How to detect forged From and Reply-to addresses from your own domain

Daniel Straka Dstraka at
Fri Mar 5 20:24:04 GMT 2010


This is working quite well on the MailScanner server that only receives messages. What might be the drawbacks to leaving this rule in place? I haven't seen any FPs yet and it's marked a thousand messages as spam already. If there aren't really any drawbacks... would there be a similar rule for a MailScanner server that receives and sends mail for our domain?

Thanks so much...Dan

>>> On 3/5/2010 at 9:25 AM, in message
7E.2020105 at>, Julian Field <MailScanner at>
> All you can check for is that they come from hosts outside your domain, 
> and have a sender address that includes your domain.
> You can mark those as spam.
> From: and From: no
> From: yes
> FromOrTo: default no
> and put that as a ruleset for "Is Definitely Spam =".
> The "" means "IP addresses which resolve to hostnames 
> ending in". It's the same as the old "10.3." way of 
> specifying IP addresses, but uses DNS so you don't have to put in silly 
> numbers.
> The "" means "email messages whose sender address ends in 
> On 05/03/2010 16:00, Daniel Straka wrote:
>> We are receiving a ton of SPAM where the From and/or Reply-to addresses have
>> been forged so they appear to have come from users in our own domain. Of
>> course, these BC several users at a time. Is there any way to detect these
>> with MailScanner?
>> Thanks,
> Jules
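
The decision logic of the three rules described in the quoted reply, modelled in Python as an added example (not code from the thread or from MailScanner). It assumes rules are tried top to bottom with the first match winning; example.com stands in for "your domain", and the hostnames and addresses are constructed.

```python
from fnmatch import fnmatch

OWN_DOMAIN = "example.com"  # placeholder for "your domain", not from the thread


def host_in_domain(hostname, domain):
    """True if the connecting IP resolves to the domain or a name ending in .domain."""
    if not hostname:  # no reverse DNS: the host cannot be shown to be inside
        return False
    hostname = hostname.lower().rstrip(".")
    return hostname == domain or hostname.endswith("." + domain)


def sender_in_domain(sender, domain):
    """True if the sender address ends in @domain."""
    return fnmatch(sender.lower(), "*@" + domain)


# (predicate over (hostname, sender), value for "Is Definitely Spam")
RULES = [
    # inside host AND own-domain sender: legitimate internal mail
    (lambda h, s: host_in_domain(h, OWN_DOMAIN) and sender_in_domain(s, OWN_DOMAIN), False),
    # own-domain sender that fell through rule 1, so it came from outside
    (lambda h, s: sender_in_domain(s, OWN_DOMAIN), True),
    # default: leave everything else to the normal spam checks
    (lambda h, s: True, False),
]


def is_definitely_spam(hostname, sender):
    for predicate, result in RULES:
        if predicate(hostname, sender):
            return result
    return False


SAMPLES = [  # constructed (resolved hostname, sender address) pairs
    ("mail.example.com", "alice@example.com"),
    ("host.bulk.example.net", "alice@example.com"),
    (None, "bob@example.com"),
    ("mx.example.org", "carol@example.org"),
    ("mail.notexample.com", "alice@example.com"),
]

if __name__ == "__main__":
    for host, sender in SAMPLES:
        print(f"{host!s:24} {sender:20} -> {is_definitely_spam(host, sender)}")
```

Swapping the first two rules would mark internal mail as spam too, since the sender-only rule would match before the host check is reached.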
