How to detect forged From and Reply-to addresses from your own
MailScanner at ecs.soton.ac.uk
Fri Mar 5 16:25:34 GMT 2010
All you can check for is that they come from hosts outside your domain,
and have a sender address that includes your domain.
You can mark those as spam.
    From: host:yourdomain.com and From: yourdomain.com no
    From: yourdomain.com yes
    FromOrTo: default no
and put that as a ruleset for "Is Definitely Spam =".
The "host:yourdomain.com" means "IP addresses which resolve to hostnames
ending in yourdomain.com". It's the same as the old "10.3." way of
specifying IP addresses, but uses DNS so you don't have to put in silly
The "yourdomain.com" means "email messages whose sender address ends in
On 05/03/2010 16:00, Daniel Straka wrote:
> We are receiving a ton of SPAM where the From and/or Reply-to addresses have been forged so they appear to have come from users in our own domain. Of course, these BC several users at a time. Is there any way to detect these with MailScanner?
Julian Field MEng CITP CEng
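Added example (not part of the original post and not MailScanner code): a Python model of how the three rules above combine when the first matching rule decides, run over constructed (client hostname, sender address) pairs. The function names, the label-boundary domain match and passing the reverse-DNS name in as a parameter instead of looking it up are assumptions of this example.

```python
# Added illustration of the ruleset logic from the post; all inputs are constructed.
OWN_DOMAIN = "yourdomain.com"  # placeholder domain, as used in the post


def in_domain(name, domain=OWN_DOMAIN):
    """True if name is the domain itself or a subdomain of it.

    Assumption of this example: match on a label boundary, so that
    'notyourdomain.com' does not count as 'ending in yourdomain.com'.
    """
    name = name.lower().rstrip(".")
    return name == domain or name.endswith("." + domain)


def sender_domain(address):
    """Domain part of a sender address; '' for the null sender '<>'."""
    return address.strip("<>").rpartition("@")[2]


def is_definitely_spam(client_hostname, sender):
    """Apply the three rules in order; the first one that matches decides.

    client_hostname is the name the connecting IP resolves to, or None
    when the IP has no reverse DNS entry.
    """
    from_own_host = client_hostname is not None and in_domain(client_hostname)
    claims_own_domain = in_domain(sender_domain(sender))
    if from_own_host and claims_own_domain:  # rule 1: own host, own sender -> no
        return False
    if claims_own_domain:                    # rule 2: own sender, other host -> yes
        return True
    return False                             # rule 3: default -> no


# Constructed samples: (reverse-DNS name of the client, sender address)
SAMPLES = [
    ("mail.yourdomain.com", "alice@yourdomain.com"),    # internal mail
    ("host.example.net", "alice@yourdomain.com"),       # forged sender, outside host
    ("host.example.net", "bob@example.net"),            # ordinary inbound mail
    (None, "alice@yourdomain.com"),                     # own host lacking reverse DNS
    ("mail.notyourdomain.com", "alice@yourdomain.com"), # look-alike hostname
    ("mail.yourdomain.com", "<>"),                      # bounce with null sender
]

if __name__ == "__main__":
    for host, sender in SAMPLES:
        print(f"{host!s:26} {sender:24} spam={is_definitely_spam(host, sender)}")
```

The fourth sample shows the operational cost of the host: match: a legitimate host of yours whose IP does not resolve to a name in your domain is treated as an outside host, so reverse DNS for every internal sender has to be in place before enabling the ruleset.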