Blocking empty To with rules

[Mike Williams]

I found out that an empty To: field is filled with MAILER-DAEMON by
sendmail.  This is used for purposes such as when an email message bounces.
This is exactly what was happening.  Some spammer decided to use a return
address of one of our domains and is sending spam to dictionary of AOL
users.  For the return address they chose about 7 names such as mail offer
newest special host webhost and tryit.  Then they appended a random number
of 5-8 digits to the end of the username.  So what we ended up with was
mail324365 at domain.com as the return address.  We use a mail gateway that
accepts all main, scans it and then delivers it to the real mail server.
Tried to block it using Local_Ruleset in Sendmail but no luck.  Finally I
had to add mail*@domain.com ect... to the blacklist and then to the Virus
Scanning and Spam Checks lists.  Then in the spam actions I listed each one
with a bounce delete action.  It is now bouncing all the mail back to AOL so
maybe they will shut this spammer down who is abusing their system but I am
not holding my breath...

Mike

-----Original Message-----
From: MailScanner mailing list [mailto:MAILSCANNER at JISCMAIL.AC.UK]On
Behalf Of Julian Field
Sent: Friday, February 14, 2003 4:38 PM
To: MAILSCANNER at JISCMAIL.AC.UK
Subject: Re: Blocking empty To with rules


At 16:06 14/02/2003, you wrote:
>Is it possible to block a spam message where the To is empty?  We are
>getting a ton of spam from AOL and in the sendmail logfile the To is
blank.
>I wouldn't mind shutting AOL down from having access to our server but
I'm
>sure our customers would complain :)

In a ruleset you can specify arbitrary regular expressions, which is
perfect for this.
You could write a ruleset for the "Is Definitely Spam" parameter that
contains the line
To:     /^$/    yes
which would say that all mail with no To address is spam.
--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support