<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML xmlns="http://www.w3.org/TR/REC-html40" xmlns:o =
"urn:schemas-microsoft-com:office:office" xmlns:w =
"urn:schemas-microsoft-com:office:word"><HEAD>
<META http-equiv=Content-Type content="text/html; charset=us-ascii">
<META content="MSHTML 6.00.6000.16788" name=GENERATOR>
<STYLE>@page Section1 {size: 612.0pt 792.0pt; margin: 72.0pt 90.0pt 72.0pt 90.0pt; }
P.MsoNormal {
        FONT-SIZE: 12pt; MARGIN: 0cm 0cm 0pt; FONT-FAMILY: "Times New Roman"
}
LI.MsoNormal {
        FONT-SIZE: 12pt; MARGIN: 0cm 0cm 0pt; FONT-FAMILY: "Times New Roman"
}
DIV.MsoNormal {
        FONT-SIZE: 12pt; MARGIN: 0cm 0cm 0pt; FONT-FAMILY: "Times New Roman"
}
A:link {
        COLOR: blue; TEXT-DECORATION: underline
}
SPAN.MsoHyperlink {
        COLOR: blue; TEXT-DECORATION: underline
}
A:visited {
        COLOR: purple; TEXT-DECORATION: underline
}
SPAN.MsoHyperlinkFollowed {
        COLOR: purple; TEXT-DECORATION: underline
}
P.MsoAutoSig {
        FONT-SIZE: 12pt; MARGIN: 0cm 0cm 0pt; FONT-FAMILY: "Times New Roman"
}
LI.MsoAutoSig {
        FONT-SIZE: 12pt; MARGIN: 0cm 0cm 0pt; FONT-FAMILY: "Times New Roman"
}
DIV.MsoAutoSig {
        FONT-SIZE: 12pt; MARGIN: 0cm 0cm 0pt; FONT-FAMILY: "Times New Roman"
}
SPAN.EmailStyle18 {
        COLOR: windowtext; FONT-FAMILY: Arial; mso-style-type: personal-compose
}
DIV.Section1 {
        page: Section1
}
</STYLE>
</HEAD>
<BODY lang=EN-US vLink=purple link=blue>
<DIV dir=ltr align=left><FONT face=Arial size=2><SPAN
class=204565513-21012009>These rules were posted by Tom Brown to the SARE Users
mailing list recently (and to the spamassassin users list by Michael
Hutchinson):</SPAN></FONT></DIV>
<DIV dir=ltr align=left><FONT face=Arial size=2><SPAN
class=204565513-21012009></SPAN></FONT> </DIV>
<DIV dir=ltr align=left><FONT face=Arial size=2><SPAN class=204565513-21012009>
<P class=MsoNormal><FONT face="Times New Roman" size=3><SPAN lang=EN-NZ
style="FONT-SIZE: 12pt">Subject: [Sare-users] forged
bounces...<o:p></o:p></SPAN></FONT></P>
<P class=MsoNormal><FONT face="Courier New" size=2><SPAN lang=EN-NZ
style="FONT-SIZE: 10pt; FONT-FAMILY: 'Courier New'"><o:p> </o:p></SPAN></FONT></P>
<P class=MsoNormal><FONT face="Courier New" size=2><SPAN lang=EN-NZ
style="FONT-SIZE: 10pt; FONT-FAMILY: 'Courier New'">these rules might be
useful. I woke up to a slew of these in my
inbox...<o:p></o:p></SPAN></FONT></P>
<P class=MsoNormal><FONT face="Courier New" size=2><SPAN lang=EN-NZ
style="FONT-SIZE: 10pt; FONT-FAMILY: 'Courier New'">my thinking in the score of
1 for TOM_TO_EQ_FR is that legit messages of this form should look VERY legit
and be unlikely to score high...<o:p></o:p></SPAN></FONT></P>
<P class=MsoNormal><FONT face="Courier New" size=2><SPAN lang=EN-NZ
style="FONT-SIZE: 10pt; FONT-FAMILY: 'Courier New'"><o:p> </o:p></SPAN></FONT></P>
<P class=MsoNormal><FONT face="Courier New" size=2><SPAN lang=EN-NZ
style="FONT-SIZE: 10pt; FONT-FAMILY: 'Courier New'">header
__TOM_TO_EQ_FRa ALL =~
m/^From:\s+?&lt;?(.+@.+)&gt;?(\s|$)[^\0]*^To:.*\1/m<o:p></o:p></SPAN></FONT></P>
<P class=MsoNormal><FONT face="Courier New" size=2><SPAN lang=EN-NZ
style="FONT-SIZE: 10pt; FONT-FAMILY: 'Courier New'">header
__TOM_TO_EQ_FRb ALL =~
m/^To:\s+?&lt;?(.+@.+)&gt;?(\s|$)[^\0]*^From:.*\1/m<o:p></o:p></SPAN></FONT></P>
<P class=MsoNormal><FONT face="Courier New" size=2><SPAN lang=EN-NZ
style="FONT-SIZE: 10pt; FONT-FAMILY: 'Courier New'">meta
TOM_TO_EQ_FR __TOM_TO_EQ_FRa || __TOM_TO_EQ_FRb<o:p></o:p></SPAN></FONT></P>
<P class=MsoNormal><FONT face="Courier New" size=2><SPAN lang=EN-NZ
style="FONT-SIZE: 10pt; FONT-FAMILY: 'Courier New'">score
TOM_TO_EQ_FR 1<o:p></o:p></SPAN></FONT></P>
<P class=MsoNormal><FONT face="Courier New" size=2><SPAN lang=EN-NZ
style="FONT-SIZE: 10pt; FONT-FAMILY: 'Courier New'">describe TOM_TO_EQ_FR To and
From are the same, could be a cc or a forgery<o:p></o:p></SPAN></FONT></P>
<P class=MsoNormal><FONT face="Courier New" size=2><SPAN lang=EN-NZ
style="FONT-SIZE: 10pt; FONT-FAMILY: 'Courier New'"><o:p> </o:p></SPAN></FONT></P>
<P class=MsoNormal><FONT face="Courier New" size=2><SPAN lang=EN-NZ
style="FONT-SIZE: 10pt; FONT-FAMILY: 'Courier New'">header
__TOM_BOUNCE Subject =~ /(This mail is refused message|\*\*Message you sent
blocked by our bulk email filter\*\*|Your message could not be delivered|Non
delivery report: 5.9.4 \(Spam SLS\/RBL\)|Please confirm your message|Returned
mail: Quota exceeded)/<o:p></o:p></SPAN></FONT></P>
<P class=MsoNormal><FONT face="Courier New" size=2><SPAN lang=EN-NZ
style="FONT-SIZE: 10pt; FONT-FAMILY: 'Courier New'"><o:p> </o:p></SPAN></FONT></P>
<P class=MsoNormal><FONT face="Courier New" size=2><SPAN lang=EN-NZ
style="FONT-SIZE: 10pt; FONT-FAMILY: 'Courier New'">meta
TOM_BAD_BOUNCE __TOM_BOUNCE &amp;&amp; TOM_TO_EQ_FR<o:p></o:p></SPAN></FONT></P>
<P class=MsoNormal><FONT face="Courier New" size=2><SPAN lang=EN-NZ
style="FONT-SIZE: 10pt; FONT-FAMILY: 'Courier New'">describe TOM_BAD_BOUNCE
looks like a forged bounce (known sub and to==from)<o:p></o:p></SPAN></FONT></P>
<P class=MsoNormal><FONT face="Courier New" size=2><SPAN lang=EN-NZ
style="FONT-SIZE: 10pt; FONT-FAMILY: 'Courier New'">score
TOM_BAD_BOUNCE 2.5<o:p></o:p></SPAN></FONT></P>
<P class=MsoNormal><FONT face="Courier New" size=2><SPAN lang=EN-NZ
style="FONT-SIZE: 10pt; FONT-FAMILY: 'Courier New'"><o:p> </o:p></SPAN></FONT></P>
<P class=MsoNormal><FONT face="Times New Roman" size=3><SPAN lang=EN-NZ
style="FONT-SIZE: 12pt"><o:p> <SPAN class=204565513-21012009><FONT
face=Arial size=2>Cheers,</FONT></SPAN></o:p></SPAN></FONT></P>
<P class=MsoNormal><FONT face="Times New Roman" size=3><SPAN lang=EN-NZ
style="FONT-SIZE: 12pt"><o:p><SPAN
class=204565513-21012009></SPAN></o:p></SPAN></FONT> </P>
<P class=MsoNormal><FONT face="Times New Roman" size=3><SPAN lang=EN-NZ
style="FONT-SIZE: 12pt"><o:p><SPAN
class=204565513-21012009>Phil</SPAN></o:p></SPAN></FONT></P>
<P class=MsoNormal></SPAN></FONT><FONT face=Arial><FONT size=2><SPAN
class=204565513-21012009>-</SPAN>-</FONT></FONT> <BR><FONT face=Arial
size=2>Phil Randal | Networks Engineer</FONT> <BR><FONT face=Arial
size=2>Herefordshire Council | Deputy Chief Executive's Office | I.C.T. Services
Division</FONT> <BR><FONT face=Arial size=2>Thorn Office Centre, Rotherwas,
Hereford, HR2 6JT</FONT> <BR><FONT face=Arial size=2>Tel: 01432 260160</FONT>
<BR><FONT face=Arial size=2>email: prandal@herefordshire.gov.uk</FONT>
</P></DIV>
<DIV> </DIV><BR>
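<P><FONT face=Arial size=2>Added example, not part of the posted rules: a Python re-implementation of TOM_TO_EQ_FR and TOM_BAD_BOUNCE for trying the scoring logic on sample headers outside SpamAssassin. It goes slightly beyond the posted regexes by parsing addresses with the standard library and comparing them case-insensitively (an assumption); the function names and the sample messages are constructed for illustration.</FONT></P>
<PRE>
```python
import re
from email import message_from_string
from email.utils import formataddr, getaddresses

# Subject alternatives copied from the __TOM_BOUNCE rule on this page.
BOUNCE_SUBJECT = re.compile(
    r"(This mail is refused message"
    r"|\*\*Message you sent blocked by our bulk email filter\*\*"
    r"|Your message could not be delivered"
    r"|Non delivery report: 5.9.4 \(Spam SLS/RBL\)"
    r"|Please confirm your message"
    r"|Returned mail: Quota exceeded)"
)


def addresses(msg, header):
    """Lower-cased addresses from every occurrence of one header."""
    pairs = getaddresses(msg.get_all(header, []))
    return {addr.lower() for _name, addr in pairs if "@" in addr}


def score(raw):
    """Return (total score, rules hit) for one raw message."""
    msg = message_from_string(raw)
    hits, total = [], 0.0
    # TOM_TO_EQ_FR: some To address also appears in From (score 1).
    if not addresses(msg, "From").isdisjoint(addresses(msg, "To")):
        hits.append("TOM_TO_EQ_FR")
        total += 1.0
        # TOM_BAD_BOUNCE: known bounce subject AND to == from (score 2.5).
        if BOUNCE_SUBJECT.search(msg.get("Subject", "")):
            hits.append("TOM_BAD_BOUNCE")
            total += 2.5
    return total, hits


def sample(sender, recipient, subject):
    """Build a constructed test message (not real traffic)."""
    return "From: %s\nTo: %s\nSubject: %s\n\nbody\n" % (sender, recipient, subject)


# Constructed inputs: address with a display name, built with formataddr.
FRED = formataddr(("Fred", "fred@example.com"))
FORGED_BOUNCE = sample(FRED, "FRED@example.com", "Returned mail: Quota exceeded")
SELF_NOTE = sample(FRED, FRED, "notes to self")
REAL_BOUNCE = sample("MAILER-DAEMON@mx.example.net", FRED,
                     "Returned mail: Quota exceeded")

if __name__ == "__main__":
    for raw in (FORGED_BOUNCE, SELF_NOTE, REAL_BOUNCE):
        print(score(raw))
```
</PRE>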
<DIV class=OutlookMessageHeader lang=en-us dir=ltr align=left>
<HR tabIndex=-1>
<FONT face=Tahoma size=2><B>From:</B> mailscanner-bounces@lists.mailscanner.info
[mailto:mailscanner-bounces@lists.mailscanner.info] <B>On Behalf Of
</B>dw@lker.co.uk<BR><B>Sent:</B> 21 January 2009 13:40<BR><B>To:</B>
mailscanner@lists.mailscanner.info<BR><B>Subject:</B> Spam
Problem<BR></FONT><BR></DIV>
<DIV></DIV>
<DIV class=Section1>
<P class=MsoNormal><FONT face=Arial size=2><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: Arial"><o:p> </o:p></SPAN></FONT></P>
<P class=MsoNormal><FONT face="Courier New" size=2><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: 'Courier New'">Hi<o:p></o:p></SPAN></FONT></P>
<P class=MsoNormal><FONT face="Courier New" size=2><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: 'Courier New'"><o:p> </o:p></SPAN></FONT></P>
<P class=MsoNormal><FONT face="Courier New" size=2><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: 'Courier New'"> Can anyone tell me how
I can adjust mailscanner settings to help cure our current SPAM
problem?<o:p></o:p></SPAN></FONT></P>
<P class=MsoNormal><FONT face="Courier New" size=2><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: 'Courier New'"><o:p> </o:p></SPAN></FONT></P>
<P class=MsoNormal><FONT face="Courier New" size=2><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: 'Courier New'">We are being plagued with
emails that are sent with the address of our users, but not from our mailserver.
<o:p></o:p></SPAN></FONT></P>
<P class=MsoNormal><FONT face="Courier New" size=2><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: 'Courier New'">Basically an email is sent
to the user fred@domain from fred@domain. <o:p></o:p></SPAN></FONT></P>
<P class=MsoNormal><FONT face="Courier New" size=2><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: 'Courier New'">All 8 users seem to have the
same problem, so we are assuming that someone has had a virus at some point. The
return address is the same as the recipient, but the email server in the header
file is NOT our mailserver. These are not just bounced emails, they are from and
to the same person.<o:p></o:p></SPAN></FONT></P>
<P class=MsoNormal><FONT face="Courier New" size=2><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: 'Courier New'">Unfortunately we are
receiving 100’s each per day.<o:p></o:p></SPAN></FONT></P>
<P class=MsoNormal><FONT face="Courier New" size=2><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: 'Courier New'"><o:p> </o:p></SPAN></FONT></P>
<P class=MsoNormal><FONT face="Courier New" size=2><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: 'Courier New'">There will NEVER be a case
where an email would be sent by one of our users (i.e. with our domain email
addresses) unless the email originated from our
mailserver.<o:p></o:p></SPAN></FONT></P>
<P class=MsoNormal><FONT face="Courier New" size=2><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: 'Courier New'"><o:p> </o:p></SPAN></FONT></P>
<P class=MsoNormal><FONT face="Courier New" size=2><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: 'Courier New'">Can I set mailscanner to
somehow delete an email if it has one of our sender addresses but does not
ORIGINATE from our server? <o:p></o:p></SPAN></FONT></P>
<P class=MsoNormal><FONT face="Courier New" size=2><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: 'Courier New'">I have tried the watermark
feature thinking that would help but I think I'm
mistaken.<o:p></o:p></SPAN></FONT></P>
<P class=MsoNormal><FONT face="Courier New" size=2><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: 'Courier New'"><o:p> </o:p></SPAN></FONT></P>
<P class=MsoNormal><FONT face="Courier New" size=2><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: 'Courier New'">Thanks<o:p></o:p></SPAN></FONT></P>
<P class=MsoNormal><FONT face="Courier New" size=2><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: 'Courier New'"><o:p> </o:p></SPAN></FONT></P>
<P class=MsoNormal><FONT face="Courier New" size=2><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: 'Courier New'">Darren<o:p></o:p></SPAN></FONT></P>
<P class=MsoNormal><FONT face="Courier New" size=2><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: 'Courier New'"><o:p> </o:p></SPAN></FONT></P>
<P class=MsoNormal><FONT face=Arial size=2><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: Arial"><o:p> </o:p></SPAN></FONT></P>
<P class=MsoNormal><FONT face="Times New Roman" size=3><SPAN
style="FONT-SIZE: 12pt"><o:p> </o:p></SPAN></FONT></P></DIV></BODY></HTML>