On Monday 2005-November-28 15:28, Rob Carlson wrote: > The idea is (in the long term) to be able to send > port 25 traffic from hotmail to a test mail > server, where the spam could be discarded and we > could forward legitimate mail that comes from > clients who still use hotmail... Since 95% of > hotmail is trash, it would make our populace here Hmmm, I probably don't agree with this approach to the problem. Therefore most or all of this will be off-topic. How did you identify the hotmail IP addresses? Their SPF? "v=spf1 include:spf-a.hotmail.com include:spf-b.hotmail.com include:spf-c.hotmail.com include:spf-d.hotmail.com ~all" I won't try to chase down all those includes. > In the short term (in order to test our > postfix/procmail configuration) I want to be able When you say "procmail" I think you are going about this the wrong way. For spam reduction in Postfix, see here: http://jimsun.linxnet.com/misc/postfix-anti-UCE.txt and the various README files, especially http://www.postfix.org/SMTPD_ACCESS_README.html . I also like greylisting at least for unknown clients and hosts which appear to be dynamic. sqlgrey has a good regex for identifying likely dynamic clients, which in most cases turn out to be Windows zombies. You could use Postfix restriction classes and handle the mail from Hotmail differently within the same Postfix instance, too. While there is plenty of spam and abuse emanating from Hotmail.com clients, the *vast majority* of so-called "hotmail" spam comes from elsewhere: Windows zombies pretending to send from hotmail users. The proper way to deal with that would be the from_freemail_hosts class described in the aforelinked Cheat Sheet. > to ssh to my home machine and mail to myself at > work (with the hope that the mail will be routed > AWAY from our primary mailserver to the test mail > server). How are you submitting this mail? You are not hotmail.com, I bet. > So, I'm right now, I can ssh to my home machine, > but any mail I send still goes to the primary server. If your IP is in the set but you use a client which calls sendmail(1) for submission, you are not going to hit your port 25, thus no DNAT will take place. Also if this machine is the one you're DNAT'ing, you need your DNAT rules in OUTPUT, not PREROUTING. > Thanks for the help so far and any more... Whew, at least THAT part of it was on topic. :) -- mail to this address is discarded unless "/dev/rob0" or "not-spam" is in Subject: header
