I was running a whitelist on our local domain for a long time but overcoming whitelisted spam became too much of a chore. So I removed the whitelist entry and replaced it with a header check on Received to verify it came from our internal machines, then assigned it -50. Then I slap a 5.1 on anything with our domain in the From field. So far it's working beautifully. Obviously only works in an enclosed system like mine with one way in/out for mail.

-----Original Message-----
From: Steve Thomas [mailto:[EMAIL PROTECTED]
Sent: Tuesday, November 25, 2003 12:40 PM
To: Tony Bunce
Cc: [EMAIL PROTECTED]
Subject: Re: [SAtalk] Ideas

On Tue, Nov 25, 2003 at 01:22:51PM -0500, Tony Bunce is rumored to have said:
>
> I have been seeing lots of spam like this getting through recently
>
> Anyone have any ideas how to reduce this type of spam from getting
> through?

I noticed that this guy's using our domain name as the argument to the HELO command during the SMTP transaction. So if the address he's spamming is [EMAIL PROTECTED], his ratware used "HELO example.com". None of our servers use just our domain name (they all use their fully qualified hostnames), so I added a custom rule which looked for "helo=example.com" in the Received: header and scored it at 200 points to overcome his using a whitelisted From: address (we've whitelisted [EMAIL PROTECTED]). Works like a charm.

_______________________________________________
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk
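
The three checks described in the two messages above, sketched in Python as an added example (not code from either poster, and not SpamAssassin's rule engine). The scores are the ones quoted in the thread; the Exim-style Received layout, the 10.0.0.0/8 internal range, the rule names, the choice to inspect only the topmost Received line, and the sample messages are assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

DOMAIN = "example.com"  # placeholder domain, as in the thread
# Assumed Exim-style trace line: "from host ([ip] helo=name) by mx ..."
# The lookahead stops "helo=example.com.other.test" from matching.
HELO_BARE = re.compile(r"helo=" + re.escape(DOMAIN) + r"(?![\w.-])", re.I)
INTERNAL_IP = re.compile(r"\(\[10\.\d+\.\d+\.\d+\]")  # assumed internal range


def score(raw):
    """Return (total, hits) for the three checks described in the thread."""
    msg = message_from_string(raw)
    # With a single gateway, only the topmost Received line was written by
    # our own server; every line below it is sender-supplied and forgeable.
    received = msg.get_all("Received") or [""]
    top = " ".join(received[0].split())  # unfold continuation lines
    hits = {}
    if INTERNAL_IP.search(top):
        hits["INTERNAL_RELAY"] = -50.0      # hypothetical rule name
    if parseaddr(msg.get("From", ""))[1].lower().endswith("@" + DOMAIN):
        hits["FROM_OWN_DOMAIN"] = 5.1       # hypothetical rule name
    if HELO_BARE.search(top):
        hits["HELO_BARE_DOMAIN"] = 200.0    # hypothetical rule name
    return round(sum(hits.values()), 1), hits


# Constructed sample messages (not taken from the thread).
EXTERNAL_HOP = ("Received: from [203.0.113.7] (helo=%s)\n"
                "\tby mx1.example.com with smtp\n")
INTERNAL_HOP = ("Received: from ws12.example.com "
                "([10.0.0.12] helo=ws12.example.com)\n"
                "\tby mx1.example.com with esmtp\n")
BODY = "From: Staff <staff@example.com>\nSubject: test\n\nhello\n"

SPOOFED = EXTERNAL_HOP % "example.com" + BODY   # bare-domain HELO from outside
INTERNAL = INTERNAL_HOP + BODY                  # genuine internal mail
# Outside sender that prepends a fake internal hop below the real one.
FORGED_TRACE = EXTERNAL_HOP % "mail.example.net" + INTERNAL_HOP + BODY

if __name__ == "__main__":
    for name, raw in [("spoofed", SPOOFED), ("internal", INTERNAL),
                      ("forged trace", FORGED_TRACE)]:
        print(name, score(raw))
```

The forged-trace sample shows why the internal-relay credit is tied to the gateway's own Received line: a copied internal hop further down the header stack earns nothing.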