[Modus] Spam getting through

[ISOC Network Operations]

All my Webmail stuff says from isoc.net NOT from 65.90.81.60   Received: from isoc.net (unverified [127.0.0.1]) by mail.isoc.net  (Vircom SMTPRS 3.0.277) with ESMTP id <[EMAIL PROTECTED]> for <[EMAIL PROTECTED]>;   John -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Drew Salmon Sent: Wednesday, December 17, 2003 3:54 PM To: [EMAIL PROTECTED] Subject: [Modus] Spam getting through   What if a webmail user sends email to another user on that server?   Drew   From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of ISOC Network Operations Sent: Thursday, December 18, 2003 10:13 AM To: [EMAIL PROTECTED] Subject: [Modus] Spam getting through   The key to stopping some of this new spam is fairly easy.   Here is what I have seen with a lot of it   Received: from mailin-1.isoc.net (unverified [65.90.81.50]) by mail.isoc.net(Vircom SMTPRS 3.0.277) with ESMTP id <[EMAIL PROTECTED]> for   <[EMAIL PROTECTED]>;Wed, 17 Dec 2003 10:56:14 -0500 Received: from 65.90.81.50 ([212.14.144.94])by mailin-1.isoc.net (8.11.6/8.11.6) with SMTP id hBHFjLS09135for <[EMAIL PROTECTED]>; Wed, 17 Dec 2003   10:45:24 -0500   In my setup I have relays before Modus, as you can see they are spoofing the FROM to the IP of my relay that they are sending the spam too. (highlighted in red)   I added a simple filter that looks like this:   if header :contains ["Received"]   "from 65.90.81.50"         { discard; stop; }   I would think your seeing similar tactics except they are delivering directly to your modus server but the FROM is probably spoofed as your servers IP address   So if you replace the 65.90.81.50 with the IP address of your modus server you should stop lots of nasties.   And since there is no reason for your modus sever to send mail to itself nor would it identify itself to itself by is IP address you should not get any false positives   John