How to detect forged From and Reply-to addresses from your own domain

Julian Field MailScanner at
Fri Mar 5 16:25:34 GMT 2010

All you can check for is that they come from hosts outside your domain, 
and have a sender address that includes your domain.

You can mark those as spam.

From: and From: no
From: yes
FromOrTo: default no

and put that as a ruleset for "Is Definitely Spam =".

The "" means "IP addresses which resolve to hostnames 
ending in". It's the same as the old "10.3." way of 
specifying IP addresses, but uses DNS so you don't have to put in silly 
The "" means "email messages whose sender address ends in".

On 05/03/2010 16:00, Daniel Straka wrote:
> We are receiving a ton of SPAM where the From and/or Reply-to addresses have been forged so they appear to have come from users in our own domain. Of course, these BC several users at a time. Is there any way to detect these with MailScanner?
> Thanks,


Julian Field MEng CITP CEng

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
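
Added example, not part of the original message and not MailScanner code: a small Python model of the first-match logic the three-rule ruleset above describes, run over constructed messages. The domain example.com, the hostnames, the addresses and the function names are assumptions made for illustration, and the reverse-DNS name of the connecting host is passed in directly so the example runs offline.

```python
# Added illustration: models the first-match logic of the three-rule ruleset.
# OUR_DOMAIN, the hostnames and the addresses below are constructed placeholders.
OUR_DOMAIN = "example.com"


def in_domain(name, domain=OUR_DOMAIN):
    """True if name is the domain itself or a subdomain of it.

    Assumption: matching is done on a label boundary, so "notexample.com"
    does not count as ending in "example.com".
    """
    name = name.lower().rstrip(".")
    return name == domain or name.endswith("." + domain)


def sender_in_domain(sender, domain=OUR_DOMAIN):
    """True if the domain part of the sender address is in our domain."""
    return "@" in sender and in_domain(sender.rsplit("@", 1)[1], domain)


def is_definitely_spam(client_hostname, sender):
    """Evaluate the rules top to bottom; the first rule that matches decides.

    client_hostname is the reverse-DNS name of the connecting host, or None
    when the IP address does not resolve to a hostname.
    """
    from_inside = client_hostname is not None and in_domain(client_hostname)
    ours = sender_in_domain(sender)
    if from_inside and ours:   # rule 1: our host and our sender address -> no
        return False
    if ours:                   # rule 2: our sender address, any other host -> yes
        return True
    return False               # rule 3: default -> no


# Constructed sample messages: (reverse-DNS name of client, sender address)
SAMPLES = [
    ("mail.example.com", "alice@example.com"),        # genuine internal mail
    ("relay.spammer.test", "alice@example.com"),      # forged from outside
    (None, "alice@example.com"),                      # no reverse DNS at all
    ("relay.spammer.test", "bob@other.test"),         # ordinary external mail
    ("mail.notexample.com", "alice@example.com"),     # look-alike hostname
    ("mail.example.com", "bob@example.com.evil.test"),  # look-alike sender domain
]


def classify_samples():
    """Return the verdict for each constructed sample, in order."""
    return [is_definitely_spam(host, sender) for host, sender in SAMPLES]


if __name__ == "__main__":
    for (host, sender), verdict in zip(SAMPLES, classify_samples()):
        print(f"{host!s:22} {sender:28} definitely spam: {verdict}")
```

Under this logic a real user of the domain who sends through an outside host also matches the second rule, so such senders need to be accounted for before the ruleset is relied on.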