That sounds like a job for the SpamAssassin AskDNS plugin -> https://spamassassin.apache.org/full/4.0.x/doc/Mail_SpamAssassin_Plugin_AskDNS.html

You could query _SENDERDOMAIN_ for MX and act if the MX is in your defined list of "bad" MX hosts. Though I'm not sure if _SENDERDOMAIN_ is Env or Header based. My stomach sez it's Env based ;-) so one could use _AUTHORDOMAIN_ for header based check.

Cheers

tobi

On Fri, 2025-11-07 at 08:04 +0100, Benoît Panizzon wrote:
> Hi Assassins
>
> I noticed an increase of scam mails expecting the victim to reply and
> disclose personal data, which originate from daily changing domain
> names and sending IP addresses (probably a botnet).
>
> To name those received this week:
>
> gutter-install-info.site
> sd-st.com
> auto-repairhelp.xyz
>
> common to those domains is the MX used:
>
> mx1.privateemail.com
> mx2.privateemail.com
>
> operated by our good spam friend namecheap.
>
> Is there a way or plugin which would allow to score based on the MX of
> the sending domain?
>
> I contacted namecheap about their system being abused - but as usual I
> got stuck at the 'please log in to your account to open a case - oh, you
> are not a customer - sorry then we can't help'.
>
> --
> Kind regards
>
> -Benoît Panizzon- @ home office and reachable as usual
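
A sketch of the AskDNS approach suggested in the reply, added here as an example and not taken from either post. The rule names and scores are hypothetical, and the regex assumes the MX answer is matched in its textual form (preference followed by host name, possibly with a trailing dot).

```conf
# Added example: local rules for e.g. local.cf. Rule names and scores are
# placeholders; tune them against your own mail before relying on them.
# AskDNS must be loaded (loadplugin Mail::SpamAssassin::Plugin::AskDNS),
# which the stock .pre files normally do.
ifplugin Mail::SpamAssassin::Plugin::AskDNS

# Envelope sender domain (MAIL FROM): query its MX records and match the
# answers against the two MX hosts named in the original post.
askdns   LOCAL_MX_PRIVEMAIL_ENV  _SENDERDOMAIN_  MX  /\bmx[12]\.privateemail\.com\.?$/i
describe LOCAL_MX_PRIVEMAIL_ENV  Envelope sender domain has a privateemail.com MX
score    LOCAL_MX_PRIVEMAIL_ENV  0.5

# Author domain (From: header): same lookup, for mail where the envelope
# sender and the visible From: address use different domains.
askdns   LOCAL_MX_PRIVEMAIL_HDR  _AUTHORDOMAIN_  MX  /\bmx[12]\.privateemail\.com\.?$/i
describe LOCAL_MX_PRIVEMAIL_HDR  From: domain has a privateemail.com MX
score    LOCAL_MX_PRIVEMAIL_HDR  0.5

# Raise the score only when both domains point at the listed MX hosts.
meta     LOCAL_MX_PRIVEMAIL_BOTH (LOCAL_MX_PRIVEMAIL_ENV && LOCAL_MX_PRIVEMAIL_HDR)
describe LOCAL_MX_PRIVEMAIL_BOTH Envelope and From: domains both use privateemail.com MX
score    LOCAL_MX_PRIVEMAIL_BOTH 1.0

endif
```

Since a shared hosting MX also serves legitimate senders, scores like these are meant to contribute to a verdict alongside other rules, not to decide it alone. Running `spamassassin --lint` after adding the rules checks that the configuration parses.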
