Mike Wallace wrote on Wed, 13 Jan 2010 14:39:13 -0500: > I do this but it only works for rejecting a forged envelope. It doesn't > work if it's only a forged From header which the example shows.
Yes, it doesn't work if only the From is forged. You could compare To and >From in SA and disallow if they match. Or you could compare envelope_from (if correctly set) and From in SA and fire if they don't. I think the SMTP AUTH status may also be available in SA or you could parse that out with a header check and then fire if the mail is not from an internal source or SMTP AUTHed. But you will probably have to have some whitelisting for instance for mailing lists, and other caveats. Basically, I think you can use this only as a temporary measure if you get a lot of this spam to a specific domain. Not as a global solution. SPF in SA might be suited for that. Kai -- Get your web at Conactive Internet Services: http://www.conactive.com
