How to detect forged From and Reply-to addresses from your own domain

Daniel Straka Dstraka at caspercollege.edu
Fri Mar 5 20:24:04 GMT 2010


Jules,

This is working quite well on the MailScanner server that only receives messages. What might be the drawbacks to leaving this rule in place? I haven't seen any FPs yet and it's marked a thousand messages as spam already. If there aren't really any drawbacks... would there be a similar rule for a MailScanner server that receives and sends mail for our domain?

Thanks so much...Dan



>>> On 3/5/2010 at 9:25 AM, in message
<EMEW3|e357f65e924151aa18a0541db25d74dfm24GPZ0bMailScanner|ecs.soton.ac.uk|4B913
7E.2020105 at ecs.soton.ac.uk>, Julian Field <MailScanner at ecs.soton.ac.uk>
wrote:
> All you can check for is that they come from hosts outside your domain, 
> and have a sender address that includes your domain.
> 
> You can mark those as spam.
> 
> From: host:yourdomain.com and From: yourdomain.com no
> From: yourdomain.com yes
> FromOrTo: default no
> 
> and put that as a ruleset for "Is Definitely Spam =".
> 
> The "host:yourdomain.com" means "IP addresses which resolve to hostnames 
> ending in yourdomain.com". It's the same as the old "10.3." way of 
> specifying IP addresses, but uses DNS so you don't have to put in silly 
> numbers.
> The "yourdomain.com" means "email messages whose sender address ends in 
> yourdomain.com".
> 
> On 05/03/2010 16:00, Daniel Straka wrote:
>> We are receiving a ton of SPAM where the From and/or Reply-to addresses have
>> been forged so they appear to have come from users in our own domain. Of
>> course, these BC several users at a time. Is there any way to detect these
>> with MailScanner?
>>
>> Thanks,
>>
>>    
> 
> Jules
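
Added example, not part of the original thread and not MailScanner code: a small Python model of the three-line ruleset quoted above, run over constructed messages to show which traffic each rule catches. It assumes first-match-wins evaluation, takes the connecting host's reverse-DNS name from the sample data instead of doing a lookup, and matches the domain on a label boundary; all function names and sample hosts are hypothetical.

```python
# Model of the three-line ruleset quoted above: rules are tried top to
# bottom and the first one that matches decides (assumed semantics).
DOMAIN = "yourdomain.com"  # placeholder domain, as in the quoted ruleset

def in_domain(name, domain=DOMAIN):
    """True if name is the domain or a subdomain (label-boundary match,
    a choice made for this model)."""
    name = name.lower().rstrip(".")
    return name == domain or name.endswith("." + domain)

def sender_domain(address):
    """Part of the address after the last '@'."""
    return address.rsplit("@", 1)[-1]

def is_definitely_spam(client_rdns, sender):
    """client_rdns: hostname the connecting IP resolves to ('' if none).
    sender: the sender address the ruleset is matched against."""
    from_us = in_domain(sender_domain(sender))
    # From: host:yourdomain.com and From: yourdomain.com   no
    if client_rdns and in_domain(client_rdns) and from_us:
        return False
    # From: yourdomain.com   yes
    if from_us:
        return True
    # FromOrTo: default   no
    return False

# Constructed sample traffic: (description, client rDNS, sender address)
SAMPLES = [
    ("internal relay, own sender", "mail1.yourdomain.com", "alice@yourdomain.com"),
    ("outside host forging own sender", "host-203-0-113-7.example.net", "bob@yourdomain.com"),
    ("outside host, no rDNS, own sender", "", "carol@yourdomain.com"),
    ("ordinary inbound mail", "mx.example.org", "dave@example.org"),
    ("own user via outside provider", "smtp.newsletter-vendor.example", "news@yourdomain.com"),
    ("look-alike domain", "mx.example.org", "eve@notyourdomain.com"),
]

def classify_all(samples=SAMPLES):
    """Map each sample description to its 'Is Definitely Spam' verdict."""
    return {desc: is_definitely_spam(rdns, sender) for desc, rdns, sender in samples}

if __name__ == "__main__":
    for desc, verdict in classify_all().items():
        print(f"{'spam' if verdict else 'pass':4}  {desc}")
```

The "own user via outside provider" row is the false-positive case to look for before leaving the rule in place: any legitimate mail that uses your domain as sender but arrives from a host whose reverse DNS is not in your domain matches the second rule. The same applies to an internal host with missing or wrong reverse DNS, as in the "no rDNS" row.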


