Noticed a pattern in Spam headers

Wojjie

I just spent a nice chunk of my day looking at decreasing the CPU load caused by spam. As we speak, my server's load is between 2 and 10 with 500-2000 emails hitting my server per hour (depending on the time of day).

I did notice that a lot of spam likes to spoof the 'Received:' headers and act like it already came from the mail server for the domain to your domain. Hard to explain, so I will give an example:

Code:
Received: from [80.51.255.150] (port=3076 helo=mail.brenner-de.com)
	by mich1.wojjie.net with esmtp (Exim 4.52)
	id 1Gg2jL-0008Or-FG
	for [email protected]; Fri, 03 Nov 2006 12:21:24 -0500
Received: from 217.140.40.34 (HELO btmx4.sun.com)
     by game-monitor.com with esmtp (6CHY6PNUUJWM XMG9G)
     id 5EYFVA-5ZLBO0-1F
     for [email protected]; Fri, 3 Nov 2006 17:24:16 -0060
From: "Rhonda Rowland" <[email protected]>
To: <[email protected]>
Subject: Rhonda wrote:
As you see, the top Received was added by my mail server when the email was received (I have seen headers where the sender was obviously a dial up user). The bottom one was on the email when received by my mail server. The funny thing is, if game-monitor.com already received it, why am I getting it again?

I was just wondering if it is possible to write an ACL that will automatically deny these messages, since most spam today seems to take this approach.

I understand that some domains may be relayed, and may work against people with relayed domains, but in most cases it is not. Even if you were to have a relay setup, you should be able to add your relay server as some sort of trusted relay and bypass the ACL.

I will continue to research it when I have time; I am new to ACLs and have yet to find an example of one that checks the headers.
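An added check for the pattern described in the post (example code, not from the post or from Exim): it unfolds the Received headers and flags any hop that claims to have delivered the message "for" an address at the local domain while being neither a local server nor a trusted relay. The local domain wojjie.net is taken from the hostname in the post; the recipient address is redacted on the page, so user@wojjie.net is a placeholder, and the trusted-relay set is the bypass the post suggests for forwarded domains.

```python
import re

# Constructed sample from the headers quoted in the post; the recipient is
# redacted on the page, so user@wojjie.net is a placeholder address.
SAMPLE = """\
Received: from [80.51.255.150] (port=3076 helo=mail.brenner-de.com)
\tby mich1.wojjie.net with esmtp (Exim 4.52)
\tid 1Gg2jL-0008Or-FG
\tfor user@wojjie.net; Fri, 03 Nov 2006 12:21:24 -0500
Received: from 217.140.40.34 (HELO btmx4.sun.com)
     by game-monitor.com with esmtp (6CHY6PNUUJWM XMG9G)
     id 5EYFVA-5ZLBO0-1F
     for user@wojjie.net; Fri, 3 Nov 2006 17:24:16 -0060
From: "Rhonda Rowland" <sender@example.invalid>
To: <user@wojjie.net>
Subject: Rhonda wrote:
"""

BY_RE = re.compile(r"\bby\s+([^\s;()]+)", re.I)
FOR_RE = re.compile(r"\bfor\s+<?([^\s;<>]+)>?", re.I)

def unfold_headers(raw):
    """Return [(name, value)] with continuation lines folded back in."""
    headers = []
    for line in raw.splitlines():
        if not line.strip():
            break  # blank line ends the header block
        if line[0] in " \t" and headers:  # continuation of previous header
            headers[-1] = (headers[-1][0], headers[-1][1] + " " + line.strip())
        elif ":" in line:
            name, value = line.split(":", 1)
            headers.append((name.strip().lower(), value.strip()))
    return headers

def find_spoofed_local_delivery(raw, local_domains, trusted_hosts):
    """Hosts claiming to have delivered the mail *for* one of our domains
    while being neither our own server nor a trusted relay."""
    local = {d.lower() for d in local_domains}
    trusted = {h.lower() for h in trusted_hosts}
    suspects = []
    for name, value in unfold_headers(raw):
        by, rcpt = BY_RE.search(value), FOR_RE.search(value)
        if name != "received" or not by or not rcpt or "@" not in rcpt.group(1):
            continue
        by_host = by.group(1).lower()
        rcpt_domain = rcpt.group(1).rsplit("@", 1)[1].lower()
        if rcpt_domain in local and by_host not in trusted:
            suspects.append(by_host)
    return suspects
```

On the sample above this returns ["game-monitor.com"], the hop the post singles out; adding that host to the trusted set is how a genuine forwarder would be let through.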