On 03/13/2012 07:02 AM, m.roth at 5-cent.us wrote: > Ross Walker wrote: >> On Mar 12, 2012, at 5:25 PM, m.roth at 5-cent.us wrote: >> >>> Here's a question: is there any way to inspect an email's headers, and >>> reject it if the alleged FWDN in the From:" doesn't match the oldest >>> "Received: "? >> That would be problematic with dual homed mail gateways that received on >> internal interface and delivered on external interface that had different >> host names on each. >> > I'm just trying to think of ways around a blacklist... *esp* the way > dnsorb does, where they'll blacklist an entire block that belongs to a > hosting provider, who provides one external delivery address. > > mark "why, yes, that has happened to me several times" > > _______________________________________________ > CentOS mailing list > CentOS at centos.org > http://lists.centos.org/mailman/listinfo/centos Ok, so it wouldn't work to just use the oldest received, but a smarter inspection could check to see weather it actually passed through a server owned by the claimed domain. The reality is that what is need is to input this into a scoring system weighted with other spam evaluation mechanisms, something like spamassassin. The downside of spamassasin is that it is costly to run and must be run after the message is accepted by the smtp server. There already exist so many different spam control methods, many of them can run at the smtp level and reject mail prior to accepting. I get pretty decent rejection from greylisting. Postscreen is supposed to be quite good for detecting any kind of bot attacks. I'm currently using other techniques for bot attacks, but plan on switching to postscreen. I also run fail2ban and block IP addresses when I get repeated smtp errors from an IP, this substantially reduces any kind of bulk spam attack which attempts to guess valid mail recipients. I would look at the milter that Les mentioned. I haven't had a a chance yet. Nataraj