How to detect forged From and Reply-to addresses from your own domain

Julian Field MailScanner at ecs.soton.ac.uk
Fri Mar 5 16:25:34 GMT 2010


All you can check for is that they come from hosts outside your domain, 
and have a sender address that includes your domain.

You can mark those as spam.

From: host:yourdomain.com and From: yourdomain.com no
From: yourdomain.com yes
FromOrTo: default no

and put that as a ruleset for "Is Definitely Spam =".

The "host:yourdomain.com" means "IP addresses which resolve to hostnames 
ending in yourdomain.com". It's the same as the old "10.3." way of 
specifying IP addresses, but uses DNS so you don't have to put in silly 
numbers.
The "yourdomain.com" means "email messages whose sender address ends in 
yourdomain.com".

On 05/03/2010 16:00, Daniel Straka wrote:
> We are receiving a ton of SPAM where the From and/or Reply-to addresses have been forged so they appear to have come from users in our own domain. Of course, these BC several users at a time. Is there any way to detect these with MailScanner?
>
> Thanks,
>
>    

Jules

-- 
Julian Field MEng CITP CEng
www.MailScanner.info
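The decision logic of the three-line ruleset above, modelled as an added Python example (not MailScanner code and not part of the original post). It assumes the rules are tried top to bottom with the first match deciding, that the "sender address" is the envelope sender, and that the reverse-DNS hostname is supplied as input rather than looked up; the sample messages are constructed.

```python
# Added illustration of the ruleset in the post; not MailScanner's own code.
# Assumptions: first matching rule wins, the sender is the envelope sender,
# and the client's reverse-DNS name is passed in instead of being resolved.
from dataclasses import dataclass

DOMAIN = "yourdomain.com"  # placeholder domain used in the post


@dataclass
class Message:
    client_ptr: str       # hostname the connecting IP resolves to ("" if none)
    envelope_sender: str  # sender address of the message


def in_domain(name: str, domain: str = DOMAIN) -> bool:
    # Assumption: match on a label boundary, so "notyourdomain.com"
    # is not treated as ending in "yourdomain.com".
    name = name.lower().rstrip(".")
    return name == domain or name.endswith("." + domain)


def sender_in_domain(address: str) -> bool:
    # Use the part after the last "@"; no "@" means no domain to match.
    _, at, host = address.rpartition("@")
    return bool(at) and in_domain(host)


def is_definitely_spam(msg: Message) -> bool:
    # Rule 1: host inside the domain AND sender in the domain -> no
    if in_domain(msg.client_ptr) and sender_in_domain(msg.envelope_sender):
        return False
    # Rule 2: sender in the domain, reached only from an outside host -> yes
    if sender_in_domain(msg.envelope_sender):
        return True
    # Rule 3: default -> no
    return False


# Constructed sample messages (hostnames and addresses are made up).
SAMPLES = {
    "internal": Message("mail1.yourdomain.com", "alice@yourdomain.com"),
    "forged": Message("dsl-1-2-3-4.example.net", "alice@yourdomain.com"),
    "no_ptr": Message("", "bob@yourdomain.com"),
    "external": Message("mx.example.org", "carol@example.org"),
    "lookalike": Message("mx.example.org", "dave@notyourdomain.com"),
}

if __name__ == "__main__":
    for name, msg in SAMPLES.items():
        print(f"{name:10} -> {'yes' if is_definitely_spam(msg) else 'no'}")
```

A legitimate sender who uses a yourdomain.com address from an outside host (a hosted service or a list relay, for example) takes the same path as the forged case, so those hosts would need their own "no" rule above the second line.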

