I just got a similar report from one of my users. And it DID fail various tests that would have triggered BOUNCE if I didn't have my local server and domain WHITELISTed.
I'm not sure how to proceed. If I take my own server and domain out of the whitelist and these messages come through, my user is going to get the BOUNCE message since her email address was in the SMTP envelope as the FROM address. I would prefer this to NOT happen.

Is there any way around this? Is it possible to either set the action to HOLD instead of BOUNCE only if the sender's address is local? For our users' comfort level I prefer to continue to use the BOUNCE action. My users feel better about the filtering if they know any erroneously caught email will result in the sender being notified that their message was not delivered rather than going into the bit bucket or held indefinitely.

Any other ideas I'm missing about how to filter the messages with the local FROM address and NOT send them BOUNCE messages if they fail?

BTW - This is in an academic faculty/staff setting so the risk of my users really sending spam is near 0%. This is why I whitelist local addresses.

Thanks!
--Todd.

----- Original Message -----
From: "R. Scott Perry" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Monday, June 17, 2002 7:16 PM
Subject: Re: [Declude.JunkMail] Spam from 'myself'

> >My boss received this spam, which shows FROM as the alias to his address.
> >Are spammers doing something similar to viruses and grabbing locally held
> >addresses? Is this a fluke? Is it a way for spam to get through certain
> >filters? Oddly enough, the message did not fail any spam tests but that's
> >a secondary issue here.
> >
> >Any explanation for the FROM?
>
> That is something that some spammers do. Typically what happens is that
> they set the From: header to one of the 20-or-so E-mail addresses in the
> batch that they are sending to, so one out of the 20 will see their address
> in the From: header, and the other 19 will see an address that may be
> similar to theirs (or not). It does increase the chances that the E-mail
> will be delivered, as people sometimes whitelist mail from users on their
> domain.
>
> >Received: from $domain [203.149.198.189] by mailhost.bookmans.com
> >(SMTPD32-6.04) id AA1CF4E50064; Sat, 15 Jun 2002 12:48:44 -0700
>
> Note that 203.149.198.189 is listed in SPAMCOP and DSBL (and a couple others).
> -Scott
>
> ---
> [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]
>
> ---
>
> This E-mail came from the Declude.JunkMail mailing list. To
> unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
> type "unsubscribe Declude.JunkMail". You can E-mail
> [EMAIL PROTECTED] for assistance. You can visit our web
> site at http://www.declude.com .
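
The decision discussed in this thread, sketched as generic filter logic in Python; this is an added example, not part of the original messages and not Declude configuration. It whitelists by connecting IP instead of by sender address, and holds rather than bounces a failing message whose sender claims a local address. The domain `example.edu`, the network `192.0.2.0/24`, and the premise that genuine local mail always arrives from that network are assumptions.

```python
import ipaddress
import re
from email import message_from_string
from email.utils import parseaddr

LOCAL_DOMAINS = {"example.edu"}                      # assumption: our mail domain
LOCAL_NETS = [ipaddress.ip_network("192.0.2.0/24")]  # assumption: our own hosts

BRACKETED_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def relay_ip(msg):
    """Connecting IP from the topmost Received header (the one our server wrote)."""
    received = msg.get_all("Received") or []
    match = BRACKETED_IP.search(received[0]) if received else None
    try:
        return ipaddress.ip_address(match.group(1)) if match else None
    except ValueError:  # bracketed text that is not a valid address
        return None

def claims_local(address):
    """True if the address's domain is one of ours. This is trivially forged."""
    return parseaddr(address)[1].rpartition("@")[2].lower() in LOCAL_DOMAINS

def decide(raw_message, envelope_from, failed_tests):
    msg = message_from_string(raw_message)
    ip = relay_ip(msg)
    if ip is not None and any(ip in net for net in LOCAL_NETS):
        return "DELIVER"  # whitelisted by where it came from, not who it claims to be
    if not failed_tests:
        return "DELIVER"
    # Failed tests from an outside relay. Under the assumption above, a local
    # sender address here is forged, so a bounce would hit an innocent user.
    if claims_local(envelope_from) or claims_local(msg.get("From", "")):
        return "HOLD"
    return "BOUNCE"

def sample(ip, sender):
    """Constructed test message using the Received format quoted in the thread."""
    return (f"Received: from $domain [{ip}] by mailhost.example.edu\r\n"
            f"From: {sender}\r\nSubject: constructed sample\r\n\r\nbody\r\n")
```
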
