If you look at the envelope sender, these are usually <>.

MAILFROM 1 IS <>

Of course, you'll be killing off legit bounces too...

Looking at the e-mails, they fake a From address similar to "Heavenly Helper" [EMAIL PROTECTED]

So I use a filter similar to this:

ALLRECIPS END NOTCONTAINS sfisher@
MINWEIGHTTOFAIL 1
BODY END CONTAINS Scott Fisher
BODY 1 CONTAINS a" [EMAIL PROTECTED]
BODY 1 CONTAINS b" [EMAIL PROTECTED]

and so on to z"...

I still get out of office, over quota and challenge and response type bounces. But I've cut out 90-95% without chopping out legit bounces.

Below is a link to a discussion I had where my e-mail address was being Joe-jobbed.
http://www.mail-archive.com/[email protected]/msg21907.html

----- Original Message -----
From: "Kim Premuda" <[EMAIL PROTECTED]>
To: "Declude JunkMail Forum" <[EMAIL PROTECTED]>
Sent: Thursday, November 11, 2004 9:38 AM
Subject: [Declude.JunkMail] Need NDR Filter Help

> We are receiving thousands of NDR messages daily due to some spammer forging his message headers with our mail server name and IP address, 'ns3.fastwave.net' and '[207.212.80.137]' (below - note, it is not an IMail header):
>
> Received: (from [EMAIL PROTECTED]) by mailgate3.nec.co.jp (8.11.7/3.7W-MAILGATE-NEC)
>     id iABBF0N18133 for [EMAIL PROTECTED]; Thu, 11 Nov 2004 20:15:00 +0900 (JST)
> Received: from no-wucking-furries.com ([211.223.136.240])
>     by TYO205.gate.nec.co.jp (8.11.7/3.7W01080315) with SMTP id iABBEtF01977
>     for <[EMAIL PROTECTED]>; Thu, 11 Nov 2004 20:14:56 +0900 (JST)
> Received: from fastwave.net (ns3.fastwave.net [207.212.80.137])
>     by no-wucking-furries.com (Postfix) with ESMTP id D2C16DA045
>     for <[EMAIL PROTECTED]>; Thu, 11 Nov 2004 05:13:08 -0600
>
> Our customers who are targeted to receive the NDRs are complaining, and my first attempt at writing a JunkMail filter to (temporarily, at least) trap these NDRs has failed (it doesn't seem to be working). I want to trap on the 'From:' line, since that seems to be the most common element in all the NDRs:
>
> From: Mail Delivery Subsystem <[EMAIL PROTECTED]>
> From: [EMAIL PROTECTED] (Mail Delivery System)
> From: Mail Administrator <[EMAIL PROTECTED]>
> From: [EMAIL PROTECTED]
> etc.
>
> So, I created a filter called JOEJOBNDR that contains the following:
>
> MAILFROM 0 CONTAINS MAILER-DAEMON
> MAILFROM 0 CONTAINS postmaster
> MAILFROM 0 CONTAINS Barracuda Spam Firewall
> MAILFROM 0 CONTAINS mailmaster
> MAILFROM 0 CONTAINS automated-response
>
> with the 'global.cfg' and '$default$.junkmail' files containing (respectively):
>
> JOEJOBNDR filter C:\IMail\Declude\Filters\JoeJob.txt x 25 0
>
> JOEJOBNDR WARN
>
> Can someone tell me why the filter is not working? Also, I am open to any other methods or suggestions for getting the job done.
>
> Thanks in advance,
>
> Kim Premuda
> FastWave
> San Diego, CA
>
> --
> Kim W. Premuda
> FastWave Internet Services
> San Diego, CA
>
> --
> ---
> [This E-mail scanned for viruses by Declude Virus]
>
> ---
> [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]
>
> ---
> This E-mail came from the Declude.JunkMail mailing list. To
> unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
> type "unsubscribe Declude.JunkMail". The archives can be found
> at http://www.mail-archive.com.
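
The decision order of the reply's filter, restated as an added Python example that is not part of the original thread and is not Declude configuration: null envelope sender first, then recipient, then the real display name as an exemption, then the forged display-name shape. The address `user@example.com`, the name `Example User`, the function names and the sample messages are all constructed assumptions.

```python
import re

OWN_ADDRESS = "user@example.com"   # assumption: placeholder for the abused address
REAL_NAME = "Example User"         # assumption: display name the owner really sends with

# Quoted display name ending in a letter, then the owner's address: the shape
# the thread's BODY 1 CONTAINS a" ... z" lines look for.
FORGED_FROM = re.compile(r'[a-z]"\s*<?' + re.escape(OWN_ADDRESS), re.IGNORECASE)

def body_of(raw):
    """Return everything after the first blank line (top-level headers removed)."""
    parts = re.split(r"\r?\n\r?\n", raw, maxsplit=1)
    return parts[1] if len(parts) == 2 else ""

def classify(envelope_sender, recipients, raw):
    """Label one message; the order of checks mirrors the filter in the thread."""
    if envelope_sender.strip() not in ("", "<>"):
        return "not-a-bounce"            # bounces use the null envelope sender
    if not any(OWN_ADDRESS in r.lower() for r in recipients):
        return "not-for-owner"           # only judge mail sent to the abused address
    body = body_of(raw)
    if REAL_NAME.lower() in body.lower():
        return "legit-bounce"            # returned mail carries the real display name
    if FORGED_FROM.search(body):
        return "backscatter"             # returned mail carries a forged display name
    return "unknown-bounce"              # out-of-office, over-quota, challenge/response

# Constructed sample messages (not taken from the thread).
HEAD = "From: Mail Delivery Subsystem <MAILER-DAEMON@mx.example.net>\nTo: user@example.com\n\n"
BACKSCATTER = HEAD + 'Could not deliver:\n\nFrom: "Heavenly Helper" <user@example.com>\n'
LEGIT = HEAD + 'Could not deliver:\n\nFrom: "Example User" <user@example.com>\n'
OUT_OF_OFFICE = HEAD + "I am out of the office until Monday.\n"

if __name__ == "__main__":
    for name, raw in [("backscatter", BACKSCATTER), ("legit", LEGIT), ("ooo", OUT_OF_OFFICE)]:
        print(name, "->", classify("<>", ["user@example.com"], raw))
```

The exemption has to run before the forged-name test, because a bounce of genuinely sent mail also contains a quote followed by the owner's address.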
