Hi All,

My server CentOS 4, Sendmail, MailScanner (SA & ClamAV) is being buried by spoofed emails that are bounced back to my domain by the recipient's servers. Virtually all these emails are being sent from a zombie at a single IP.
i.e.: All the messages contain the following line somewhere within:

Received: from d04m-89-83-98-193.d4.club-internet.fr ([89.83.98.193])

I can't figure out how to mark any messages that originally sourced from that IP so that they can be dropped by Procmail (that approach would appear to be my only hope, as junk is arriving faster than my mail client can pull it off the server).

I have tried to write a rule that would mark any message with that particular IP, but nothing seems to work. An example that doesn't work (but does --lint just fine) is:

header ANNOYING_SPAMMER Received =~ /89\-83\-98\-193/
describe ANNOYING_SPAMMER Mark mail touched by specific IP as spam
score ANNOYING_SPAMMER 15

Does SA only scan the most recent Received Header line? If so, the "Header - Received" syntax wouldn't work because the bad IP is in the original Received line. In case that was the problem, I also tried the Rawbody operator to no avail.

Note that other than this issue, SA appears to be doing everything else just fine. So I am desperate and would be grateful for any suggestions.

For reference, here are my full procmailrc and local.cf files.

/etc/procmailrc
-----------------
DROPPRIVS=yes

:0fw
* < 256000
| /usr/bin/spamc -f

:0
* ^X-Spam-Level: \*\*\*\*\*\*\*\*\*\*\*\*\*\*\*
/dev/null
----------------

/etc/mail/spamassassin/local.cf
-----------------
# Change the subject of suspected spam
rewrite_header subject *****SPAM*****

# Encapsulate spam in an attachment (0=no, 1=yes, 2=safe)
report_safe 0

# Enable the Bayes system
use_bayes 1

# Enable Bayes auto-learning
bayes_auto_learn 1

# Enable or disable network checks
skip_rbl_checks 0
use_razor2 1
#use_dcc 1
use_pyzor 1

header ANNOYING_SPAMMER Received =~ /89\-83\-98\-193/
describe ANNOYING_SPAMMER Mark mail touched by specific IP as spam
score ANNOYING_SPAMMER 15
---------------
--
View this message in context: http://www.nabble.com/Being-Buried-In-Returned-Email---Need-To-Mark-Certain-IPs-tp18181167p18181167.html
Sent from the SpamAssassin - Users mailing list archive at Nabble.com.
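
Added example, not part of the original post: a small Python check that reports whether the zombie's Received line in a saved bounce sits in the top-level headers, which is what a `header ... Received` test reads, or inside the bounced copy carried in the body. The sample message is constructed, and `locate_ip` is a hypothetical helper name.

```python
import email

SUSPECT_IP = "89.83.98.193"  # the IP quoted in the post

# Constructed sample bounce; every host except the quoted zombie line is made up.
SAMPLE_BOUNCE = """\
Received: from mx.recipient.example ([192.0.2.10]) by mail.mydomain.example
From: MAILER-DAEMON@mx.recipient.example
To: forged@mydomain.example
Subject: Undelivered Mail Returned to Sender
MIME-Version: 1.0
Content-Type: multipart/report; report-type=delivery-status; boundary="b1"

--b1
Content-Type: text/plain

Your message could not be delivered.
--b1
Content-Type: message/rfc822

Received: from d04m-89-83-98-193.d4.club-internet.fr ([89.83.98.193])
From: forged@mydomain.example
To: victim@recipient.example
Subject: hello

body
--b1--
"""


def locate_ip(raw, ip):
    """Return (top_level, embedded) lists of Received lines that name ip."""
    msg = email.message_from_string(raw)
    top = [h for h in msg.get_all("Received", []) if ip in h]
    embedded = []
    for part in msg.walk():
        if part is not msg:
            # Headers of an attached message/rfc822 copy of the original mail.
            embedded += [h for h in part.get_all("Received", []) if ip in h]
        # Headers quoted as text (plain-text notice or text/rfc822-headers).
        if part.get_content_maintype() == "text":
            text = part.get_payload(decode=True).decode("latin-1")
            embedded += [line for line in text.splitlines()
                         if line.lower().startswith("received:") and ip in line]
    return top, embedded


if __name__ == "__main__":
    top, embedded = locate_ip(SAMPLE_BOUNCE, SUSPECT_IP)
    print("top-level Received hits:", top)
    print("hits inside the bounced copy:", embedded)
```

Running it over a few real bounces saved from the mail spool shows which of the two places a rule has to look in.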