Spamassassin 2.54, Cobalt RaQ4 w/ sendmail, MailScanner, Clam antivirus

I very badly need a rule that will check for a forged FROM that is a domain on my server. I get tons like this daily. I saw one on someone's web site or here on the group last week, copied it, then the computer locked up before I saved it and I cannot find it again. Can someone point me in the right direction, please?
I have gone to a new attack method lately: I've been looking at the FROMs on these mails only, and if they are whacky or not a large ISP, then they go straight into the server's blocked list in the GUI. It has helped a great deal. It has become apparent to me that I am making more progress like this than by examining the headers and adding the originating IP, which in many cases is one of the major ISPs here in the US, so I cannot block those anyway. These mails with forged FROMs using domains on my server get scored in the -90 to -99 range with AWL or USER_IN_WHITELIST, so I need a way to counterattack that forging issue. Right now I have 1022 domain names and IPs in the server's block list. I have notified every user on the server letting them know this was the road I will be traveling at this point, and they are all cool with it.

The other problem with just the spam filter alone is AOL. Many of the users on the Cobalt only have AOL and cannot POP their accounts, so their mail is auto-forwarded through the GUI or through a .forward. Mails forwarded to an account off the server through the GUI get passed through neither MailScanner ({Spam?}) nor SA (*****SPAM*****), so they go directly to AOL. AOL now has their own filters that bounce that stuff back to the LAST KNOWN HOP, which is my server. They are counting this against *ME*, as dumb as that sounds. I have spoken directly to the postmasters at AOL on this matter, and there is nothing I can do about it except try and stop it at my end. The mails that pass to the same or other AOL accounts by means of the .forward files do get MailScanner-checked, and almost every one of them that is bouncing (refused as spam) has been marked {Spam?}. A good majority of these mails have forged FROMs as [EMAIL PROTECTED]. Again, a good majority of these are coming off major US ISPs (Charter, rr.com, Adelphia), so I cannot block these in all good conscience. Am I correct in the assumption that sendmail is not really looking at the IPs, just the stated FROM in the header?
I still need a means of passing every mail through SA. If I can get that done, then I have zero qualms about /dev/null-ing scores over 10 or so across the board.

Thanks

Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk
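The check the post is asking for, as an added stand-alone illustration (not a SpamAssassin rule and not code from the original post): a From: address in one of the server's hosted domains is only believable if the mail entered from the server's own network. When the first untrusted Received: hop is an outside IP, a local From: is forged and must not earn an AWL or whitelist bonus. The domain names, the trusted networks and the three sample messages are constructed assumptions for the example.

```python
"""Flag mail whose From: claims one of our own domains but which entered from an
outside relay.  Added illustration only; not SpamAssassin code and not code from
the original post.  Domains, networks and sample messages are constructed."""
import ipaddress
import re
from email import message_from_string
from email.utils import parseaddr

# Assumed: the domains hosted on the server, and the address space the server
# itself (plus its LAN and MailScanner re-injection on localhost) hands mail in
# from.  Replace with your own values.
LOCAL_DOMAINS = {"example.com", "example.net"}
TRUSTED_NETS = [ipaddress.ip_network("192.0.2.0/24"),
                ipaddress.ip_network("127.0.0.0/8")]

# The first bracketed IPv4 literal in a Received: header is the connecting host
# as the receiving MTA saw it, which the sender cannot forge for that hop.
RECEIVED_IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def from_domain(msg):
    """Domain part of the From: address, lowercased, or None if unparsable."""
    _, addr = parseaddr(msg.get("From", ""))
    if "@" not in addr:
        return None
    return addr.rsplit("@", 1)[1].lower()


def originating_ip(msg):
    """Walk Received: headers newest-first and return the first connecting IP
    that lies outside TRUSTED_NETS, i.e. the hop where the mail crossed into
    our box.  None means every hop was ours: the mail really started locally."""
    for hdr in msg.get_all("Received", []):
        m = RECEIVED_IP_RE.search(hdr)
        if not m:
            continue
        try:
            ip = ipaddress.ip_address(m.group(1))
        except ValueError:
            continue
        if not any(ip in net for net in TRUSTED_NETS):
            return str(ip)
    return None


def check_message(raw):
    """Return (forged, from_domain, origin_ip).  forged is True only when the
    sender claims a local domain *and* the mail arrived from an outside IP;
    a From:-only whitelist cannot tell these two cases apart."""
    msg = message_from_string(raw)
    dom = from_domain(msg)
    ip = originating_ip(msg)
    forged = dom in LOCAL_DOMAINS and ip is not None
    return forged, dom, ip


# Constructed samples.  203.0.113.45 and 198.51.100.7 are documentation-range
# addresses standing in for an outside spam source and an outside ISP relay.
FORGED_MSG = (
    "Received: from raq.example.com (localhost [127.0.0.1])\n"
    "\tby raq.example.com (8.11.6) for <user@example.com>; Tue, 4 Nov 2003 10:00:00 -0500\n"
    "Received: from smtp.outside.example (smtp.outside.example [203.0.113.45])\n"
    "\tby raq.example.com (8.11.6); Tue, 4 Nov 2003 09:59:58 -0500\n"
    "From: \"Accounts\" <billing@Example.COM>\n"
    "To: user@example.com\n"
    "Subject: constructed sample, forged local sender\n"
    "\n"
    "body\n"
)
LOCAL_MSG = (
    "Received: from pc12.example.net (pc12.example.net [192.0.2.10])\n"
    "\tby raq.example.com (8.11.6); Tue, 4 Nov 2003 10:05:00 -0500\n"
    "From: alice@example.net\n"
    "To: bob@example.com\n"
    "Subject: constructed sample, genuine local sender\n"
    "\n"
    "body\n"
)
OUTSIDE_MSG = (
    "Received: from mx1.bigisp.example (mx1.bigisp.example [198.51.100.7])\n"
    "\tby raq.example.com (8.11.6); Tue, 4 Nov 2003 10:10:00 -0500\n"
    "From: someone@bigisp.example\n"
    "To: bob@example.com\n"
    "Subject: constructed sample, outside sender, outside domain\n"
    "\n"
    "body\n"
)

if __name__ == "__main__":
    for name, raw in (("forged", FORGED_MSG), ("local", LOCAL_MSG), ("outside", OUTSIDE_MSG)):
        print(name, check_message(raw))
```

The first sample shows why the walk has to skip trusted hops: MailScanner re-injects through localhost, so the topmost Received: is 127.0.0.1 and the real entry point is the second header. The same principle is what SpamAssassin's whitelist_from_rcvd directive encodes (a whitelist entry honoured only when the mail also came through a named relay), as opposed to whitelist_from, which trusts the From: header alone and is exactly what these forgeries exploit. Local users who submit mail from a home ISP connection would trip this check too, so a deployment needs a carve-out for authenticated submissions.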