Heimir, It's not a Sniffer-related answer but I personaly use a combination of a text filter file (looking for known geocities-links) and the IP-blacklist SORBS-DUHL (who contains dialup ip-ranges). As all my customers are connecting with SMTP-Auth or from known IP-ranges I can whitelist them. So the combination of this two filters can catch most of this stuff, as legit messages containing geocities-link shouldn't come from dial-up Ip's to my server.
Markus > -----Original Message----- > From: [EMAIL PROTECTED] > [mailto:[EMAIL PROTECTED] On Behalf Of Heimir Eidskrem > Sent: Wednesday, February 15, 2006 2:53 PM > To: sniffer@sortmonster.com > Subject: [sniffer] [Fwd: Diann Helms] > > Anyway to stop this spam. > We are getting hundreds of them. > I have personally gotten 23. > > >From - Wed Feb 15 07:51:25 2006 > X-Account-Key: account3 > X-UIDL: 384485764 > X-Mozilla-Status: 0001 > X-Mozilla-Status2: 00000000 > Received: from DM [206.53.51.56] by deepspace.i360.net > (SMTPD-8.22) id A08B07E0; Wed, 15 Feb 2006 06:37:31 -0600 > Received: from gmail.com (8.8.8/8.8.8) id XAA47062; Wed, 15 > Feb 2006 06:37:38 -0600 > Message-Id: <[EMAIL PROTECTED]> > From: "Shane Redmond" <[EMAIL PROTECTED]> > To: [EMAIL PROTECTED] > Subject: Diann Helms > X-Mailer: Opera7.20/Win32 M2 build 2981 > Date: Wed, 15 Feb 2006 06:37:38 -0600 > X-RBL-Warning: NOLEGITCONTENT: No content unique to > legitimate E-mail detected. > X-RBL-Warning: IPNOTINMX: > X-RBL-Warning: REVDNS: This E-mail was sent from a MUA/MTA > 206.53.51.56 with no reverse DNS entry. > X-RBL-Warning: CMDSPACE: Space found in RCPT TO: command. > X-RBL-Warning: COUNTRYFILTER: Message failed COUNTRYFILTER > test (line 36, weight 0) > X-Declude-Sender: [EMAIL PROTECTED] [206.53.51.56] > X-Declude-Spoolname: D208b017d0000b78a.smd > X-Note: This E-mail was scanned by Declude JunkMail > (www.declude.com) for spam. > X-Spam-Tests-Failed: NOLEGITCONTENT, IPNOTINMX, REVDNS, > CMDSPACE, COUNTRYFILTER, CATCHALLMAILS [70] > X-Country-Chain: CANADA->destination > X-Note: This E-mail was sent from [No Reverse DNS] ([206.53.51.56]). > X-RCPT-TO: <[EMAIL PROTECTED]> > Status: U > X-UIDL: 384485764 > X-IMail-ThreadID: 208b017d0000b78a > > > Braxton, > > http://uk.geocities.com/proboycott45571 > > Shane Redmond > > > > > This E-Mail came from the Message Sniffer mailing list. For > information and (un)subscription instructions go to > http://www.sortmonster.com/MessageSniffer/Help/Help.html > This E-Mail came from the Message Sniffer mailing list. For information and (un)subscription instructions go to http://www.sortmonster.com/MessageSniffer/Help/Help.html