On Thu, May 06, 2010 at 08:02:13AM -0500, J.D. Bronson wrote:
> I am seeing random spam come in with this consistent type of 'from':
If it's consistent, it's not quite random. :) What other
characteristics do these share? I bet there are other ways to block
this.
> (r...@www.cheapquotesonline.com)
> (r...@chat.biznizpro.com)
> (r...@safetyaboutonline.net)
>
> ..they all begin with 'ret@' and I need some help creating a
> header_check (and/or body check) to catch this.
What was the envelope sender address? Different? If not, I'm betting
that a reject_rhsbl_sender lookup at DBL or other lists might work
for some of them.
Since a RHSBL would tend to list the parent domains, this might be
better done by a policy service, to strip the "www." and "chat."
hostname parts.
> I tried this, but it didnt work:
>
> /^From:.ret@/ REJECT unsolicited email
Even if adjusted to match the actual string, I don't think this is
safe. I can imagine there are legitimate senders with a localpart
"ret". Maybe someone's initials, or a nickname ...
--
Offlist mail to this address is discarded unless
"/dev/rob0" or "not-spam" is in Subject: header
