I've noticed that a lot of Nigerian style spam has an interesting
characteristic where they use a from address of one public free email
service and a reply-to address of another free public email service. For
example, a spam from yahoo.co.jp will have a reply-to of yahoo.com or
hotmail.com. So I created an ACL that seems to be working to catch these.
deny condition = ${if
match_domain{${domain:$h_Reply-to:}}{/etc/exim/run/freemaildomains.txt}}
condition = ${if
match_domain{${domain:$h_From:}}{/etc/exim/run/freemaildomains.txt}}
!condition = ${if eq{${domain:$h_From:}}{${domain:$h_Reply-to:}}}
aim.com
aol.co.uk
aol.com
bellsouth.net
comcast.net
compuserve.com
excite.com
fastmail.com
gmail.com
google.com
hotmail.co.uk
hotmail.com
hotpop.com
juno.com
lycos.com
mail.com
msn.com
myspace.com
myway.com
sbcglobal.com
uymail.com
walla.com
web.de
yahoo.ca
yahoo.co.au
yahoo.co.in
yahoo.co.jp
yahoo.co.uk
yahoo.com
yahoo.de
yahoo.es
yahoo.fr
yahoo.it
yahoo.mx
yahoo.ru
yahoo.tw