In a perfect BOFH world, I would just block 211.0.0.0/8 :D But, I'd say the best way to filter out that subject line would be just by using the the Imail filters. It's very unlikely that a legit message would ever use that *exact* subject, so I think you'd be okay.
Koree
Dan Geiser wrote:
Hello, All, I have a question concerning the best way to go about filtering out a specific e-mail message. For an overview of the current state of our spam filtering setup please see an e-mail I just sent to the list with the subject "Where I'm At Now and Where Should I Be Going?".
OK, below I have included the headers for an e-mail that one of my users forwarded to me. I have removed the username...
==================================================From <[EMAIL PROTECTED]> Fri Feb 28 00:58:23 2003Received: from SMTP32-FWD by pagerover.com (SMTP32) id A0000116C; Fri, 28 Feb 2003 00:58:23 -0500 Received: from mdkpower.dkpower.com [211.241.219.3] by pagerover.com with ESMTP (SMTPD32-6.06) id AA7C27540134; Fri, 28 Feb 2003 00:58:20 -0500 Received: from smtp0210.mail.yahoo.com ([206.169.238.250]) by mdkpower.dkpower.com with Microsoft SMTPSVC(5.0.2195.4453); Fri, 28 Feb 2003 15:01:02 +0900 Date: Fri, 28 Feb 2003 05:59:32 GMT From: "mcgough "<[EMAIL PROTECTED]> X-Priority: 3 To: <user>@pagerover.com Subject: Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Return-Path: [EMAIL PROTECTED] Message-ID: <[EMAIL PROTECTED]> X-OriginalArrivalTime: 28 Feb 2003 06:01:03.0063 (UTC) FILETIME=[C651D670:01C2DEEE] X-RBL-Warning: NOPOSTMASTER: Not supporting [EMAIL PROTECTED] X-RBL-Warning: IPNOTINMX: X-RBL-Warning: ROUTING: This E-mail was routed in a poor manner consistent with spam [6000110f]. X-RBL-Warning: SPAMHEADERS: This E-mail has headers consistent with spam [6000110f]. X-Declude-Sender: [EMAIL PROTECTED] [211.241.219.3] X-Note: This E-mail was scanned by Declude JunkMail (www.declude.com) for spam. X-Spam-Tests-Failed: NOPOSTMASTER, IPNOTINMX, ROUTING, SPAMHEADERS [8] X-UIDL: 8513 Status: R ==================================================
The current "hold weight" for PAGEROVER.COM is WEIGHT12. Obviously the weight of this message is substantially lower than that.
I could use my SENDERBLOCK list to block this individual sender ([EMAIL PROTECTED]) but that seems to specific a solution, i.e. a waste of a perfectly good entry which could so so much more. And I can't go too general and use the domain (comcast.net) because I'm sure there's much legitimate e-mail emanating from the domain name. I know there has to be a test built into Declude for situations like this but I'm not quite sure where to look. Does anyone have a suggestion as to how they would handle this situation?
All feedback is appreciated.
Thanks, Much! Dan Geiser [EMAIL PROTECTED]
==================================================================== This E-mail is scanned and free from viruses. www.nexustechgroup.com
--- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]
--- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com.
--- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]
--- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com.
