I'd also be interested in implementing a block based on an address range check, so perhaps if more than 10 SPAM messages which scored over 10 were received from an address block, then the known or estimated range of SPAM senders in that block would be blacklisted using IPTables, with a daily review.
Probably not a good idea, since you don't know how big the remote network block is. It might be something like /24, but it also might be something like /29. If you blindly assume it is /24, you'll get the spammer blocked (maybe, it just might be that one of your users had a .forward file at a remote site, and you can't know that either), but you will also penalize everybody else.
Plus, some mailing lists will happily forward spam from time to time, one popular example is the Linux kernel mailing list... And there are some criminally managed lists such as Bugtraq, that don't forward spam (probably because it is moderated), but do some other stuff that might trigger things here and there. So you might just as likely end up blocking those, to the delight of your users.
--
Aleksandar Milivojevic <[EMAIL PROTECTED]>
Systems Administrator
Pollard Banknote Limited
1499 Buffalo Place
Winnipeg, MB R3T 1L7
Tel: (204) 474-2323 ext 276
_______________________________________________
Visit http://www.mimedefang.org and http://www.canit.ca
MIMEDefang mailing list
[EMAIL PROTECTED]
http://lists.roaringpenguin.com/mailman/listinfo/mimedefang
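The trade-off discussed in this thread can be measured before any range is blocked. The sketch below is an added example, not part of the original messages and not MIMEDefang code: it applies the proposed rule (more than 10 messages scoring over 10) to an assumed prefix length and reports which clean senders and exempted relays would fall inside the block. The function name, the log tuples, the exempt list and all addresses (documentation ranges) are constructed assumptions.

```python
import ipaddress
from collections import defaultdict

SCORE_MIN = 10   # rule from the thread: messages that "scored over 10"
HITS_MIN = 10    # rule from the thread: "more than 10" such messages

def _by_addr(ips):
    return sorted(ips, key=ipaddress.ip_address)

def review(events, exempt=(), prefix=24):
    """Group senders by an ASSUMED /prefix and report who a range block would hit."""
    exempt = set(exempt)
    spam_hits = defaultdict(lambda: defaultdict(int))  # net -> ip -> high-score count
    senders = defaultdict(set)                         # net -> every ip seen
    for ip, score in events:
        net = ipaddress.ip_network(f"{ip}/{prefix}", strict=False)
        senders[net].add(ip)
        if score > SCORE_MIN:
            spam_hits[net][ip] += 1
    report = {}
    for net, per_ip in spam_hits.items():
        if sum(per_ip.values()) <= HITS_MIN:
            continue  # rule not triggered for this assumed block
        sources = set(per_ip)
        report[str(net)] = {
            "spam_sources": _by_addr(sources - exempt),
            "exempt_sources": _by_addr(sources & exempt),   # e.g. list relays
            "collateral": _by_addr(senders[net] - sources),  # clean senders hit
            "block_size": net.num_addresses,
        }
    return report

# Constructed sample log: (source IP, spam score). Not real data.
EVENTS = (
    [("192.0.2.9", 15.0)] * 6 + [("192.0.2.10", 12.0)] * 5
    + [("192.0.2.130", 1.0)] * 3 + [("192.0.2.200", 0.5)] * 2
    + [("198.51.100.25", 11.0)] * 11 + [("198.51.100.25", 0.0)] * 40
)
EXEMPT = {"198.51.100.25"}  # hypothetical mailing-list relay that forwards some spam

if __name__ == "__main__":
    for prefix in (24, 29):
        for net, row in review(EVENTS, EXEMPT, prefix).items():
            print(net, row)
```

Running it with both prefix lengths shows the same two spam sources either way, but only the /24 guess sweeps in the two clean senders; the relay triggers the rule yet appears only under `exempt_sources`.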

