reject joe job email where Return-Path does not = from:


Well-Known Member
Sep 13, 2003
Today I got 3000 joe-job bounce emails which were sent with one of my email addresses as the return-path but with a different from: and reply-to: address.

Return-Path: <[email protected]>
Received: from ( by (7.3.120)
id 4628E49E18DB4454; Sun, 20 Apr 2008 19:41:00 +0200
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: Av//AM4cC0i+QZAyPGdsb2JhbACRGB4YAQEBFBw
X-cp3a: YES
X-IronPort-AV: E=Sophos;i="4.25,686,1199660400";
Received: from unknown (HELO ([])
by with SMTP; 20 Apr 2008 19:40:48 +0200
X-Originating-IP: by smtp.; Sun, 20 Apr 2008 13:40:47 -0500
Message-ID: <[email protected]>
From: "Somebody Shelton" <[email protected]>
Reply-To: "Somebody Shelton" <[email protected]>
To: [email protected]
Subject: Inexpensive Louis Vuitton bags
Date: Sun, 20 Apr 2008 13:40:47 -0500
Content-Type: text/plain;
Content-Transfer-Encoding: 7Bit

Return-path: <[email protected]>
Received: from ([])
by with smtp (Exim 4.63)
(envelope-from <[email protected]>)
id 1Jnd3s-0006Gl-SS
for [email protected]; Sun, 20 Apr 2008 19:10:45 +0200
X-Originating-IP: by smtp.; Sun, 20 Apr 2008 13:19:20 -0500
Message-ID: <[email protected]>
From: "somebodyelse Beard" <[email protected]>
Reply-To: "somebodyelse Beard" <[email protected]>
To: [email protected]
Subject: Inexpensive Louis Vuitton bags
Date: Sun, 20 Apr 2008 13:19:20 -0500
Content-Type: text/plain;
Content-Transfer-Encoding: 7Bit

Return-Path: <[email protected]>
Received: (qmail 44112 invoked by uid 3179); 19 Apr 2008 05:31:08 -0000
Delivered-To: chrismd-westminsterspeed:[email protected]
Received: (qmail 44109 invoked from network); 19 Apr 2008 05:31:08 -0000
Received: from (
by with SMTP; 19 Apr 2008 05:31:08 -0000
Received: from localhost (localhost [])
by (Postfix) with SMTP id E8F542BD3A;
Sat, 19 Apr 2008 01:31:07 -0400 (EDT)
Received: from (unknown [])
by (Postfix) with SMTP id 21B342BCF0;
Sat, 19 Apr 2008 01:30:53 -0400 (EDT)
X-Originating-IP: by smtp.; Sat, 19 Apr 2008 01:30:47 -0500
Message-ID: <[email protected]>
From: "somebodyelse Ricks" <[email protected]>
Reply-To: "somebodyelse Ricks" <[email protected]>
To: [email protected]
Subject: Replica watch is a perfect gift
Date: Sat, 19 Apr 2008 01:30:47 -0500
Content-Type: text/plain;
Content-Transfer-Encoding: 7Bit
I can see no legitimate reason for my mailserver to accept bounces or any email where the return-path is different than the from address. Further no one on the server uses a separate reply-to header so I can see no legitimate reason to accept email where the reply-to header is different than the from header.

Unfortunately when the victim of such a joe-job the mailer daemon returns are all different formats -- doesn't seem there is much of a standard there. When they often include the original message, the headers clearly show the insanity of bouncing to the return-path when it doesn't match the from or reply to address, so possibly I could scan based on this...

Enabling domain keys and SPF help prevent some of the spammers email from getting through, but you still get the bounces it seems from these mail servers that still bounce instead of fail :(

Any ideas for an easy solution?
Last edited:


Well-Known Member
Feb 17, 2005
Austin, TX
cPanel Access Level
Reseller Owner
The problem I've found with MailScanner's watermarking is that other legit e-mails (like out of office replies) will get spammed for some strange reason, too.

I've had to disable watermarking until there's a way to enable/disable it per-domain. Right now it's an all or nothing approach, unfortunately.

If I'm wrong, then PLEASE correct me!


UPDATE: I was wrong! You CAN specify a ruleset for several different watermarking settings. Therefore, you can enable or disable watermarking behavior per domain. Sorry for any confusion - Go get MailScanner from ConfigServer!
Last edited: