# Tips wanted on weeding out name spam

## audiodef

I run my own mail server on a Gentoo-based server. Anyone have any tips for weeding out that spam with people's names in the subject line?

----------

## bunder

You could write a custom SpamAssassin rule if you're okay with Perl regex. :Wink:

https://wiki.apache.org/spamassassin/WritingRules#Header_rules

----------

## audiodef

I was wondering if I could do something like that. I mean, who IRL actually puts their name and only their name in the subject line anyway?   :Razz: 

EDIT: Being the usual idiot I am, I forgot I already had sufficient measures in place. I just needed to run sa-update and restart spamd.

----------

## audiodef

Not solved. 

I know it's not a bad mail server config because it's only affecting two accounts that have been used online over time. I'm hoping to figure out how to strengthen my spam filter. I could del these accounts, but I'd have to go around updating a lot of places that use these emails as logins and stuff.

----------

## NeddySeagoon

audiodef,

I greylist everything. That means nothing gets through at the first attempt from anywhere.

Spammers rarely do a retry :)

I check RDNS too but that drops some mail that I do want due to oddly configured mail systems.

----------

## audiodef

Thanks, Neddy.  Great idea.  :Smile: 

EDIT:

Trying Postgrey. It seemed to block all mail until I found in my logs that postfix was unable to connect to postgrey. This was because

https://wiki.gentoo.org/wiki/Postfix/Greylisting

gives a specific port which is not the actual port used in my instance. Checking `ps aux | grep postgrey`, I used the port from that output and now postgrey appears to be working, with expected log output.

----------

## figueroa

I've begun to just redirect all mail from selected top level domains that appear to only send spam using a procmail rule:

```
:0
* ^Return-Path.*@([-a-z0-9_\.]+)(\.stream>|\.info>|\.bi.>|\.date>|\.win>|\.c.\.cc>|\.top>|\.webcam>|\.me>|\.tv>|\.party>|\.faith>|\.review>|\.site>|\.trade>|\.click>|\.link>|\.rocks>|\.space>|\.work>|\.xxx>|\.xyz>|\.club>|\.press>|\.cricket>|\.download>|\.science>|\.study>|\.gdn>|\.men>|\.site>|\.world>|\.agency>|\.today>|\.icu>|\.life>|\.live>|\.fun>|\.pro>|\.loan>|\.gq>|\.store>)
{
  LOG="Sender Domain Rule Return Path - "

  :0: senderdom1
  .junk/
}

:0
* ^From.*@([-a-z0-9_\.]+)(\.stream>|\.info>|\.bi.>|\.date>|\.win>|\.c.\.cc>|\.top>|\.webcam>|\.me>|\.tv>|\.party>|\.faith>|\.review>|\.site>|\.trade>|\.click>|\.link>|\.rocks>|\.space>|\.work>|\.xxx>|\.xyz>|\.club>|\.press>|\.cricket>|\.download>|\.science>|\.study>|\.gdn>|\.men>|\.site>|\.world>|\.agency>|\.today>|\.icu>|\.li[fv]e>|\.fun>|\.pro>|\.loan>|\.gq>|\.store>)
{
  LOG="Sender Domain Rule From - "

  :0: senderdom2
  .junk/
}
```

I keep track of the hits by mailing myself a custom log daily, and I also check "junk" a couple of times a day. These two rules are run before SpamAssassin, and from these domains I get 0% false positives. This is 80% of all of my spam. The Return-Path rule catches 99.9% of these top level domain bad actors. The From rule is just a fall-back, but From is most often forged anyway.

You can modify rules like these to hit on selected user names in the To: or TO: header.

----------
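Added example, not part of figueroa's post: a Python dry run of the two recipe conditions, so the rule can be checked against saved messages for false positives before it redirects live mail. The TLD list is copied from the recipe; the `matching_rule` helper and the sample messages are constructed for illustration.

```python
import re
from email import message_from_string

# TLD alternatives copied from the From recipe above (duplicate "site" dropped).
TLDS = (r"stream|info|bi.|date|win|c.\.cc|top|webcam|me|tv|party|faith|review|site|"
        r"trade|click|link|rocks|space|work|xxx|xyz|club|press|cricket|download|"
        r"science|study|gdn|men|world|agency|today|icu|li[fv]e|fun|pro|loan|gq|store")
# Same shape as the recipe condition: address domain, listed TLD, closing ">".
DOMAIN = rf"@[-a-z0-9_.]+\.(?:{TLDS})>"
# procmail matches case-insensitively by default, hence re.IGNORECASE.
RULES = [(name, re.compile(rf"^{name}.*{DOMAIN}", re.IGNORECASE))
         for name in ("Return-Path", "From")]


def matching_rule(raw_message):
    """Return the name of the first recipe that would fire, or None."""
    msg = message_from_string(raw_message)
    # Unfold continuation lines so each header is tested as a single line.
    lines = [f"{k}: {' '.join(str(v).split())}" for k, v in msg.items()]
    for name, pattern in RULES:
        if any(pattern.search(line) for line in lines):
            return name
    return None


# Constructed sample messages (hypothetical addresses, not real senders).
SAMPLES = {
    "return_path_hit": "Return-Path: <bounce@mail.example.top>\n"
                       "From: Jane Doe <jane@example.com>\nSubject: Jane Doe\n\nx\n",
    "from_only_hit": "Return-Path: <relay@example.net>\n"
                     "From: Offers <deals@shop.example.click>\nSubject: hi\n\nx\n",
    # ".bi." is a one-character wildcard, so .biz is caught as well as .bid.
    "wildcard_hit": "Return-Path: <a@corp.example.biz>\nSubject: hi\n\nx\n",
    "upper_case_hit": "FROM: X <A@B.EXAMPLE.XYZ>\nSubject: hi\n\nx\n",
    # "me" appears as a subdomain label, not as the TLD: must not match.
    "legit": "Return-Path: <list@lists.example.org>\n"
             "From: News <news@me.example.org>\nSubject: digest\n\nx\n",
    # No angle brackets, so the ">" the recipe requires is absent: not matched.
    "bare_address_miss": "From: deals@shop.example.click\nSubject: hi\n\nx\n",
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(f"{label:18} -> {matching_rule(raw)}")
```

The `bare_address_miss` case shows that an address written without angle brackets is not caught by either condition as written.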

