Make sure you DO NOT whitelist your own domain, IP address, the postmaster
or abuse email addresses.  Most of our "ignore" results for spam came when
one or more of these was whitelisted (especially postmaster or abuse -- real
mails never seem to have problems going there, but any spam that cc's the
postmaster or abuse mailboxes ends up getting whitelisted, causing huge
amounts to go thru if you don't remove those settings).

We block on HELO/EHLO with our domain name or IP and we also use the
spamdomains test to look for any email that pretends to be from "us" (our
domain name) and requires that the sending IP actually be listed with our
name (rather than whitelisting our domain). This also stopped a lot of spam
that used the HELO/EHLO or return address to pretend to be us.

So, in one filter file, we have (we hold at 15, the first two are our
address/name):

#       catch attempt to pretend to be us
HELO 15 CONTAINS staffingtech.com
HELO 15 CONTAINS 216.111.26.34
HELO 15 CONTAINS $domain
HELO  8    STARTSWITH [
REVDNS 5 ENDSWITH .in-addr.arpa
#       prevent false positives internally (usually due to
#       forwarding false positives to correct person)
REVDNS -100 CONTAINS staffingtech.com
#       mail servers with no real name
HELO  10  ENDSWITH  0
HELO  10  ENDSWITH  1
HELO  10  ENDSWITH  2
HELO  10  ENDSWITH  3
HELO  10  ENDSWITH  4
HELO  10  ENDSWITH  5
HELO  10  ENDSWITH  6
HELO  10  ENDSWITH  7
HELO  10  ENDSWITH  8
HELO  10  ENDSWITH  9
#       many spams with our name in the mailfrom also contain two asterisks,
#       never seen it in legit mail
mailfrom 15 contains **

The spamdomains filter file contains:

                staffingtech.com esper.com

amongst others (esper.com is our ISP, a small local company). For most
people, you would enter only your own domain name. In the global.cfg,
comment out the two suggested lines:

#WHITELIST TODOMAIN postmaster@
#WHITELIST TODOMAIN abuse@

If you are using AUTOWHITELIST ON, make sure users do not enter
[EMAIL PROTECTED] (for your or their domain) or their own email address in the
address book or all spam comes thru (been there, done that, was hard to
find).

I personally think a whitelist problem is biting you, as we have seen that
when IGNORE was the action.

Karen Oland

---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail".  The archives can be found
at http://www.mail-archive.com.
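
The whitelist check described in the post above can be automated. This is an added example, not part of the original message or of Declude itself. It assumes settings of the form "WHITELIST <type> <value>" with "#" comments; only TODOMAIN appears in the post, the FROM and IP types in the constructed sample are assumptions, and audit_whitelist is a hypothetical helper name.

```python
# Recipient prefixes the post says must never be whitelisted.
ROLE_PREFIXES = ("postmaster@", "abuse@")

# Constructed sample, not a real global.cfg. Only the TODOMAIN lines come
# from the post; the FROM and IP whitelist types are assumed.
SAMPLE_CFG = """\
# constructed sample configuration
AUTOWHITELIST ON
WHITELIST TODOMAIN postmaster@
#WHITELIST TODOMAIN abuse@
WHITELIST FROM @staffingtech.com
WHITELIST IP 216.111.26.34
WHITELIST FROM partner@example.org
"""


def audit_whitelist(cfg_text, own_domains, own_ips):
    """Return (line_no, line, reason) for each active setting worth reviewing."""
    domains = [d.lower() for d in own_domains]
    findings = []
    for no, raw in enumerate(cfg_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):  # commented-out lines are inactive
            continue
        parts = line.split()
        key = parts[0].upper()
        if key == "AUTOWHITELIST" and len(parts) > 1 and parts[1].upper() == "ON":
            findings.append((no, line, "address-book entries act as whitelists; "
                                       "check them for own-domain addresses"))
        elif key == "WHITELIST" and len(parts) >= 3:
            value = parts[2].lower()
            if value.startswith(ROLE_PREFIXES):
                findings.append((no, line, "role mailbox whitelisted; spam that "
                                           "cc's it bypasses filtering"))
            elif any(value == d or value.endswith("@" + d)
                     or value.endswith("." + d) for d in domains):
                findings.append((no, line, "own domain whitelisted; forged "
                                           "senders bypass filtering"))
            elif value in own_ips:
                findings.append((no, line, "own IP address whitelisted"))
    return findings


if __name__ == "__main__":
    for no, line, reason in audit_whitelist(
            SAMPLE_CFG, ["staffingtech.com"], ["216.111.26.34"]):
        print(f"line {no}: {line}\n    -> {reason}")
```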