RE: [Declude.JunkMail] blocking spam faked as coming from local a ddress

[Colbeck, Andrew]

Title: Message

According to external DNS, you only have one mail host.    For starters, you can whitelist your own IP.  And if that server is the only machine of yours that is going to identify itself as wcnet.net,   HELO 20 ENDSWITH wcnet.net   should do nicely until someone called mail.newcnet.net tries to send mail to you*   And while you're at it, you can also do this:   HELO 20 CONTAINS 68.89.56.16   because I'm seeing spammers trying to get around *somebody's* filters by stuffing the destination MX address with their HELO name.   The important thing here is to know your network.  For example, if you relay mail for, say, web.wcnet.net then you would have to either whitelist that IP or 'cancel out' my first example with:   HELO -20 ENDSWITH web.wcnet.net   I do this for neatness, even if I'm whitelisting.  It makes the total weight in the declude log look right.   * p.s. Does anybody know if HELO etc matches for :       .example.org     example.org   are equivalent if the hostname is null? -----Original Message----- From: Glenn \ WCNet [mailto:[EMAIL PROTECTED] Sent: Friday, September 19, 2003 10:23 AM To: [EMAIL PROTECTED] Subject: [Declude.JunkMail] blocking spam faked as coming from local address How do I reliably block this kind of thing?  Can my own domain be added to the SpamDomains list?  I've replaced the recipient address with [local-user] in the headers below, but it was the same valid local user account on all parameters.  138.89.104.227 is not one of my IPs.   Glenn Z.     Received: from wcnet.net [138.89.104.227] by wcnet.net with ESMTP (SMTPD32-7.15) id 04542B014C; Thu, 18 Sep 2003 23:04:21 -0500 Received: from kennedy-henry [192.168.1.101] by wcnet.net with MailMXPro2(2195.5631); Fri, 19 Sep 2003 00:04:20 -0400 Message-ID: <[EMAIL PROTECTED]> From: "jenna henny" <[EMAIL PROTECTED]> To: <[local-user]@wcnet.net> Subject: Spam (10) - Don't wait for rates to climb back up Date: Fri, 19 Sep 2003 00:04:20 -0400 MIME-Version: 1.0 Content-Type: text/html; charset="ISO-8859-1" X-Priority: 3 X-Mailer: mailer Return-Path: [local-user]@wcnet.net Abuse2-Tracking: <Z2xlbm5jbXpAd2NuZXQubmV0> X-Declude-Sender: [local-user]@wcnet.net [138.89.104.227] X-Declude-Spoolname: D8045042b014c3731.SMD X-Note-In: This E-mail was scanned on MAIL1 by Declude JunkMail for evidence of spam. X-Spam-Tests-Failed-In: SPAMCOP, IPNOTINMX, SNIFFER, WEIGHT10 X-Note-In: Total spam weight of this E-mail is 13. X-Note-In: This E-mail was sent from pool-138-89-104-227.mad.east.verizon.net ([138.89.104.227]) X-Note-In: SMTP Real From: [local-user]@wcnet.net X-RCPT-TO: <[local-user]@wcnet.net> Status: R X-Mozilla-Status: 0000 X-Mozilla-Status2: 00000000 X-UIDL: 8400