Banned recipient

Quarantine banned recipient address

 

Purpose:

Check the To field to see if the field contains an address that is found in the BANNED-RECIPIENT list.

Action:

Quarantine a To recipient that is found on the Banned Recipient list.

Default state:

Enabled

False Positive:

This rule is highly accurate, but there is a small chance of false positives. The source of false positives is senders who compose a message to themselves while including someone in your domain as a blind carbon copy.

Other notes:

In an attempt to be more sophisticated, many spammers try to avoid the mistakes of their predecessors, who used the same address for the To and From fields. Instead, they use a "To" field containing an address that suggests some sort of public group (friends@public, member@the_internet, user@internet.com, etc.) and that is quite clearly bogus.

Just as in the case with identical To and From addresses, the intended recipient is listed only in the RFC-821 RCPT TO. Once again, such a message makes it appear that the person receiving it is a blind carbon copy recipient.

See sample below.

 

Sample:

Received: from giulietta.logikos.it (1Cust226.tnt1.ontario.ca.da.uu.net [208.254.108.226])
  by giulietta.logikos.it (8.8.6/8.8.7) with SMTP
  id FAA01336; Tue, 22 Dec 1998 05:28:45 +0100
From: fjd8@giulietta.logikos.it
Message-Id: <199812220428.FAA01336@giulietta.logikos.it>
To: user@the-internet.com
Date: Mon, 21 Dec 98 20:13:02 EST
Subject: hi

Do you know what the number one fact is, that will determine whether your business is a success or
:
:
:
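
The check described above, applied to the sample's headers, as an added example that is not the product's own code. The function name, the verdict fields and the contents of the banned list are assumptions made for illustration; the envelope recipients stand for the addresses given in RCPT TO.

```python
from email import message_from_string
from email.utils import getaddresses

# Constructed list for illustration; the product's real BANNED-RECIPIENT
# list and its storage format are not shown on this page.
BANNED_RECIPIENTS = {
    "friends@public",
    "member@the_internet",
    "user@internet.com",
    "user@the-internet.com",
}

# Headers taken from the sample above, body shortened.
SAMPLE = """\
From: fjd8@giulietta.logikos.it
Message-Id: <199812220428.FAA01336@giulietta.logikos.it>
To: user@the-internet.com
Date: Mon, 21 Dec 98 20:13:02 EST
Subject: hi

Do you know what the number one fact is
"""


def check_banned_recipient(raw_message, envelope_rcpts, banned=BANNED_RECIPIENTS):
    """Return a verdict for one message.

    envelope_rcpts: addresses from the SMTP RCPT TO commands (hypothetical input).
    """
    msg = message_from_string(raw_message)
    # get_all() covers repeated To headers; getaddresses() drops display names.
    to_addrs = {addr.strip().lower()
                for _, addr in getaddresses(msg.get_all("To", [])) if addr}
    hits = sorted(to_addrs & {b.lower() for b in banned})
    rcpts = {r.strip().lower() for r in envelope_rcpts}
    return {
        "action": "quarantine" if hits else "deliver",
        "matched": hits,
        # True when no envelope recipient is visible in To (the Bcc look).
        "recipient_hidden": bool(rcpts) and not (rcpts & to_addrs),
    }
```

The "recipient_hidden" field is informational only; the rule itself acts on the To match.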

 
