On Wed, 2010-03-10 at 15:08 -0600, Dennis B. Hopp wrote:
> I meant blacklisting the sender address, not the MTA.
>

From what you're describing the senders are all forged by somebody who bought or stole a list of valid Hotmail etc. addresses and the corresponding addresses in your domain, so blacklisting anything is probably a bad idea because it wouldn't do anything except annoy the actual owner of the address.

> There isn't anything in common that I can see that wouldn't be
> susceptible to false positives. One even left the client's signature
> intact. I've written fairly simple custom rules before but I'm not sure
> how to do conditional rules. I'll have to dig into the docs a little
> more.
>

It's not conditional, just using a meta rule and negating the Reply-to test in the meta:
describe FORGED_HOTMAIL Hotmail with non-Hotmail Reply-to address
header __FORGED_HM1 From ~= /\@hotmail\.com/i
header __FORGED_HM2 Reply-to ~= /\@hotmail\.com/i
meta FORGED_HOTMAIL (__FORGED_HM1 && !__FORGED_HM2)
score FORGED_HOTMAIL 5.0

and write cookie-cutter rules for Yahoo and Gmail.

OTOH if you're happy that a Japanese test won't generate FPs you can cover all three ISPs with one rule:

describe FORGED_FROM Hotmail, Yahoo or Google with Japanese Reply-to
header __FF1 From ~= /\@(hotmail|yahoo|gmail)\.com/i
header __FF2 Reply-to ~= /\.jp/i
meta FORGED_FROM (__FF1 && __FF2)
score FORGED_FROM 5.0

Of course, if it's just a few Japanese ISPs being used you can easily make __FF2 more specific.

Martin
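Editor's added example (not code from the thread or from SpamAssassin itself): a small Python simulation of how SpamAssassin evaluates the header sub-rules and meta rules above, run over three constructed messages. It follows SpamAssassin's rule that a regex header test against a header that is absent simply does not match (no `[if-unset:]` is used here), which exposes a caveat in the first rule as posted: for a legitimate Hotmail mail with no Reply-To header at all, `__FORGED_HM2` does not fire, so `!__FORGED_HM2` is true and FORGED_HOTMAIL scores 5.0. The `__HAS_REPLYTO` sub-rule (the equivalent of `header __HAS_REPLYTO exists:Reply-To`) and the hardened meta rule that requires it are assumptions added here, not part of Martin's post; the sample messages are constructed.

```python
"""Simulate SpamAssassin header + meta rule evaluation for the rules in this thread."""
import re
from email import message_from_string

# Header sub-rules: name -> (header, compiled regex, or None for an exists: test).
# The regexes mirror the rules posted above; __HAS_REPLYTO is an assumed addition.
HEADER_RULES = {
    "__FORGED_HM1": ("From", re.compile(r"@hotmail\.com", re.I)),
    "__FORGED_HM2": ("Reply-To", re.compile(r"@hotmail\.com", re.I)),
    "__FF1": ("From", re.compile(r"@(hotmail|yahoo|gmail)\.com", re.I)),
    "__FF2": ("Reply-To", re.compile(r"\.jp", re.I)),
    "__HAS_REPLYTO": ("Reply-To", None),  # like: header __HAS_REPLYTO exists:Reply-To
}

# Meta rules exactly as posted: name -> (predicate over sub-rule hits, score).
META_AS_POSTED = {
    "FORGED_HOTMAIL": (lambda h: h["__FORGED_HM1"] and not h["__FORGED_HM2"], 5.0),
    "FORGED_FROM": (lambda h: h["__FF1"] and h["__FF2"], 5.0),
}

# Hardened variant (assumed, not from the thread): only negate the Hotmail
# Reply-To test when a Reply-To header is actually present.
META_HARDENED = {
    "FORGED_HOTMAIL": (
        lambda h: h["__FORGED_HM1"] and h["__HAS_REPLYTO"] and not h["__FORGED_HM2"],
        5.0,
    ),
    "FORGED_FROM": META_AS_POSTED["FORGED_FROM"],
}


def header_hits(raw):
    """Evaluate every header sub-rule against one raw RFC 822 message.

    As in SpamAssassin, a regex test on a header that is absent does not match.
    """
    msg = message_from_string(raw)
    hits = {}
    for name, (header, rx) in HEADER_RULES.items():
        value = msg.get(header)  # header lookup is case-insensitive
        if rx is None:
            hits[name] = value is not None
        else:
            hits[name] = value is not None and rx.search(value) is not None
    return hits


def score(raw, meta_rules):
    """Return (sorted list of fired meta rules, total score) for one message."""
    hits = header_hits(raw)
    fired = sorted(name for name, (pred, _) in meta_rules.items() if pred(hits))
    return fired, sum(meta_rules[name][1] for name in fired)


# Constructed sample messages (not real mail from the thread).
FORGED = (
    "From: Alice <alice@hotmail.com>\n"
    "Reply-To: someone@example.ne.jp\n"
    "Subject: hi\n\nbody\n"
)
LEGIT_NO_REPLYTO = "From: Alice <alice@hotmail.com>\nSubject: hi\n\nbody\n"
LEGIT_GMAIL = (
    "From: Bob <bob@gmail.com>\nReply-To: bob@gmail.com\nSubject: hi\n\nbody\n"
)

if __name__ == "__main__":
    samples = [
        ("forged Hotmail, .jp Reply-To", FORGED),
        ("legit Hotmail, no Reply-To", LEGIT_NO_REPLYTO),
        ("legit Gmail", LEGIT_GMAIL),
    ]
    for label, raw in samples:
        print(f"{label}: as posted {score(raw, META_AS_POSTED)}, "
              f"hardened {score(raw, META_HARDENED)}")
```

Running it shows the forged message scoring 10.0 under both rule sets (FORGED_HOTMAIL and FORGED_FROM both fire), while the legitimate Hotmail mail with no Reply-To scores 5.0 as posted but 0 under the hardened variant. A second thing worth checking before deploying the combined rule: `/\.jp/i` is unanchored, so it also matches strings like `.jpeg` inside a Reply-To value; anchoring it to the end of the address (for example `/\.jp>?\s*$/i`) or listing the specific Japanese ISPs, as Martin suggests, narrows it.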