We are receiving thousands of NDR messaages daily due to some spammer forging
his message headers with our mail server name and IP address,
'ns3.fastwave.net' and '[207.212.80.137]' (below - note, it is not an IMail
header):
Received: (from [EMAIL PROTECTED]) by mailgate3.nec.co.jp
(8.11.7/3.7W-MAILGATE-NEC)
id iABBF0N18133 for [EMAIL PROTECTED]; Thu, 11 Nov 2004 20:15:00 +0900
(JST)
Received: from no-wucking-furries.com ([211.223.136.240])
by TYO205.gate.nec.co.jp (8.11.7/3.7W01080315) with SMTP id iABBEtF01977
for <[EMAIL PROTECTED]>; Thu, 11 Nov 2004 20:14:56 +0900 (JST)
Received: from fastwave.net (ns3.fastwave.net [207.212.80.137])
by no-wucking-furries.com (Postfix) with ESMTP id D2C16DA045
for <[EMAIL PROTECTED]>; Thu, 11 Nov 2004 05:13:08 -0600
Our customers who are targeted to receive the NDRs are complaining, and my
first attempt at writing a JunkMail filter to (temporarily, at least) trap
these NDRs has failed (it doesn't seem to be working). I want to trap on the
'From:' line, since that seems to be the most commom element in all the NDRs:
From: Mail Delivery Subsystem <[EMAIL PROTECTED]>
From: [EMAIL PROTECTED] (Mail Delivery System)
From: Mail Administrator <[EMAIL PROTECTED]>
From: [EMAIL PROTECTED]
etc.
So, I created a filter called JOEJOBNDR that contains the following:
MAILFROM 0 CONTAINS MAILER-DAEMON
MAILFROM 0 CONTAINS postmaster
MAILFROM 0 CONTAINS Barracuda Spam Firewall
MAILFROM 0 CONTAINS mailmaster
MAILFROM 0 CONTAINS automated-response
with the 'global.cfg' and '$default$.junkmail' files containing (respectively):
JOEJOBNDR filter C:\IMail\Declude\Filters\JoeJob.txt x 25 0
JOEJOBNDR WARN
Can someone tell me why the filter is not working? Also, I am open to any other
methods or suggestions for getting the job done.
Thanks in advance,
Kim Premuda
FastWave
San Diego, CA
--
Kim W. Premuda
FastWave Internet Services
San Diego, CA
--
---
[This E-mail scanned for viruses by Declude Virus]
---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]
---
This E-mail came from the Declude.JunkMail mailing list. To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail". The archives can be found
at http://www.mail-archive.com.