We are receiving thousands of NDR messaages daily due to some spammer forging 
his message headers with our mail server name and IP address, 
'ns3.fastwave.net' and '[207.212.80.137]' (below - note, it is not an IMail 
header):

   Received: (from [EMAIL PROTECTED]) by mailgate3.nec.co.jp 
(8.11.7/3.7W-MAILGATE-NEC)
        id iABBF0N18133 for [EMAIL PROTECTED]; Thu, 11 Nov 2004 20:15:00 +0900 
(JST)
   Received: from no-wucking-furries.com ([211.223.136.240])
        by TYO205.gate.nec.co.jp (8.11.7/3.7W01080315) with SMTP id iABBEtF01977
        for <[EMAIL PROTECTED]>; Thu, 11 Nov 2004 20:14:56 +0900 (JST)
   Received: from fastwave.net (ns3.fastwave.net [207.212.80.137])
        by no-wucking-furries.com (Postfix) with ESMTP id D2C16DA045
        for <[EMAIL PROTECTED]>; Thu, 11 Nov 2004 05:13:08 -0600


Our customers who are targeted to receive the NDRs are complaining, and my 
first attempt at writing a JunkMail filter to (temporarily, at least) trap 
these NDRs has failed (it doesn't seem to be working). I want to trap on the 
'From:' line, since that seems to be the most commom element in all the NDRs:

   From: Mail Delivery Subsystem <[EMAIL PROTECTED]>
   From: [EMAIL PROTECTED] (Mail Delivery System)
   From: Mail Administrator <[EMAIL PROTECTED]>
   From: [EMAIL PROTECTED]
   etc.

So, I created a filter called JOEJOBNDR that contains the following:

   MAILFROM     0       CONTAINS        MAILER-DAEMON
   MAILFROM     0       CONTAINS        postmaster
   MAILFROM     0       CONTAINS        Barracuda Spam Firewall
   MAILFROM     0       CONTAINS        mailmaster
   MAILFROM     0       CONTAINS        automated-response

with the 'global.cfg' and '$default$.junkmail' files containing (respectively):

   JOEJOBNDR  filter  C:\IMail\Declude\Filters\JoeJob.txt  x  25  0

   JOEJOBNDR  WARN

Can someone tell me why the filter is not working? Also, I am open to any other 
methods or suggestions for getting the job done.

Thanks in advance,

Kim Premuda
FastWave
San Diego, CA


--
Kim W. Premuda
FastWave Internet Services
San Diego, CA

--
---
[This E-mail scanned for viruses by Declude Virus]

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail".  The archives can be found
at http://www.mail-archive.com.

Reply via email to