spam.blacklist.rules Syntax question

am.lists am.lists at gmail.com
Mon Mar 5 15:50:20 CET 2007


On 3/5/07, Glenn Steen <glenn.steen at gmail.com> wrote:
> On 05/03/07, am.lists <am.lists at gmail.com> wrote:
> > I'm seeing a boatload of spam coming from a particular set of domains.
> > They're pretty slick, but I'm catching them with scoring. I'd just
> > like to not have to score it every time if I already know they're junk
> > coming in.
> If you get several similar, the SA result cache should take care of this.
>
> > Since I know they're very-well-known and aren't ever likely to send
> > anything legit, I'd like to block their entire domain.
> >
> > Let's say their domain is "m01.net" -- and their MTA IP is 1.2.3.4
> > with a reverse lookup of something.mx01.net.
> >
> > In my spam.blacklist.rules, I added:
> >
> > From:     .m01.net     yes
> These aren't really like the ones in PF, place something like
> From:     *@*.m01.net     yes
> From:     *@m01.net     yes
>

Thanks for the clarification.


> > Thinking that would match. I'm still seeing messages from them that
> > are going through scoring and not just getting stopped at the
> > blacklist.
> Are you sure you are reacting on the correct information? Nothing
> spoofable/spoofed?
> Envelope information is what it needs be;)


Yes. I verified the reverse lookup. I went to the www version of their
domain name and it only has a generic unsubscribe page.



> > I didn't want to block by IP range in case they move.
> >
> > Would this be better moved to a postfix block instead of where I'm
> > [attempting] to do it?
> Might be a good idea, saves even more.

The only downside is I don't get the instrumentation of how effective
my blocking is if I do it there, right?

Thanks..

Angelo

(PS: I modified the urls/domains listed because they are getting this
thread flagged.)
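Added example, not part of the original thread and not MailScanner's own code: a simplified Python model of the address patterns discussed above, showing why the bare ".m01.net" line never matches an envelope sender while the two suggested lines cover both the domain and its subdomains. Assumptions: "*" matches any run of characters, a pattern must match the whole address, the first matching rule wins, and a "FromOrTo: default no" line closes the ruleset; all addresses are constructed.

```python
import re

# Constructed rulesets: the line from the question, then the two suggested lines.
RULES_ORIGINAL = """
From:     .m01.net     yes
FromOrTo: default      no
"""
RULES_SUGGESTED = """
From:     *@*.m01.net  yes
From:     *@m01.net    yes
FromOrTo: default      no
"""

def glob_to_regex(pattern):
    # Assumed semantics: '*' is the only wildcard, the rest is literal,
    # and the pattern is anchored to the whole envelope address.
    literal_parts = [re.escape(part) for part in pattern.split("*")]
    return re.compile("^" + ".*".join(literal_parts) + "$", re.IGNORECASE)

def parse_rules(text):
    """Return ([(compiled_pattern, value), ...], default_value)."""
    rules, default = [], None
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) != 3:
            continue  # blank, comment-only or malformed line
        direction, pattern, value = fields
        if pattern.lower() == "default":
            default = value
        elif direction.rstrip(":").lower() in ("from", "fromorto"):
            rules.append((glob_to_regex(pattern), value))
    return rules, default

def is_blacklisted(envelope_sender, ruleset_text):
    # The check is on the envelope sender (SMTP MAIL FROM), not the From: header.
    rules, default = parse_rules(ruleset_text)
    for regex, value in rules:
        if regex.match(envelope_sender):
            return value == "yes"  # first match wins
    return default == "yes"

if __name__ == "__main__":
    senders = ["bounce@mail.m01.net", "news@m01.net",
               "user@notm01.net", "user@m01.net.example.org"]
    for sender in senders:
        print(sender,
              "original:", is_blacklisted(sender, RULES_ORIGINAL),
              "suggested:", is_blacklisted(sender, RULES_SUGGESTED))
```

Both suggested lines are needed in this model: "*@*.m01.net" requires a dot before "m01.net", so it does not cover an address directly at m01.net.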

