Thanks for all your input. But some of you missed my point. I admit, the
subject is OT, and I was too lengthy in explanation.
Shorter:
We DO accept mail from a trusted host, not under our control. THAT host
was tricked into accepting spam. To identify this, we have no other choice
than to look at data, and I was especially thinking about "Received
from" headers.
Okay, I think this thread is exhausted, unless you still have some
exceptional idea now.
Sorry for the initial confusion, thanks for your feedback.
Hardy
On 07.10.2016 12:59, Hardy wrote:
> Hi folks,
>
> 2nd Stage DNS blocking
> I could imagine I am not the first with this idea, and there is already
> a proper name for it. Let me describe:
> We receive spam via the usual MTA chain. Sometimes we receive mail from
> (free) mail providers like gmail and yahoo. Sometimes we fetchmail these
> latter ones to feed them to our MX.
> We only check the connecting server, and in some of the examples above
> it might even be trusted. But that one was tricked into taking spam before.
> Random samples show me: We would not have taken most of the spam from
> the intermediate or even originating MTA or sender. I would like to run
> these "Received from" addresses against dnslists and/or blacklists in
> files.
> You obviously cannot do this before the acl data. I am not a regex wiz,
> and I think one needs an external script anyway to extract IPs. Hints?
> Ideas?
> Has anyone done this before?
>
> Cheers
> Hardy
>
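An external script of the kind described in the thread, added here as an example and not part of the original post: it pulls the bracketed IPv4 addresses out of the Received: headers, drops ranges no DNSBL lists, and looks each remaining hop up in one or more DNSBL zones. The sample headers, the host names and the zone name bl.example are constructed; the resolver is injectable so the logic can be checked without network access.

```python
import ipaddress
import re
import socket
# Constructed sample, matching the case in the post: the trusted relay is the
# last hop and the tricked/originating MTAs sit further down the chain.
SAMPLE_HEADERS = """\
Received: from relay.trusted.example ([198.51.100.10])
\tby mx.example.org with esmtps; Fri, 07 Oct 2016 12:40:01 +0200
Received: from mail-xy.gmail.example (mail-xy.gmail.example. [203.0.113.25])
\tby relay.trusted.example with ESMTPS; Fri, 07 Oct 2016 12:39:58 +0200
Received: from webmail (localhost [127.0.0.1])
\tby mail-xy.gmail.example with HTTP; Fri, 07 Oct 2016 12:39:55 +0200
"""
IPV4_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
# Ranges no DNSBL lists (RFC 5737 documentation ranges kept so the sample runs).
SKIP_NETS = [ipaddress.ip_network(n) for n in ("0.0.0.0/8", "10.0.0.0/8",
    "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16", "172.16.0.0/12",
    "192.168.0.0/16", "224.0.0.0/3")]
def extract_received_ips(raw):
    """Bracketed IPv4 addresses from Received: fields, newest hop first."""
    ips = []
    # Unfold RFC 5322 continuation lines so each header field is one line.
    for line in re.sub(r"\r?\n[ \t]+", " ", raw).splitlines():
        if not line.lower().startswith("received:"):
            continue
        for cand in IPV4_RE.findall(line):
            try:
                addr = ipaddress.ip_address(cand)
            except ValueError:  # e.g. 300.1.1.1 slipped past the regex
                continue
            if cand not in ips and not any(addr in n for n in SKIP_NETS):
                ips.append(cand)
    return ips

def dnsbl_query_name(ip, zone):
    """Reversed-octet DNSBL name, e.g. 25.113.0.203.bl.example."""
    return ".".join(reversed(ip.split("."))) + "." + zone

def check_hops(raw, zones, resolve=socket.gethostbyname):
    """Map hop IP -> zones listing it; an A answer = listed, NXDOMAIN = not."""
    hits = {}
    for ip in extract_received_ips(raw):
        for zone in zones:
            try:
                resolve(dnsbl_query_name(ip, zone))
            except OSError:  # socket.gaierror on NXDOMAIN is an OSError
                continue
            hits.setdefault(ip, []).append(zone)
    return hits
```

Hooking the script into the DATA ACL and deciding what to do with a hit (reject, score, or just log) is left to the site's policy and is not shown here.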