Robert Swan wrote:
OK the rule to block an unknown or a mail server without a PTR works
great:

header LOCAL_INVALID_PTR2 Received =~ /from \S+ \(unknown /
score LOCAL_INVALID_PTR2 2
describe LOCAL_INVALID_PTR2 Header contains no PTR2

Now how can I make a rule to score if the PTR is different than the
reported mail server like the SPAMMER below?:

Received: from cirencester.co.uk (c204131.adsl.hansenet.de [213.39.204.131])

I would advise against scoring items like that. Want to see an example
of a legitimate system looking like that? Look at the headers for this
message. Here is one of the lines from your message coming in to my
system through this list:

Received: from mail.apache.org (hermes.apache.org [209.237.227.199])

Here we're lucky and the domain is at least the same, but there is no
need for that to even happen. Especially when you think about virtual
hosting.

Richard
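
Added example, not part of the original thread: a Python script that classifies Received lines by how the HELO name relates to the PTR name, so the two lines quoted above can be compared with a virtual-hosting case. The suffix set, the function names and the sample lines marked as constructed are assumptions made for illustration.

```python
import re

# Matches the "from HELO (rdns [ip])" form of the Received lines quoted in the thread.
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+\((?P<rdns>\S+)\s+\[(?P<ip>[0-9a-fA-F.:]+)\]\)"
)

# Constructed sample of two-label public suffixes (assumption); a production
# check would consult the full Public Suffix List instead.
TWO_LABEL_SUFFIXES = {"co.uk", "org.uk", "ac.uk", "com.au"}


def registered_domain(host):
    """Return the registrable domain of host, using the sample suffix set."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def classify_received(line):
    """Classify how the HELO name relates to the reverse-DNS (PTR) name."""
    m = RECEIVED_RE.search(line)
    if m is None:
        return "unparsed"
    helo, rdns = m.group("helo"), m.group("rdns")
    if rdns.lower() == "unknown":
        return "no_ptr"            # the case the LOCAL_INVALID_PTR2 rule scores
    if helo.lower() == rdns.lower():
        return "exact_match"
    if registered_domain(helo) == registered_domain(rdns):
        return "same_domain"       # e.g. the list server's line in the thread
    return "different_domain"


SAMPLES = [
    "Received: from mail.example.net (unknown [192.0.2.10])",  # constructed
    "Received: from cirencester.co.uk (c204131.adsl.hansenet.de [213.39.204.131])",
    "Received: from mail.apache.org (hermes.apache.org [209.237.227.199])",
    # constructed: a customer domain relayed through a shared hosting provider
    "Received: from mail.customer.example (host7.provider.example [198.51.100.7])",
]

if __name__ == "__main__":
    for line in SAMPLES:
        print(f"{classify_received(line):17} {line}")
```

The constructed virtual-hosting line lands in the same class as the spammer line, which is why a mismatch alone does not separate the two.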