thadcoco wrote:
Hi All,
My server (CentOS 4, Sendmail, MailScanner with SA & ClamAV) is being buried by
spoofed emails that are bounced back to my domain by the recipients'
servers. Virtually all of these emails are being sent from a zombie at a single
IP.
i.e.: All the messages contain the following line somewhere within:
Received: from d04m-89-83-98-193.d4.club-internet.fr ([89.83.98.193])
I can't figure out how to mark any messages that originally sourced from
that IP so that they can be dropped by Procmail (that approach appears
to be my only hope, as junk is arriving faster than my mail client can pull
it off the server).
I have tried to write a rule that would mark any message with that
particular IP, but nothing seems to work.
An example that doesn't work (but does --lint just fine) is:
header ANNOYING_SPAMMER Received =~ /89\-83\-98\-193/
describe ANNOYING_SPAMMER Mark mail touched by specific IP as spam
score ANNOYING_SPAMMER 15
header rules only look at headers. unless the bounce came from the said
client, they won't help.
as a general recommendation, when rules do not catch a message and you
think they should, it is nice to show a sample (full headers and body,
unaltered by your mta/mua so that we can see the original headers and
body. it's ok if your mta/mua adds headers, but not ok if it reformats
the message or removes headers... etc).
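To illustrate the point above, here is an added example (not from anyone in this thread) that builds a constructed bounce in which the spoofed original, carrying the zombie's Received line, is nested as a message/rfc822 part; it shows that a check limited to the bounce's own Received headers, as a SpamAssassin `header` rule is, never sees the IP, while a check that descends into the attached original does. All hostnames and addresses other than the IP quoted in the thread are example values.

```python
"""Why a SpamAssassin `header ... Received` rule misses a bounced spoof."""
import email
from email import policy
from email.message import EmailMessage

SPAMMER_IP = "89.83.98.193"  # the zombie address quoted in the thread


def build_sample_bounce() -> bytes:
    """Constructed sample: a DSN from the recipient's MX that wraps the
    spoofed original as a message/rfc822 part (example hosts throughout)."""
    original = EmailMessage()
    original["Received"] = (
        "from d04m-89-83-98-193.d4.club-internet.fr ([%s])" % SPAMMER_IP)
    original["From"] = "forged-sender@example.org"
    original["To"] = "nobody@example.net"
    original["Subject"] = "spam"
    original.set_content("unsolicited body")

    bounce = EmailMessage()
    bounce["Received"] = "from mx.example.net ([192.0.2.10])"
    bounce["From"] = "MAILER-DAEMON@example.net"
    bounce["To"] = "forged-sender@example.org"
    bounce["Subject"] = "Undelivered Mail Returned to Sender"
    bounce.set_content("This is the mail system at host mx.example.net.")
    bounce.add_attachment(original)  # becomes Content-Type: message/rfc822
    return bounce.as_bytes()


def header_rule_hits(msg, ip: str) -> bool:
    """Emulates `header RULE Received =~ /ip/`: only the Received lines of
    the message actually being scanned (the bounce itself) are inspected."""
    return any(ip in value for value in msg.get_all("Received", []))


def any_part_hits(msg, ip: str) -> bool:
    """Also descends into attached message/rfc822 parts, which is where the
    returned original (and the zombie's Received line) lives in a bounce."""
    return any(ip in value
               for part in msg.walk()
               for value in part.get_all("Received", []))


def check_bounce(raw: bytes, ip: str = SPAMMER_IP) -> tuple:
    """Returns (header_rule_result, whole_message_result) for one message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    return header_rule_hits(msg, ip), any_part_hits(msg, ip)


if __name__ == "__main__":
    print(check_bounce(build_sample_bounce()))  # (False, True)
```

Run it to see the header-only check return False and the whole-message check return True for the same bounce.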