OK, so I'm confused about how SA could catch this. URIBL or Razor isn't catching these because of how quickly they are going out (sure, a few days/hours later, running SA against the email will catch it), but that isn't the point. My question is: how can SA check the previous mail relay from specific sources (i.e. Yahoo, Hotmail and a few other free webmail providers)? Obviously you don't want to do this for every incoming email because of forged Received: headers; only from specific sources.
I think a new SA rule needs to be created... just not sure how to approach it.

Thanks.

-L

--
Larry Ludwig
Empowering Media
1-866-792-0489 x600
Have you visited our customer service blog? http://www.supportem.com/blog/

Again, no direct plugin for host IPs. You have to use URIBL and SURBL lookups. But the time from initial spam run to being listed is pretty quick. The IP you listed has been watched for over a month now. ;)

Thanks,

Chris Santerre
SysAdmin and Spamfighter
www.rulesemporium.com
www.uribl.com