I just spent a nice chunk of my day looking into decreasing CPU load caused by spam. As we speak, my server's load is between 2 and 10 with 500-2000 emails hitting my server per hour (depending on the time of day). I did notice that a lot of spam likes to spoof the 'Received:' headers and act like it came from the mail server for the domain to your domain already. Hard to explain, so I will give an example:

Code:
Received: from [220.127.116.11] (port=3076 helo=mail.brenner-de.com)
    by mich1.wojjie.net with esmtp (Exim 4.52)
    id 1Gg2jL-0008Or-FG
    for email@example.com; Fri, 03 Nov 2006 12:21:24 -0500
Received: from 18.104.22.168 (HELO btmx4.sun.com)
    by game-monitor.com with esmtp (6CHY6PNUUJWM XMG9G)
    id 5EYFVA-5ZLBO0-1F
    for firstname.lastname@example.org; Fri, 3 Nov 2006 17:24:16 -0060
From: "Rhonda Rowland" <email@example.com>
To: <firstname.lastname@example.org>
Subject: Rhonda wrote:

As you see, the top Received was added by my mail server when the email was received (I have seen headers where the sender was obviously a dial-up user). The bottom one was on the email when received by my mail server. The funny thing is, if game-monitor.com already received it, why am I getting it again?

I was just wondering if it is possible to write an ACL that will automatically deny these messages, since most spam today seems to take on this approach. I understand that some domains may be relayed, and may work against people with relayed domains, but in most cases it is not. Even if you were to have a relay setup, you should be able to add your relay server as some sort of trusted relay and bypass the ACL.

I will continue to research it when I have time; I am new to ACLs and have yet to find an example of one that checks the header.
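The check described in the post, sketched as an offline Python filter over the quoted headers. This is an added example, not part of the original post and not an Exim ACL; the function name `forged_local_hops`, the `trusted_relays` parameter, and the treatment of game-monitor.com as one of the server's local names are assumptions made for illustration.

```python
import re
from email import message_from_string

# "by <host>" clause of a Received: header
BY_HOST = re.compile(r"\bby\s+([A-Za-z0-9.-]+)", re.I)
# bracketed peer address that Exim records as "from [ip]"
FROM_IP = re.compile(r"\bfrom\s+\[([0-9a-fA-F.:]+)\]", re.I)

def forged_local_hops(raw, local_names, trusted_relays=frozenset()):
    """Return older Received: headers whose "by" host is one of our own names."""
    received = message_from_string(raw).get_all("Received", [])
    if not received:
        return []
    # The topmost header is the one our server added; its peer IP is the real sender.
    peer = FROM_IP.search(received[0])
    if peer and peer.group(1) in trusted_relays:
        return []  # a known relay may legitimately hand over mail stamped with our names
    local = {name.lower() for name in local_names}
    hits = []
    for hop in received[1:]:  # everything below was supplied by the sender
        match = BY_HOST.search(hop)
        if match and match.group(1).lower().rstrip(".") in local:
            hits.append(" ".join(hop.split()))  # unfold the header for reporting
    return hits

# Headers quoted in the post, refolded; the body line is constructed.
SAMPLE = """\
Received: from [220.127.116.11] (port=3076 helo=mail.brenner-de.com)
\tby mich1.wojjie.net with esmtp (Exim 4.52)
\tid 1Gg2jL-0008Or-FG
\tfor email@example.com; Fri, 03 Nov 2006 12:21:24 -0500
Received: from 18.104.22.168 (HELO btmx4.sun.com)
\tby game-monitor.com with esmtp (6CHY6PNUUJWM XMG9G)
\tid 5EYFVA-5ZLBO0-1F
\tfor firstname.lastname@example.org; Fri, 3 Nov 2006 17:24:16 -0060
From: "Rhonda Rowland" <email@example.com>
To: <firstname.lastname@example.org>
Subject: Rhonda wrote:

(constructed body)
"""

LOCAL = {"mich1.wojjie.net", "game-monitor.com"}  # assumed local names

if __name__ == "__main__":
    for hop in forged_local_hops(SAMPLE, LOCAL):
        print("sender-supplied hop claims a local host:", hop)
```

The trusted-relay bypass keys on the peer address in the server's own Received: header, which is the only hop in the chain the sender cannot forge.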