Jerry wrote:
> We are getting a lot of spam mail from countries outside of the US.
> Anyone have a list of what country domain extensions are fairly Ok to
> block? We don't have a lot of users who receive mail from outside the
> US. We'd like to cut down on spam/spoof/virus messages.
>
> Currently I am blocking all mails from = *.nl *.br *.ch etc..
Personally, I find it unreasonable to outright block any country. The problem being if you post on a list like, say, users@spamassassin.apache.org, an off-list reply can come to you with help from *anywhere* in the world. For example, you might think it safe to block Ireland, not knowing anyone from there. However, if Justin Mason emailed you off-list about a SA problem, you'd be blocking him. Unless you can prove you strictly don't ever communicate with anyone from a given country (including mailing lists), and never want to use any OSS with any developers in that country, you're pretty much not safe blocking it.

That said, I do use ACLs in milter-greylist to greylist all of apnic and lacnic, as well as a variety of DUL networks in the US and EU, as well as any host with no RDNS. The greylist takes care of a lot of the spam without blocking legitimate mail; although a couple of legitimate messages are hit each week, they only get delayed, not dropped.

Thus far this week 10,181 messages were greylisted by my setup. Of those, 376 retried and were delivered. Of those, 316 were tagged as spam by SA, and 51 were not. A few of the 51 were SA FNs, but none of the 316 appear to be SA FPs.

> Also, is there a special rule to detect messages like the one below?

Yeah, it's called a virus scanner. That's a mytob variant virus message.
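The greylisting policy described in the reply above (temp-fail first contact from listed networks or from hosts with no reverse DNS, accept once the sender retries), as an added illustration that is neither the poster's milter-greylist configuration nor that tool's code; the networks, reverse-DNS table and traffic below are all constructed.

```python
"""Greylisting decision logic modelled on the reply above: temporarily reject
(SMTP 451) first contact from configured networks or hosts without rDNS, and
accept once the sender retries after the delay. Added example, not
milter-greylist; every network, host and rDNS entry here is constructed."""
import ipaddress

# Constructed stand-ins for the greylisted ranges (the poster lists APNIC and
# LACNIC space plus dial-up pools; real ranges come from the registries).
GREYLIST_NETS = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "198.51.100.0/25")]
GREYLIST_DELAY = 30 * 60          # seconds a sender must wait before retrying
# Constructed reverse-DNS table; an address missing here has no PTR record.
RDNS = {"192.0.2.10": "mail.example.com", "203.0.113.5": "smtp.example.net"}


class Greylister:
    def __init__(self, delay=GREYLIST_DELAY):
        self.delay = delay
        self.seen = {}            # (ip, sender, rcpt) -> time of first attempt

    def needs_greylist(self, ip):
        """Apply the ACLs: no rDNS, or inside a listed network -> greylist."""
        if ip not in RDNS:
            return True
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in GREYLIST_NETS)

    def decide(self, ip, sender, rcpt, now):
        """Return 'accept' or 'tempfail' for one delivery attempt at time now."""
        if not self.needs_greylist(ip):
            return "accept"
        first = self.seen.setdefault((ip, sender, rcpt), now)
        # A real MTA queues and retries; most spam engines never come back.
        return "accept" if now - first >= self.delay else "tempfail"


def simulate(attempts):
    """Replay (time, ip, sender, rcpt) tuples and report the two counts the
    reply quotes: tuples greylisted, and how many of those later got through."""
    g, greylisted, delivered = Greylister(), set(), set()
    for now, ip, sender, rcpt in sorted(attempts):
        key = (ip, sender, rcpt)
        if g.decide(ip, sender, rcpt, now) == "tempfail":
            greylisted.add(key)
        elif key in greylisted:
            delivered.add(key)
    return {"greylisted": len(greylisted), "retried_and_delivered": len(delivered)}


# Constructed traffic: one legitimate MTA that retries, one spam engine that never does.
SAMPLE = [
    (0, "203.0.113.5", "alice@example.net", "bob@example.org"),
    (0, "198.51.100.77", "junk@example.com", "bob@example.org"),
    (0, "192.0.2.10", "carol@example.com", "bob@example.org"),
    (1800, "203.0.113.5", "alice@example.net", "bob@example.org"),
]
```

Running `simulate(SAMPLE)` reports two greylisted tuples of which one was retried and delivered, mirroring the greylisted/retried split the reply gives for its own week.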