spam.blacklist.rules Syntax question

am.lists am.lists at
Mon Mar 5 15:50:20 CET 2007

On 3/5/07, Glenn Steen <glenn.steen at> wrote:
> On 05/03/07, am.lists <am.lists at> wrote:
> > I'm seeing a boatload of spam coming from a particular set of domains.
> > They're pretty slick, but I'm catching them with scoring. I'd just
> > like to not have to score it every time if I already know they're junk
> > coming in.
> If you get several similar, the SA result cache should take care of this.
> > Since I know they're very-well-known and aren't ever likely to send
> > anything legit, I'd like to block their entire domain.
> >
> > Let's say their domain is "" -- and their MTA IP is
> > with a reverse lookup of
> >
> > In my spam.blacklist.rules, I added:
> >
> > From:     yes
> These aren't really like the ones in PF, place something like
> From:     *@*     yes
> From:     *     yes

Thanks for the clarification.

> > Thinking that would match. I'm still seeing messages from them that
> > are going through scoring and not just getting stopped at the
> > blacklist.
> Are you sure you are reacting on the correct information? Nothing
> spoofable/spoofed?
> Envelope information is what it needs be;)

Yes. I verified the reverse lookup. I went to the www version of their
domain name and it only has a generic unsubscribe page.

> > I didn't want to block by IP range in case they move.
> >
> > Would this be better moved to a postfix block instead of where I'm
> > [attempting] to do it?
> Might be a good idea, saves even more.

The only downside is I don't get the instrumentation of how effective
my blocking is if I do it there, right?



(PS: I modified the urls/domains listed because they are getting this
thread flagged.)

More information about the MailScanner mailing list