OK...I think I have an idea...tell me if this sounds like it will work...as
a couple others have said, I can whitelist just my IP range and not the
domain name.  That will let stuff from my users to my users pass but only if
it's via MY server.

And to handle the part about the BOUNCE messages going to my users when the
spammer spoofed one of my addresses, I will set up an IMail rule to send
those bounces to NUL since the rules only filter incoming messages.  I can
base it on a specific text string from one of my BOUNCE messages.

Does this sound like it will work?  Anything I'm missing?

--Todd.


----- Original Message -----
From: "Todd Ryan" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Tuesday, June 18, 2002 9:21 AM
Subject: Re: [Declude.JunkMail] Spam from 'myself'


> I just got a similar report from one of my users.  And it DID fail various
> tests that would have triggered BOUNCE if I didn't have my local server and
> domain WHITELISTed.
>
> I'm not sure how to proceed.  If I take my own server and domain out of the
> whitelist and these messages come through, my user is going to get the
> BOUNCE message since her email address was in the SMTP envelope as the FROM
> address.  I would prefer this to NOT happen.  Is there any way around this?
> Is it possible to either set the action to HOLD instead of BOUNCE only if
> the sender's address is local?  For our users' comfort level I prefer to
> continue to use the BOUNCE action.  My users feel better about the filtering
> if they know any erroneously caught email will result in the sender being
> notified that their message was not delivered rather than going into the bit
> bucket or held indefinitely.
>
> Any other ideas I'm missing about how to filter the messages with the local
> FROM address and NOT send them BOUNCE messages if they fail?
>
> BTW-This is in an academic faculty/staff setting so the risk of my users
> really sending spam is near 0%.  This is why I whitelist local addresses.
>
> Thanks!
>
> --Todd.
>
>
>
> ----- Original Message -----
> From: "R. Scott Perry" <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Sent: Monday, June 17, 2002 7:16 PM
> Subject: Re: [Declude.JunkMail] Spam from 'myself'
>
>
> >
> > >My boss received this spam, which shows FROM as the alias to his address.
> > >Are spammers doing something similar to viruses and grabbing locally held
> > >addresses? Is this a fluke? Is it a way for spam to get through certain
> > >filters? Oddly enough, the message did not fail any spam tests but that's
> > >a secondary issue here.
> > >
> > >Any explanation for the FROM?
> >
> > That is something that some spammers do.  Typically what happens is that
> > they set the From: header to one of the 20-or-so E-mail addresses in the
> > batch that they are sending to, so one out of the 20 will see their address
> > in the From: header, and the other 19 will see an address that may be
> > similar to theirs (or not).  It does increase the chances that the E-mail
> > will be delivered, as people sometimes whitelist mail from users on their
> > domain.
> >
> > >Received: from $domain [203.149.198.189] by mailhost.bookmans.com
> > >(SMTPD32-6.04) id AA1CF4E50064; Sat, 15 Jun 2002 12:48:44 -0700
> >
> > Note that 203.149.198.189 is listed in SPAMCOP and DSBL (and a couple others).
> >                         -Scott
> >
> > ---
> > [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]
> >
> > ---
> >
> > This E-mail came from the Declude.JunkMail mailing list.  To
> > unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
> > type "unsubscribe Declude.JunkMail".  You can E-mail
> > [EMAIL PROTECTED] for assistance.  You can visit our web
> > site at http://www.declude.com .
> >
>
>
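
The policy proposed at the top of this message (whitelist by connecting IP range rather than by domain, and send no bounce when a failing message from outside claims a local sender), sketched as an added example that is not part of the original thread and is not Declude or IMail configuration. The 192.0.2.0/24 range, the example.edu domain, the second header and the action names are assumptions made for illustration.

```python
import ipaddress
import re

# Assumed site values (not from the thread): the mail server's own IP range and domain.
LOCAL_NETS = [ipaddress.ip_network("192.0.2.0/24")]
LOCAL_DOMAINS = {"example.edu"}

# Received header as quoted in the thread (spam relayed from an outside host).
SPOOFED_HDR = ("Received: from $domain [203.149.198.189] by mailhost.bookmans.com "
               "(SMTPD32-6.04) id AA1CF4E50064; Sat, 15 Jun 2002 12:48:44 -0700")
# Constructed header for a message submitted from inside the assumed local range.
LOCAL_HDR = "Received: from pc1 [192.0.2.25] by mail.example.edu (SMTPD32-6.04) id 1"

# Captures the bracketed peer address in "Received: from <helo> [a.b.c.d] by ...".
RECEIVED_IP = re.compile(
    r"^Received:\s+from\s+\S+\s+\[(\d{1,3}(?:\.\d{1,3}){3})\]\s+by\s", re.I)


def connecting_ip(received_header):
    """Return the peer IP recorded by our own server, or None if unparsable."""
    m = RECEIVED_IP.match(" ".join(received_header.split()))
    if not m:
        return None
    try:
        return ipaddress.ip_address(m.group(1))
    except ValueError:  # e.g. an octet above 255
        return None


def is_local_sender(envelope_from):
    """True when the envelope sender claims one of our domains."""
    return envelope_from.rpartition("@")[2].lower() in LOCAL_DOMAINS


def decide(received_header, envelope_from, failed_spam_tests):
    """Return DELIVER, BOUNCE or SUPPRESS_BOUNCE (hypothetical action names)."""
    ip = connecting_ip(received_header)
    # Whitelist on where the connection came from, never on the claimed address.
    if ip is not None and any(ip in net for net in LOCAL_NETS):
        return "DELIVER"
    if not failed_spam_tests:
        return "DELIVER"
    # Outside IP plus a local envelope sender means the address was spoofed:
    # a bounce would land on an innocent local user, so none is sent.
    if is_local_sender(envelope_from):
        return "SUPPRESS_BOUNCE"
    return "BOUNCE"
```
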
