Michael,<br><br>Most of the SPAM I receive at work comes from users with dynamic IPs who manipulate the headers to appear as if they are a legitimate domain. If you look at the <b>From</b> line in the header you'll see the ISP issued hostname followed by the IP address. That's a big no-no. If they don't have a PTR record for mail, they are <b>PROBABLY</b> not legit. There are still some servers that don't have PTR records (like the L.A. Sheriff's Department), so you'll need to check your logs often. I usually send the postmaster a friendly email asking him to talk to his ISP about the PTR record.<br>
<br>Here's a sample of my header filtering/block list. We use Barracuda who uses SPAMAssassin and Mail Scanner with tweaks.<br><br>X-Barracuda-Connect: unknown\[(118|121|124|125)\.<br>X-Barracuda-Connect: unknown\[(145|157|188|193|195)\.<br>
X-Barracuda-Connect: unknown\[(189|190|194|196)\.<br>X-Barracuda-Connect: unknown\[(200|201|202|203)\.<br>X-Barracuda-Connect: unknown\[(207|208|209|210|211|212|213)\.<br>X-Barracuda-Connect: unknown\[(217|218|219|220|221|222)\.<br>
X-Barracuda-Connect:.*.*(-|\.)ppp<br>X-Barracuda-Connect:.*.*(dial-up.|dialin.|dialup.|dialpool.)<br>X-Barracuda-Connect:.*.*\.cable\.ntl\.com\[<br>X-Barracuda-Connect:.*.*\.edu\.tw\[<br>X-Barracuda-Connect:.*.*\.home\.<br>
X-Barracuda-Connect:.*.*\.internetdsl\.<br>X-Barracuda-Connect:.*.*\.mindspring\.com\[<br>X-Barracuda-Connect:.*.*\.ono\.com\[<br>X-Barracuda-Connect:.*.*\.pools\.<br>X-Barracuda-Connect:.*.*\.proxad\.net\[<br>X-Barracuda-Connect:.*.*\.tpnet\.pl\[<br>
X-Barracuda-Connect:.*.*\.wanadoo\.fr\[<br>X-Barracuda-Connect:.*.*\d+\.range<br>X-Barracuda-Connect:.*.*dhcp<br>X-Barracuda-Connect:.*.*dsl(-|\.)<br>X-Barracuda-Connect:.*.*dsl(-|\.)dyn<br>X-Barracuda-Connect:.*.*dyn(ip|dsl|adsl)(-|\.)<br>
X-Barracuda-Connect:.*.*dynamic(-|\.)<br>X-Barracuda-Connect:.*.*dynamicip(-|\.)<br>X-Barracuda-Connect:.*.*ipconnect\.<br>X-Barracuda-Connect:.*.*net\.ru\[<br>X-Barracuda-Connect:.*.*ppp(oe|ool)<br>X-Barracuda-Connect:.*.*static(-|\.)<br>
X-Barracuda-Connect:.*.*user(-|\.)<br>