OK, below I have included the headers for an e-mail that one of my users forwarded to me. I have removed the username...
>From <[EMAIL PROTECTED]> Fri Feb 28 00:58:23 2003
This is one option that you can filter on -- [EMAIL PROTECTED] is the return address of the E-mail. The advantage of filtering on this is that any E-mail from this address will then get caught. The disadvantages are that the spammer can send from another address (which wouldn't get caught), and that the return address could be a legitimate user's address that the spammer used without permission (but it is unlikely that the person whose address was used would be sending you E-mail).
Received: from mdkpower.dkpower.com [211.241.219.3] by pagerover.com with ESMTP
(SMTPD32-6.06) id AA7C27540134; Fri, 28 Feb 2003 00:58:20 -0500
The primary other option is to block the E-mail based on the IP address (211.241.219.3, from the top Received: header). The advantage of this is that you will block any E-mail that the spammer sends from that IP, regardless of the return address they use. However, the disadvantage is that spammers will often use open relays, and switch from one to another fairly often (and other spammers have 100s or 1,000s of compromised computers that they can send from, each with a different IP).
You can also try setting up a filter based on other parts of the E-mail. For example, at least one of our customers has a filter file that contains the line "SUBJECT 3 ISBLANK", which would add 3 to the weight of the E-mail if the subject was blank (as is the case here).
-Scott
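The three tests discussed in this message (return address, IP from the top Received: header, blank subject), combined into one weighted score. This is an added Python example, not part of the original post and not Declude's own code or filter syntax; the sender address, the second Received: line, and every weight except the 3 for a blank subject are assumptions.

```python
import email
import re
from email import policy

# Constructed sample modelled on the quoted headers. The sender address is a
# placeholder (the original was redacted); the second Received: line is invented.
SAMPLE = (
    "From sender@example.invalid Fri Feb 28 00:58:23 2003\r\n"
    "Received: from mdkpower.dkpower.com [211.241.219.3] by pagerover.com with ESMTP\r\n"
    "  (SMTPD32-6.06) id AA7C27540134; Fri, 28 Feb 2003 00:58:20 -0500\r\n"
    "Received: from unknown [10.0.0.5] by mdkpower.dkpower.com; Fri, 28 Feb 2003 00:58:01 -0500\r\n"
    "Subject: \r\n"
    "\r\n"
    "body\r\n"
)

BLOCKED_SENDERS = {"sender@example.invalid"}
BLOCKED_IPS = {"211.241.219.3"}
# blank_subject=3 mirrors "SUBJECT 3 ISBLANK"; the other weights are assumed.
WEIGHTS = {"sender": 5, "ip": 5, "blank_subject": 3}

ADDR_RE = re.compile(r"[\w.+-]+@[\w.-]+")
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def envelope_sender(msg):
    """Return address from the mbox 'From ' line, else Return-Path."""
    m = ADDR_RE.search(msg.get_unixfrom() or msg.get("Return-Path", ""))
    return m.group(0).lower() if m else None

def connecting_ip(msg):
    """IP in the top Received: header only. That line is written by the
    receiving server; lower ones come from earlier hops and can be forged."""
    received = msg.get_all("Received") or []
    m = IP_RE.search(received[0]) if received else None
    return m.group(1) if m else None

def score(raw):
    """Return (total weight, list of tests that fired) for one raw message."""
    msg = email.message_from_string(raw, policy=policy.default)
    hits = []
    if envelope_sender(msg) in BLOCKED_SENDERS:
        hits.append("sender")
    if connecting_ip(msg) in BLOCKED_IPS:
        hits.append("ip")
    if not (msg.get("Subject") or "").strip():
        hits.append("blank_subject")
    return sum(WEIGHTS[h] for h in hits), hits

if __name__ == "__main__":
    print(score(SAMPLE))
```

Changing the sender address and the relay IP in the sample leaves only the blank-subject test firing, which is the weakness of address and IP lists described above.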
