
> --
> Philip Rhoades
>
> PO Box 896
> Cowra NSW 2794
> Australia
> E-mail: p...@pricom.com.au
> _______________________________________________
> spamdyke-users mailing list
> firstname.lastname@example.org
> http://www.spamdyke.org/mailman/listinfo/spamdyke-users
_______________________________________________
spamdyke-users mailing list
email@example.com
http://www.spamdyke.org/mailman/listinfo/spamdyke-users
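
An added illustration of the envelope-sender versus From-header distinction in the reply above (not part of the original thread and not spamdyke's code). The blacklist entries are the ones quoted in the thread; the two SMTP sessions, their local parts and the second message's From header are constructed assumptions, and Python's fnmatch stands in for spamdyke's globbing.

```python
import fnmatch
from email import message_from_string

# Blacklist entries quoted in the thread.
SENDER_BLACKLIST = ["@brewster.com", "@nice.com"]
HEADER_BLACKLIST = ["[FR][re][op][ml]*:*brewster.com*",
                    "[FR][re][op][ml]*:*nice.com*"]

# Constructed sessions: (MAIL FROM argument, message data). The local parts,
# the recipient and the second message's From header are assumptions.
SESSIONS = {
    "brewster": ("<bulk@brewster.com>",
                 "From: Deals <bulk@brewster.com>\n"
                 "To: user@recipient.example\nSubject: offer\n\nbody\n"),
    "nice": ("<bounce@nice.com>",
             "From: Support <support@other.example>\n"
             "To: user@recipient.example\nSubject: survey\n\nbody\n"),
}


def envelope_sender(mail_from_arg):
    """Address given in the SMTP MAIL FROM command (the log's 'from:' field)."""
    return mail_from_arg.strip().strip("<>").lower()


def sender_blacklisted(sender, entries=SENDER_BLACKLIST):
    """Simplified model: '@domain' matches every address at that domain."""
    domain = sender.rpartition("@")[2]
    return any(e.lower() in ("@" + domain, sender) for e in entries)


def header_blacklisted(data, patterns=HEADER_BLACKLIST):
    """Glob every 'Name: value' header line against the header patterns."""
    msg = message_from_string(data)
    lines = [f"{name}: {value}" for name, value in msg.items()]
    return any(fnmatch.fnmatchcase(l, p) for l in lines for p in patterns)


def verdicts(key):
    """Which of the two filters would reject the constructed session."""
    mail_from, data = SESSIONS[key]
    return {"sender": sender_blacklisted(envelope_sender(mail_from)),
            "header": header_blacklisted(data)}


if __name__ == "__main__":
    for key in SESSIONS:
        print(key, verdicts(key))
```

In the second session the header patterns never see nice.com because it appears only in the envelope, which is why the sender blacklist is the filter that catches it.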