If you look at the envelope sender, these are usually <>.
MAILFROM 1 IS  <>

Of course, you'll be killing off legit bounces too...

Below is a link to a discussion I had where my e-mail address was being
Joe-jobbed.
Looking at the e-mail's, they fake a from address similiar to "Heavenly
Helper" [EMAIL PROTECTED]
So I use a filter similiar to the:
ALLRECIPS END NOTCONTAINS sfisher@
MINWEIGHTTOFAIL 1
BODY  END CONTAINS Scott Fisher
BODY  1 CONTAINS a" [EMAIL PROTECTED]
BODY  1 CONTAINS b" [EMAIL PROTECTED]
and so on to z"...

I still get out of office, over quota and challenge and response type
bounces. But I've cut out 90-95% without chopping out legit bounces.

Below is a link to a discussion I had where my e-mail address was being
Joe-jobbed.
http://www.mail-archive.com/[email protected]/msg21907.html


----- Original Message ----- 
From: "Kim Premuda" <[EMAIL PROTECTED]>
To: "Declude JunkMail Forum" <[EMAIL PROTECTED]>
Sent: Thursday, November 11, 2004 9:38 AM
Subject: [Declude.JunkMail] Need NDR Filter Help


> We are receiving thousands of NDR messaages daily due to some spammer
forging his message headers with our mail server name and IP address,
'ns3.fastwave.net' and '[207.212.80.137]' (below - note, it is not an IMail
header):
>
>    Received: (from [EMAIL PROTECTED]) by mailgate3.nec.co.jp
(8.11.7/3.7W-MAILGATE-NEC)
>    id iABBF0N18133 for [EMAIL PROTECTED]; Thu, 11 Nov 2004
20:15:00 +0900 (JST)
>    Received: from no-wucking-furries.com ([211.223.136.240])
> by TYO205.gate.nec.co.jp (8.11.7/3.7W01080315) with SMTP id iABBEtF01977
> for <[EMAIL PROTECTED]>; Thu, 11 Nov 2004 20:14:56 +0900 (JST)
>    Received: from fastwave.net (ns3.fastwave.net [207.212.80.137])
> by no-wucking-furries.com (Postfix) with ESMTP id D2C16DA045
> for <[EMAIL PROTECTED]>; Thu, 11 Nov 2004 05:13:08 -0600
>
>
> Our customers who are targeted to receive the NDRs are complaining, and my
first attempt at writing a JunkMail filter to (temporarily, at least) trap
these NDRs has failed (it doesn't seem to be working). I want to trap on the
'From:' line, since that seems to be the most commom element in all the
NDRs:
>
>    From: Mail Delivery Subsystem <[EMAIL PROTECTED]>
>    From: [EMAIL PROTECTED] (Mail Delivery System)
>    From: Mail Administrator <[EMAIL PROTECTED]>
>    From: [EMAIL PROTECTED]
>    etc.
>
> So, I created a filter called JOEJOBNDR that contains the following:
>
>    MAILFROM 0 CONTAINS MAILER-DAEMON
>    MAILFROM 0 CONTAINS postmaster
>    MAILFROM 0 CONTAINS Barracuda Spam Firewall
>    MAILFROM 0 CONTAINS mailmaster
>    MAILFROM 0 CONTAINS automated-response
>
> with the 'global.cfg' and '$default$.junkmail' files containing
(respectively):
>
>    JOEJOBNDR  filter  C:\IMail\Declude\Filters\JoeJob.txt  x  25  0
>
>    JOEJOBNDR  WARN
>
> Can someone tell me why the filter is not working? Also, I am open to any
other methods or suggestions for getting the job done.
>
> Thanks in advance,
>
> Kim Premuda
> FastWave
> San Diego, CA
>
>
> --
> Kim W. Premuda
> FastWave Internet Services
> San Diego, CA
>
> --
> ---
> [This E-mail scanned for viruses by Declude Virus]
>
> ---
> [This E-mail was scanned for viruses by Declude Virus
(http://www.declude.com)]
>
> ---
> This E-mail came from the Declude.JunkMail mailing list.  To
> unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
> type "unsubscribe Declude.JunkMail".  The archives can be found
> at http://www.mail-archive.com.
>

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail".  The archives can be found
at http://www.mail-archive.com.

Reply via email to