Kim,
Declude's MAILFROM variable matches the Mail From that is given in the SMTP envelope and not necessarily the address contained in the From header. All of the permutations that you gave are likely to have a Mail From/MAILFROM of <>. So the correct format of your filter line would be as follows:
MAILFROM 0 CONTAINS <>
Keep in mind that if you indiscriminately block this address, you will also be blocking legitimate NDRs. Unfortunately there is no easy answer to the problem.
On my system, I 'combo' the null sender address with things that are capable of recording spam hits on content and I add a bunch of extra points when found. Sniffer is an excellent tool for this. Most of these Joe-Jobs are being sent to random addresses that won't correspond to an account, but there appears to be a spammer that is now using real addresses repeatedly, resulting in a prolonged deluge of NDRs from spam that goes to a specific account. Because not all NDRs will return the original content, it is impossible to block all of these, and as a result the only possible solution is to block all NDRs for those specific accounts.
For now, the strategy of specifying the accounts to block NDRs is enough on my system, but short of that, there is no solution that would otherwise maintain the ability to legitimately bounce messages.
Someone needs to create a new RFC for properly bouncing E-mail with the full original content (unless it is due to excessive size).
Matt
Kim Premuda wrote:
We are receiving thousands of NDR messages daily due to some spammer forging his message headers with our mail server name and IP address, 'ns3.fastwave.net' and '[207.212.80.137]' (below - note, it is not an IMail header):
Received: (from [EMAIL PROTECTED]) by mailgate3.nec.co.jp (8.11.7/3.7W-MAILGATE-NEC) id iABBF0N18133 for [EMAIL PROTECTED]; Thu, 11 Nov 2004 20:15:00 +0900 (JST)
Received: from no-wucking-furries.com ([211.223.136.240]) by TYO205.gate.nec.co.jp (8.11.7/3.7W01080315) with SMTP id iABBEtF01977 for <[EMAIL PROTECTED]>; Thu, 11 Nov 2004 20:14:56 +0900 (JST)
Received: from fastwave.net (ns3.fastwave.net [207.212.80.137]) by no-wucking-furries.com (Postfix) with ESMTP id D2C16DA045 for <[EMAIL PROTECTED]>; Thu, 11 Nov 2004 05:13:08 -0600
Our customers who are targeted to receive the NDRs are complaining, and my first attempt at writing a JunkMail filter to (temporarily, at least) trap these NDRs has failed (it doesn't seem to be working). I want to trap on the 'From:' line, since that seems to be the most common element in all the NDRs:
From: Mail Delivery Subsystem <[EMAIL PROTECTED]>
From: [EMAIL PROTECTED] (Mail Delivery System)
From: Mail Administrator <[EMAIL PROTECTED]>
From: [EMAIL PROTECTED]
etc.
So, I created a filter called JOEJOBNDR that contains the following:
MAILFROM 0 CONTAINS MAILER-DAEMON
MAILFROM 0 CONTAINS postmaster
MAILFROM 0 CONTAINS Barracuda Spam Firewall
MAILFROM 0 CONTAINS mailmaster
MAILFROM 0 CONTAINS automated-response
with the 'global.cfg' and '$default$.junkmail' files containing (respectively):
JOEJOBNDR filter C:\IMail\Declude\Filters\JoeJob.txt x 25 0
JOEJOBNDR WARN
Can someone tell me why the filter is not working? Also, I am open to any other methods or suggestions for getting the job done.
Thanks in advance,
Kim Premuda FastWave San Diego, CA
-- Kim W. Premuda FastWave Internet Services San Diego, CA
-- --- [This E-mail scanned for viruses by Declude Virus]
--- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]
--- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com.
-- ===================================================== MailPure custom filters for Declude JunkMail Pro. http://www.mailpure.com/software/ =====================================================
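
The envelope-versus-header distinction and the 'combo' scoring described in the reply above, as an added Python example. It is not part of the original thread and is not Declude or Sniffer code; the pattern list, point values, addresses and function names are assumptions constructed for illustration.

```python
import re
from email import message_from_string

# All values below are constructed for this example.
SPAM_PATTERNS = [re.compile(r"cheap\s+meds", re.I)]  # stand-in for a content scanner
NDR_BLOCKED_RCPTS = {"targeted@example.com"}          # accounts under a sustained NDR flood
COMBO_POINTS, HOLD_AT = 25, 25

MAIL_FROM_RE = re.compile(r"^MAIL FROM:\s*<([^>]*)>", re.I)

def envelope_sender(smtp_line):
    """Reverse-path from an SMTP MAIL FROM command; '' is the null sender <>."""
    m = MAIL_FROM_RE.match(smtp_line.strip())
    if m is None:
        raise ValueError("not a MAIL FROM command: %r" % smtp_line)
    return m.group(1)

def evaluate(smtp_line, rcpt, raw_message):
    """Return (action, points, header_from) for one delivery attempt."""
    msg = message_from_string(raw_message)
    header_from = msg["From"] or ""          # display header, not used for matching
    null_sender = envelope_sender(smtp_line) == ""
    content_hit = any(p.search(msg.get_payload()) for p in SPAM_PATTERNS)
    # Per-account rule: every NDR to a flooded account is blocked, with or
    # without returned content (legitimate bounces to it are lost as well).
    if null_sender and rcpt.lower() in NDR_BLOCKED_RCPTS:
        return ("block", 0, header_from)
    # Combo rule: the null sender alone scores nothing, so ordinary NDRs pass;
    # points are added only when the returned content also looks like spam.
    points = COMBO_POINTS if (null_sender and content_hit) else 0
    return ("hold" if points >= HOLD_AT else "deliver", points, header_from)

# Constructed sample bounces.
NDR_WITH_SPAM = (
    "From: Mail Delivery Subsystem <MAILER-DAEMON@mx.example.net>\n"
    "Subject: Returned mail\n\n"
    "Your message could not be delivered.\n--- original ---\nCheap meds online\n"
)
NDR_NO_CONTENT = (
    "From: postmaster@mx.example.net\nSubject: Undeliverable\n\nUser unknown.\n"
)

if __name__ == "__main__":
    for rcpt, raw in [("user@example.com", NDR_WITH_SPAM),
                      ("user@example.com", NDR_NO_CONTENT),
                      ("targeted@example.com", NDR_NO_CONTENT)]:
        print(rcpt, evaluate("MAIL FROM:<>", rcpt, raw))
```

The first sample shows why a match on "MAILER-DAEMON" against the envelope sender never fires: that string appears only in the From header, while the envelope sender is empty.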
