Greg,

I like your thinking very much here.  Unfortunately this requires knowing all the possible outgoing servers for all of your clients, and because I'm gatewaying a bunch of E-mail, that is near impossible to keep up with.  I'm not about to give up on the idea though.

My BOUNCER filter that I described is very effective at handling NDRs when they contain original content, even if it is just the headers oftentimes, but yesterday some child porn spammer used a real E-mail address of a customer and generated about 500 bounces, and I estimate that about 50 got through because they contained no content in the bounce, such as NDRs sent by AOL.  Your filter might be a good way to manage the situation for individual domains that are having problems with real addresses being used, and implemented per-domain when a problem arises.  I'm wondering if you are aware of any NDRs that are getting through your setup, i.e. ones that don't contain the headers.

Thanks,

Matt



System Administrator wrote:
on 5/6/04 10:10 AM, Douglas Cohn wrote:

  
Why are we looking for the beginning of an IP address?
    

Our users were receiving a lot of messages like this ...

  
Unknown user: [EMAIL PROTECTED]


Original message follows.

Received: from 0016190464.com [67.96.70.122] by mx2.acsworld.net
  (SMTPD32-8.05) id AC92E01A0136; Sat, 01 May 2004 17:54:26 -0400
Date: Sat, 01 May 2004 16:52:51 -0600
To: [EMAIL PROTECTED]
Subject: Hidden message
From: [EMAIL PROTECTED]
Message-ID: <[EMAIL PROTECTED]>
MIME-Version: 1.0
Content-Type: multipart/mixed;
      

which indicates that [EMAIL PROTECTED] sent a message to
[EMAIL PROTECTED]. However, that really didn't happen.

The message contains "Unknown user", has headers but does not have the IP or
name of our outgoing mail server in those original headers, so the message
wasn't actually sent by an ACSWorld user.

If they didn't send the original message, they don't want this message and
constantly explaining forging viruses, how they work, why the return message
gets returned, etc, was getting tiresome.

Later,
Greg

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---
This E-mail came from the Declude.Virus mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.Virus".    The archives can be found
at http://www.mail-archive.com.


  

-- 
=====================================================
MailPure custom filters for Declude JunkMail Pro.
http://www.mailpure.com/software/
=====================================================
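
The check Greg describes, together with the header-less NDR gap Matt raises, as an added example (not code from either poster or from Declude). The `OUR_OUTBOUND` values, the function name and the sample bounces are constructed assumptions.

```python
import re

# Assumption for this example: the names/IPs our users' mail leaves through.
OUR_OUTBOUND = {"out.example.net", "192.0.2.25"}

# One Received: header, including folded continuation lines.
RECEIVED_RE = re.compile(r"^Received:[ \t]*(.*(?:\r?\n[ \t]+.*)*)", re.I | re.M)
# The "from <host> [ip]" clause names the host that handed the message over;
# the "by" host is the receiver and must not count as a match.
FROM_RE = re.compile(r"from\s+(.+?)\s+by\s", re.I | re.S)

def classify_bounce(body, outbound=OUR_OUTBOUND):
    """Classify an NDR body as 'ours', 'forged' or 'unverifiable'."""
    wanted = {o.lower() for o in outbound}
    parsed = False
    for hop in RECEIVED_RE.findall(body):
        m = FROM_RE.match(hop)
        if not m:
            continue
        parsed = True
        tokens = set(re.findall(r"[a-z0-9.-]+", m.group(1).lower()))
        if tokens & wanted:
            return "ours"      # original passed through our outgoing server
    # Headers present but none name our server: the sender was forged.
    # No usable headers at all (the empty-NDR case): cannot decide here.
    return "forged" if parsed else "unverifiable"

# Constructed sample bounces (documentation addresses, not real traffic).
FORGED = """Unknown user: nobody@example.org

Original message follows.

Received: from spam-host.example.com [198.51.100.7] by mx.example.net
  (SMTPD) id AAAA0000; Sat, 01 May 2004 17:54:26 -0400
Subject: Hidden message
"""
GENUINE = """Unknown user: typo@example.org

Original message follows.

Received: from out.example.net [192.0.2.25] by mx.remote.example
  id BBBB0000; Sat, 01 May 2004 18:01:02 -0400
Subject: Lunch
"""
BARE = "Delivery to the following recipient failed permanently.\n"

if __name__ == "__main__":
    for name, ndr in (("forged", FORGED), ("genuine", GENUINE), ("bare", BARE)):
        print(name, "->", classify_bounce(ndr))
```

The `unverifiable` result is the case that needs a separate policy, since a bounce with no returned headers gives this check nothing to compare.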
