What you create by having a catch-all address domain is an EXCELLENT
resource for spammers. They will use your domain as a FROM in their
spoofing spew. Any [misguided but popular] email software doing the [DDoS
enabling] "sender address verification" will pass the sender as legit, when
indeed it is not.

There are many ways to program around a catchall policy, and I encourage you
to find one. Maybe someone on the list can even help. Tell us, why do you
need a catchall?



-----Original Message-----
From: smeevil [mailto:info@govannon.nl]
Sent: Wednesday, July 18, 2007 2:52 AM
To: users@spamassassin.apache.org
Subject: Catch all addresses and failure/undeliverable notification messages

Hello all,

I am looking for some advice regarding the following issue:

I have some domains which are using a catch all address.
On these addresses I get a lot of undeliverable / failure notices which are
theoretically legit.
Though they originate from spams spoofing the domains, which makes those
messages spam in practice.

I am hoping any of you would know a solution to filter these messages while
retaining the legit ones.
So far the only "solution" I can come up with is to stop using catch all
addresses, which in some cases is not feasible.

Thank you for your time
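One way to separate backscatter from bounces of mail the domain really sent, as an added example that is not part of the original thread: keep a bounce only if the returned original carries a Received hop through one of your own relays (the idea behind the whitelist_bounce_relays setting of SpamAssassin's VBounce plugin). The relay hostname, the function names and the sample bounce are assumptions constructed for illustration.

```python
import re
from email import message_from_bytes, policy
from email.parser import BytesParser

# Assumption: hostnames of the MTAs that send mail for the catch-all domain.
OUR_RELAYS = {"mx1.catchall.example"}

def original_headers(msg):
    """Headers of the message the bounce claims we sent, or None if not returned."""
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype == "message/rfc822":        # full original attached
            return part.get_payload(0)
        if ctype == "text/rfc822-headers":   # headers-only return
            raw = part.get_payload(decode=True)
            return BytesParser(policy=policy.default).parsebytes(raw, headersonly=True)
    return None

def classify_bounce(raw, our_relays=OUR_RELAYS):
    """Return 'not-a-dsn', 'unverifiable', 'own-mail' or 'backscatter'."""
    msg = message_from_bytes(raw, policy=policy.default)
    report = (msg.get_param("report-type") or "").lower()
    if msg.get_content_type() != "multipart/report" or report != "delivery-status":
        return "not-a-dsn"
    orig = original_headers(msg)
    if orig is None:
        return "unverifiable"  # nothing to check against: score it, do not drop it
    hops = {m.group(1).lower().rstrip(".")
            for h in orig.get_all("Received", [])
            for m in re.finditer(r"\bby\s+([A-Za-z0-9.-]+)", str(h))}
    return "own-mail" if hops & set(our_relays) else "backscatter"

def sample_dsn(received_by):
    """Constructed sample: minimal RFC 3464 bounce returning the original message."""
    return (
        "From: MAILER-DAEMON@remote.example\nTo: x7q2@catchall.example\n"
        "Subject: Undelivered Mail Returned to Sender\nMIME-Version: 1.0\n"
        'Content-Type: multipart/report; report-type=delivery-status; boundary="b1"\n\n'
        "--b1\nContent-Type: text/plain\n\nDelivery failed.\n"
        "--b1\nContent-Type: message/delivery-status\n\nReporting-MTA: dns; remote.example\n\n"
        "Final-Recipient: rfc822; nobody@remote.example\nAction: failed\nStatus: 5.1.1\n\n"
        "--b1\nContent-Type: message/rfc822\n\n"
        f"Received: from desk.catchall.example by {received_by} with ESMTP; Wed, 18 Jul 2007 09:00:00 +0200\n"
        "From: x7q2@catchall.example\nTo: nobody@remote.example\nSubject: hi\n\nbody\n--b1--\n"
    ).encode()

if __name__ == "__main__":
    print(classify_bounce(sample_dsn("mx1.catchall.example")))
    print(classify_bounce(sample_dsn("bot.dsl.example")))
```

Received lines in a returned message can be forged by a sender who knows the relay name, so treat the result as a scoring signal; a signed envelope sender (BATV) gives a stronger check.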