[SGVLUG] Good howto on spam fighting.

Joel Witherspoon joel.witherspoon at gmail.com
Sun May 11 17:09:38 PDT 2008


Michael,

Most of the SPAM I receive at work comes from users with dynamic IPs who
manipulate the headers to appear as if they are a legitimate domain. If you
look at the *From* line in the header you'll see the ISP-issued hostname
followed by the IP address. That's a big no-no. If they don't have a PTR
record for mail, they are *PROBABLY* not legit. There are still some servers
that don't have PTR records (like the L.A. Sheriff's Department), so you'll
need to check your logs often. I usually send the postmaster a friendly
email asking him to talk to his ISP about the PTR record.

Here's a sample of my header filtering/block list. We use Barracuda, which
uses SpamAssassin and MailScanner with tweaks.

X-Barracuda-Connect: unknown\[(118|121|124|125)\.
X-Barracuda-Connect: unknown\[(145|157|188|193|195)\.
X-Barracuda-Connect: unknown\[(189|190|194|196)\.
X-Barracuda-Connect: unknown\[(200|201|202|203)\.
X-Barracuda-Connect: unknown\[(207|208|209|210|211|212|213)\.
X-Barracuda-Connect: unknown\[(217|218|219|220|221|222)\.
X-Barracuda-Connect:.*.*(-|\.)ppp
X-Barracuda-Connect:.*.*(dial-up.|dialin.|dialup.|dialpool.)
X-Barracuda-Connect:.*.*\.cable\.ntl\.com\[
X-Barracuda-Connect:.*.*\.edu\.tw\[
X-Barracuda-Connect:.*.*\.home\.
X-Barracuda-Connect:.*.*\.internetdsl\.
X-Barracuda-Connect:.*.*\.mindspring\.com\[
X-Barracuda-Connect:.*.*\.ono\.com\[
X-Barracuda-Connect:.*.*\.pools\.
X-Barracuda-Connect:.*.*\.proxad\.net\[
X-Barracuda-Connect:.*.*\.tpnet\.pl\[
X-Barracuda-Connect:.*.*\.wanadoo\.fr\[
X-Barracuda-Connect:.*.*\d+\.range
X-Barracuda-Connect:.*.*dhcp
X-Barracuda-Connect:.*.*dsl(-|\.)
X-Barracuda-Connect:.*.*dsl(-|\.)dyn
X-Barracuda-Connect:.*.*dyn(ip|dsl|adsl)(-|\.)
X-Barracuda-Connect:.*.*dynamic(-|\.)
X-Barracuda-Connect:.*.*dynamicip(-|\.)
X-Barracuda-Connect:.*.*ipconnect\.
X-Barracuda-Connect:.*.*net\.ru\[
X-Barracuda-Connect:.*.*ppp(oe|ool)
X-Barracuda-Connect:.*.*static(-|\.)
X-Barracuda-Connect:.*.*user(-|\.)
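
Added example, not part of the original post: a way to dry-run a subset of the filters above against header lines pulled from your logs, so you can see which rule fires on which sender before blocking. The sample headers are constructed, the `host[ip]` layout is inferred from the rules themselves, and Python's `re` standing in for the appliance's regex engine is an assumption.

```python
import re

# A subset of the header filters from the post, copied verbatim.
RULES = [
    r"X-Barracuda-Connect: unknown\[(118|121|124|125)\.",
    r"X-Barracuda-Connect:.*.*(-|\.)ppp",
    r"X-Barracuda-Connect:.*.*(dial-up.|dialin.|dialup.|dialpool.)",
    r"X-Barracuda-Connect:.*.*\.pools\.",
    r"X-Barracuda-Connect:.*.*dhcp",
    r"X-Barracuda-Connect:.*.*dsl(-|\.)",
    r"X-Barracuda-Connect:.*.*dyn(ip|dsl|adsl)(-|\.)",
    r"X-Barracuda-Connect:.*.*dynamic(-|\.)",
    r"X-Barracuda-Connect:.*.*static(-|\.)",
    r"X-Barracuda-Connect:.*.*user(-|\.)",
]
COMPILED = [(rule, re.compile(rule)) for rule in RULES]

# Constructed sample headers (hostnames and addresses are made up).
SAMPLES = [
    "X-Barracuda-Connect: unknown[118.10.20.30]",                    # no PTR
    "X-Barracuda-Connect: host-42.dynamic.isp.example[192.0.2.42]",  # dynamic pool
    "X-Barracuda-Connect: adsl-99.pool.example[192.0.2.99]",         # DSL line
    "X-Barracuda-Connect: mail.example.org[198.51.100.25]",          # plain MX
    "X-Barracuda-Connect: mx1.static-hosting.example[203.0.113.7]",  # "static-" in name
]


def first_match(header_line):
    """Return the first rule that matches the header line, or None."""
    for rule, rx in COMPILED:
        if rx.search(header_line):
            return rule
    return None


def audit(header_lines):
    """Pair every header line with the rule that would block it (or None)."""
    return [(line, first_match(line)) for line in header_lines]


if __name__ == "__main__":
    for line, rule in audit(SAMPLES):
        verdict = "BLOCK by " + rule if rule else "pass"
        print(line.split(": ", 1)[1], "->", verdict)
```

The last sample shows why the logs need checking: a mail host that merely has "static-" in its name is caught by the `static(-|\.)` rule.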