Community Discussions and Support
Mercury Hacked

Well, all seems to be quieting down on their Mercury. I think they will be dealing with spam rejections from other servers for a day or two, but they can handle that. I do appreciate all your help. If it chokes again, I will be back!

A client uses Mercury/32 version 4.52. Yesterday the system was compromised and is spewing out spam from a variety of sources. I am not familiar enough with your program to know how to help them. I went to the MercuryS / Connection Control and have check marks in the first two boxes, which are supposed to turn off relaying. I re-installed the program itself (as an update), although it is the current program.

I am at a loss as to what to do now.

Suggestions? 

I'm not sure if you are saying that the problem is that the server is relaying incoming external messages to non-local recipients, or if the server itself or some workstation in the local network has been taken over by spammers and is sending messages through the server to non-local recipients? Some additional information would be helpful. You should check that the information in the local domains section of core configuration is correct (see Mercury help). Make sure to restart Mercury after making any changes in the configuration.

/Rolf
 

Here is where we get into my ignorance of the program. I checked the Local Domains section. It is correct. Basically we have Spammers sending (appear to be relaying) to non-local recipients. I have read through the manual and tried turning off all mail relaying except authenticated users (of which there are only 3 listed). I have enabled the Limit RCPT to 4 / Limit Relay Attempts to 3 and Enable Short-term blacklist for compliance failures. I added Spamhaus to the Spam Control blacklist definitions. The only thing that has slowed them down is when I enabled the GrayWall. And that is only a bandaid to the problem.

The computer does not appear to be hacked. They are running the software on an XP machine. 

OK. First make sure all 4 checkboxes in Relaying control (Mercury SMTP server/Connection control) are checked. Then change all passwords in the AUTH password file to new, strong ones, and distribute them to the users. Now only authenticated SMTP connections can relay through this server. Finally make sure that the checkbox "Accept mail for invalid local addresses" (Mercury SMTP server/General) is not checked. This should stop any unwanted non-local traffic coming in through SMTP. Restart the server and, just to be double sure, verify that the new settings have been saved.

If you still see any relaying after this please provide an excerpt from the SMTP log so we get an example of what is happening. 

/Rolf
 

I checked all 4 boxes (have before), changed the username passwords. However, it unchecks the last box upon reboot. It also unchecks the Compliance limit checks as well. I can recheck them all and they stay till I reboot.

I guess I just paste the information out of the Mercurys.log here, as I cannot see how to attach a file. I just clipped off a bit on the end as it grows remarkably fast!

The first clip is from the original relay that showed up in the logs yesterday evening. It is just a few lines. Below that I put a more current one since turning on everything:

T 20080616 105023 485051a6 Connection from 89.21.159.122
T 20080616 105024 485051a6 EHLO [89.21.159.122]
T 20080616 105025 485051a6 MAIL FROM:<ter.fenikshof@compaqnet.be>
T 20080616 105026 485051a6 RCPT TO: <asap@reidprographics.com>
T 20080616 105028 485051a6 DATA - 23 lines, 831 bytes.
T 20080616 105029 485051a6 QUIT
T 20080616 105029 485051a6 Connection closed with 89.21.159.122, 6 sec. elapsed.
T 20080616 105056 485051a7 Connection from 89.59.104.88
T 20080616 105057 485051a7 EHLO X6858.x.pppool.de
T 20080616 105059 485051a7 MAIL FROM:<linrrfvmet@rrfv.de>
T 20080616 105100 485051a7 RCPT TO: <asap@reidprographics.com>
T 20080616 105102 485051a7 DATA - 32 lines, 1859 bytes.
T 20080616 105103 485051a7 QUIT
T 20080616 105103 485051a7 Connection closed with 89.59.104.88, 7 sec. elapsed.
T 20080616 105211 485051a8 Connection from 216.33.127.81
T 20080616 105211 485051a8 EHLO mta21.charter.net
T 20080616 105211 485051a8 MAIL FROM:<nick@nixonaia.com> SIZE=11571
T 20080616 105212 485051a8 RCPT TO:<asap@reidprographics.com>
T 20080616 105212 485051a8 DATA - 333 lines, 11571 bytes.
T 20080616 105212 485051a8 QUIT
T 20080616 105212 485051a8 Connection closed with 216.33.127.81, 1 sec. elapsed.
T 20080616 105448 485051a9 Connection from 88.3.182.204
T 20080616 105450 485051a9 EHLO 204.Red-88-3-182.dynamicIP.rima-tde.net
T 20080616 105452 485051a9 MAIL FROM:<dwvillakaterinam@villakaterina.gr>
T 20080616 105457 485051a9 RCPT TO: <asap@reidprographics.com>
T 20080616 105500 485051a9 DATA - 48 lines, 1409 bytes.
T 20080616 105502 485051a9 QUIT
T 20080616 105502 485051a9 Connection closed with 88.3.182.204, 14 sec. elapsed.
T 20080616 105531 485051aa Connection from 68.188.242.5
T 20080616 105532 485051aa EHLO 68-188-242-5.dhcp.bycy.mi.charter.com
T 20080616 105532 485051aa MAIL From:<bonnermbvshrmu@bagi.com>
T 20080616 105532 485051aa RCPT To:<ken@reidprographics.com>
T 20080616 105532 485051aa DATA - 51 lines, 1524 bytes.
T 20080616 105532 485051aa QUIT
T 20080616 105532 485051aa Connection closed with 68.188.242.5, 1 sec. elapsed.
T 20080616 110246 485051ab Connection from 89.50.180.126
T 20080616 110247 485051ac Connection from 89.50.180.126
T 20080616 110247 485051ad Connection from 89.50.180.126
T 20080616 110250 485051ab HELO Nb47e.n.pppool.de
T 20080616 110251 485051ac HELO Nb47e.n.pppool.de
T 20080616 110251 485051ad HELO Nb47e.n.pppool.de
T 20080616 110254 485051ab MAIL FROM:<lbadham@wilcoxtravel.com>
T 20080616 110255 485051ac MAIL FROM:<lbadham@wilcoxtravel.com>
T 20080616 110255 485051ad MAIL FROM:<lbadham@wilcoxtravel.com>
T 20080616 110257 485051ab RCPT TO:<asap@reidprographics.com>
T 20080616 110257 485051ac RCPT TO:<ken@reidprographics.com>
T 20080616 110257 485051ad RCPT TO:<reid@reidprographics.com>
T 20080616 110311 485051ab DATA - 44 lines, 1628 bytes.
T 20080616 110311 485051ac DATA - 43 lines, 1607 bytes.
T 20080616 110311 485051ad DATA - 44 lines, 1614 bytes.
T 20080616 110316 485051ab QUIT
T 20080616 110316 485051ab Connection closed with 89.50.180.126, 30 sec. elapsed.
T 20080616 110317 485051ac QUIT
T 20080616 110317 485051ac Connection closed with 89.50.180.126, 30 sec. elapsed.
T 20080616 110317 485051ad QUIT
T 20080616 110317 485051ad Connection closed with 89.50.180.126, 30 sec. elapsed.

 

Current SMTP Log:

T 20080617 141146 4857c5de Connection from 209.160.72.31
T 20080617 141146 4857c5de HELO otto.northcottweb.com
T 20080617 141146 4857c5de MAIL FROM:<>
T 20080617 141146 4857c5dd EHLO mx.localdomain
T 20080617 141147 4857c5dd MAIL FROM:<>
T 20080617 141147 4857c5de RCPT TO:<asap@reidprographics.com>
E 20080617 141148 4857c5de Closed by GrayWall.
T 20080617 141148 4857c5de Connection closed with 209.160.72.31, 2 sec. elapsed.
T 20080617 141148 4857c5dd RCPT TO:<asap@reidprographics.com>
E 20080617 141148 4857c5dd Closed by GrayWall.
T 20080617 141148 4857c5dd Connection closed with 62.23.24.202, 2 sec. elapsed.
T 20080617 141149 4857c5df Connection from 64.34.196.197
T 20080617 141149 4857c5df EHLO california.beyond.co.za
T 20080617 141149 4857c5df MAIL FROM:<>
T 20080617 141150 4857c5df RCPT TO:<asap@reidprographics.com>
T 20080617 141150 4857c5e0 Connection from 78.136.54.125
T 20080617 141150 4857c5df DATA - 74 lines, 2416 bytes.
T 20080617 141150 4857c5df QUIT
T 20080617 141150 4857c5e0 EHLO shoutcast.radioromeos.gr
T 20080617 141150 4857c5df Connection closed with 64.34.196.197, 1 sec. elapsed.
T 20080617 141151 4857c5e0 MAIL FROM:<>
T 20080617 141151 4857c5e1 Connection from 200.221.4.97
T 20080617 141151 4857c5e1 EHLO sauron4.uol.com.br
T 20080617 141152 4857c5e2 Connection from 207.97.203.34
T 20080617 141152 4857c5e2 EHLO web1.dmv.org
T 20080617 141152 4857c5e0 RCPT TO:<asap@reidprographics.com>
T 20080617 141152 4857c5e2 MAIL FROM:<> SIZE=3303
T 20080617 141152 4857c5e1 MAIL FROM:<a.reis.ma.sspam@uol.com.br> SIZE=6169
T 20080617 141152 4857c5e3 Connection from 194.217.242.83
T 20080617 141152 4857c5e3 EHLO anchor-bounce-2.mail.thus.net
T 20080617 141152 4857c5e3 MAIL FROM:<>
T 20080617 141152 4857c5e0 DATA - 73 lines, 2325 bytes.
T 20080617 141152 4857c5e3 RCPT TO:<asap@reidprographics.com>
T 20080617 141152 4857c5e0 QUIT
T 20080617 141152 4857c5e0 Connection closed with 78.136.54.125, 2 sec. elapsed.
T 20080617 141153 4857c5e4 Connection from 212.87.81.145
T 20080617 141153 4857c5e4 EHLO bilva.ukisp.net
T 20080617 141153 4857c5e2 RCPT TO:<asap@reidprographics.com>
T 20080617 141153 4857c5e3 DATA - 109 lines, 3479 bytes.
T 20080617 141153 4857c5e1 RCPT TO:<asap@reidprographics.com>
T 20080617 141153 4857c5e3 QUIT
T 20080617 141153 4857c5e3 Connection closed with 194.217.242.83, 1 sec. elapsed.
E 20080617 141153 4857c5e1 Closed by GrayWall.
T 20080617 141153 4857c5e1 Connection closed with 200.221.4.97, 2 sec. elapsed.
T 20080617 141153 4857c5e2 DATA - 109 lines, 3303 bytes.
T 20080617 141153 4857c5e2 QUIT
T 20080617 141153 4857c5e2 Connection closed with 207.97.203.34, 1 sec. elapsed.
T 20080617 141153 4857c5e4 MAIL From:<> SIZE=3018
T 20080617 141154 4857c5e4 RCPT To:<asap@reidprographics.com>
E 20080617 141154 4857c5e4 Closed by GrayWall.
T 20080617 141154 4857c5e4 Connection closed with 212.87.81.145, 1 sec. elapsed.
T 20080617 141155 4857c5e5 Connection from 194.150.236.215
T 20080617 141155 4857c5d4 Connection closed with 217.19.176.2, 31 sec. elapsed.
T 20080617 141155 4857c5e5 HELO ns55.hiwit.net
T 20080617 141156 4857c5e5 MAIL FROM:<>
T 20080617 141156 4857c5e6 Connection from 216.139.225.41
T 20080617 141156 4857c5e6 EHLO lnn020.dotnetltd.co.nz
T 20080617 141157 4857c5e6 MAIL FROM:<>
T 20080617 141157 4857c5e5 RCPT TO:<asap@reidprographics.com>
E 20080617 141157 4857c5e5 Closed by GrayWall.
T 20080617 141157 4857c5e5 Connection closed with 194.150.236.215, 2 sec. elapsed.
T 20080617 141158 4857c5e6 RCPT TO:<asap@reidprographics.com>
T 20080617 141158 4857c5e6 DATA - 74 lines, 2259 bytes.
T 20080617 141158 4857c5e6 QUIT
T 20080617 141158 4857c5e6 Connection closed with 216.139.225.41, 2 sec. elapsed.
T 20080617 141203 4857c5e7 Connection from 216.127.94.108
T 20080617 141203 4857c5e7 EHLO idealhost.com
T 20080617 141203 4857c5e7 MAIL FROM:<>
T 20080617 141204 4857c5e7 RCPT TO:<asap@reidprographics.com>
E 20080617 141204 4857c5e7 Closed by GrayWall.
T 20080617 141204 4857c5e7 Connection closed with 216.127.94.108, 1 sec. elapsed.
T 20080617 141207 4857c5e8 Connection from 83.222.31.44
T 20080617 141207 4857c5e8 EHLO host1624.vps.masterhost.ru
T 20080617 141207 4857c5e8 MAIL FROM:<>
T 20080617 141208 4857c5e9 Connection from 212.187.249.130
T 20080617 141208 4857c5e9 HELO cali.aspectgroup.co.uk
T 20080617 141208 4857c5e8 RCPT TO:<asap@reidprographics.com>
T 20080617 141208 4857c5e9 MAIL FROM:<>
E 20080617 141209 4857c5e8 Closed by GrayWall.
T 20080617 141209 4857c5e8 Connection closed with 83.222.31.44, 2 sec. elapsed.
T 20080617 141210 4857c5e9 RCPT TO:<asap@reidprographics.com>
T 20080617 141210 4857c5e9 DATA - 74 lines, 2297 bytes.
T 20080617 141210 4857c5ea Connection from 65.59.191.61
T 20080617 141210 4857c5ea EHLO touchtone-s1.candidhosting.com
T 20080617 141210 4857c5e9 QUIT
T 20080617 141210 4857c5e9 Connection closed with 212.187.249.130, 2 sec. elapsed.
T 20080617 141210 4857c5ea MAIL FROM:<>
T 20080617 141211 4857c5eb Connection from 195.35.190.145
T 20080617 141211 4857c5ec Connection from 212.214.40.235
T 20080617 141211 4857c5eb EHLO mailrelay1.ilimburg.nl
T 20080617 141211 4857c5ec EHLO zoloft.inserve.se
T 20080617 141211 4857c5ea RCPT TO:<asap@reidprographics.com>
T 20080617 141211 4857c5eb MAIL FROM:<>
T 20080617 141211 4857c5ec MAIL FROM:<> SIZE=3573
T 20080617 141212 4857c5ea DATA - 74 lines, 2242 bytes.
T 20080617 141212 4857c5ea QUIT
T 20080617 141212 4857c5ea Connection closed with 65.59.191.61, 2 sec. elapsed.
T 20080617 141212 4857c5ed Connection from 195.140.123.83
T 20080617 141212 4857c5eb RCPT TO:<asap@reidprographics.com>
T 20080617 141213 4857c5ed EHLO relay66.s-web.de
T 20080617 141213 4857c5ec RCPT TO:<asap@reidprographics.com>
T 20080617 141213 4857c5ee Connection from 198.102.199.111
T 20080617 141213 4857c5ed MAIL FROM:<> SIZE=4062
T 20080617 141213 4857c5ef Connection from 195.16.135.138
T 20080617 141213 4857c5eb DATA - 115 lines, 3769 bytes.
T 20080617 141213 4857c5ee EHLO mx02.laplink.com
T 20080617 141213 4857c5ef EHLO timina.uponeits.com
T 20080617 141213 4857c5eb QUIT
T 20080617 141213 4857c5eb Connection closed with 195.35.190.145, 2 sec. elapsed.
T 20080617 141213 4857c5f0 Connection from 209.216.209.141
E 20080617 141213 4857c5ec Closed by GrayWall.
T 20080617 141213 4857c5f0 EHLO admin.moltenpixel.co.uk
T 20080617 141213 4857c5ec Connection closed with 212.214.40.235, 2 sec. elapsed.
T 20080617 141213 4857c5ee MAIL FROM:<>
T 20080617 141214 4857c5f0 MAIL FROM:<>
T 20080617 141214 4857c5ef MAIL FROM:<> SIZE=4351
T 20080617 141214 4857c5ed RCPT TO:<asap@reidprographics.com>
T 20080617 141214 4857c5f0 RCPT TO:<asap@reidprographics.com>
T 20080617 141214 4857c5ee RCPT TO:<asap@reidprographics.com>
E 20080617 141215 4857c5f0 Closed by GrayWall.
T 20080617 141215 4857c5f0 Connection closed with 209.216.209.141, 2 sec. elapsed.
T 20080617 141215 4857c5ed DATA - 119 lines, 4062 bytes.
T 20080617 141215 4857c5ef RCPT TO:<asap@reidprographics.com>
T 20080617 141215 4857c5ee DATA - 110 lines, 3496 bytes.
T 20080617 141215 4857c5ee QUIT
T 20080617 141215 4857c5ee Connection closed with 198.102.199.111, 2 sec. elapsed.
E 20080617 141215 4857c5ef Closed by GrayWall.
T 20080617 141215 4857c5ef Connection closed with 195.16.135.138, 2 sec. elapsed.
 

Further to what Rolf says, you should also turn on authentication to ensure that an affected machine does not relay mail off the server without providing proper authentication.

 

Not sure what are your domains and what are remote domains.  How about showing us your mercury.ini file?  We are especially interested in the [MercuryS] and [Domains] sections.

 

Apparently the configuration changes aren't saved properly. You must in some cases close the program with the Exit command on the File menu to make sure everything is saved. If it still doesn't work you can always edit the mercury.ini file manually.

Is asap@reidprographics.com a local user? All incoming spam seems to be sent to that address.

/Rolf 
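
Added example, not part of the original thread: a Python script that groups the interleaved MercuryS.log lines by session id and separates relay attempts (a non-local RCPT TO) from mail addressed to local users, counting null-sender (`MAIL FROM:<>`) sessions per recipient. The local domain, hosts and log lines are constructed; only the line layout follows the log posted above.

```python
import re
from collections import Counter, defaultdict

# Assumption: the domains this server accepts mail for (its local domains).
LOCAL_DOMAINS = {"example.com"}

# Constructed sample in the layout shown in the thread:
# <type> <yyyymmdd> <hhmmss> <session id> <text>. Session 0000a000 has no
# "Connection from" line, as happens when a log excerpt is clipped.
SAMPLE_LOG = """\
T 20080617 141146 0000a001 Connection from 192.0.2.10
T 20080617 141146 0000a001 HELO mx1.sender.example
T 20080617 141146 0000a001 MAIL FROM:<>
T 20080617 141146 0000a000 EHLO mx.localdomain
T 20080617 141147 0000a000 MAIL FROM:<>
T 20080617 141147 0000a001 RCPT TO:<asap@example.com>
E 20080617 141148 0000a001 Closed by GrayWall.
T 20080617 141148 0000a001 Connection closed with 192.0.2.10, 2 sec. elapsed.
T 20080617 141148 0000a000 RCPT TO:<asap@example.com>
T 20080617 141148 0000a000 DATA - 74 lines, 2416 bytes.
T 20080617 141148 0000a000 QUIT
T 20080617 141148 0000a000 Connection closed with 192.0.2.11, 2 sec. elapsed.
T 20080617 141150 0000a002 Connection from 198.51.100.7
T 20080617 141150 0000a002 EHLO [198.51.100.7]
T 20080617 141151 0000a002 MAIL From:<someone@sender.example> SIZE=1524
T 20080617 141151 0000a002 RCPT To: <ken@example.com>
T 20080617 141152 0000a002 DATA - 51 lines, 1524 bytes.
T 20080617 141152 0000a002 QUIT
T 20080617 141152 0000a002 Connection closed with 198.51.100.7, 2 sec. elapsed.
T 20080617 141155 0000a003 Connection from 203.0.113.99
T 20080617 141155 0000a003 HELO pc.dialup.example
T 20080617 141156 0000a003 MAIL FROM:<x@sender.example>
T 20080617 141156 0000a003 RCPT TO:<victim@elsewhere.example>
T 20080617 141157 0000a003 QUIT
T 20080617 141157 0000a003 Connection closed with 203.0.113.99, 2 sec. elapsed.
"""

LINE = re.compile(r"^([A-Z]) (\d{8}) (\d{6}) ([0-9a-f]+) (.*)$")
ADDR = re.compile(r"^(MAIL FROM|RCPT TO):\s*<([^>]*)>", re.I)
PEER = re.compile(r"^Connection (?:from|closed with) ([\d.]+)")
HELO = re.compile(r"^(?:HELO|EHLO) (\S+)")


def parse_sessions(text):
    """Group log lines by session id; lines of different sessions interleave."""
    sessions = defaultdict(lambda: {"ip": None, "helo": None, "mail_from": None,
                                    "rcpts": [], "data": False, "graywall": False})
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        s, msg = sessions[m.group(4)], m.group(5)
        if (p := PEER.match(msg)):
            s["ip"] = p.group(1)          # also recovered from the close line
        elif (h := HELO.match(msg)):
            s["helo"] = h.group(1)
        elif (a := ADDR.match(msg)):
            if a.group(1).upper() == "MAIL FROM":
                s["mail_from"] = a.group(2)   # "" means null reverse-path
            else:
                s["rcpts"].append(a.group(2))
        elif msg.startswith("DATA - "):
            s["data"] = True              # a message body was received
        elif "Closed by GrayWall" in msg:
            s["graywall"] = True
    return dict(sessions)


def classify(session):
    """relay-attempt: any non-local recipient; null-sender: <> to local users."""
    if not session["rcpts"]:
        return "incomplete"
    domains = {r.rpartition("@")[2].lower() for r in session["rcpts"]}
    if domains - LOCAL_DOMAINS:
        return "relay-attempt"
    if session["mail_from"] == "":
        return "null-sender"
    return "inbound"


def summarize(sessions):
    report = {"by_class": Counter(), "accepted": Counter(),
              "graywalled": Counter(), "null_sender_rcpts": Counter()}
    for s in sessions.values():
        kind = classify(s)
        report["by_class"][kind] += 1
        if s["data"]:
            report["accepted"][kind] += 1
        if s["graywall"]:
            report["graywalled"][kind] += 1
        if kind == "null-sender":
            report["null_sender_rcpts"].update(r.lower() for r in s["rcpts"])
    return report


if __name__ == "__main__":
    for name, counts in summarize(parse_sessions(SAMPLE_LOG)).items():
        print(name, dict(counts))
```

A log in which `relay-attempt` stays at zero while `null-sender` sessions pile up on one local address shows notifications arriving for that address rather than mail being relayed outward.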

I did think of the Exit option, but that did not seem to make a difference. I noticed that quite a few of the emails to a local user have blank return addresses. I tried to make a rule in the Global Rule section with the From header containing no text. Told it to save them to a file. The file says something about ClamD not working.

 Here is my mercury.ini file. As mentioned, I did not set it up, just trying to figure it out. Hope it makes more sense to you than I.

[General]
myname:      reidprographics.com  # Canonical name for this server
timezone:    +0000         # Time Zone to add to date fields
file_api:    1                    # Use the file api instead of queues
mailqueue:   D:\MERCURY\QUEUE   # Where mail should be put for delivery
smtpqueue:   D:\MERCURY\QUEUE   # Where the SMTP client should look for mail
newmail_path: D:\MERCURY\MAIL\~N

[Protocols]
D:\MERCURY\mercurys.dll
D:\MERCURY\mercurye.dll
D:\MERCURY\mercuryp.dll
D:\MERCURY\mercuryi.dll


[Mercury]
failfile:     D:\MERCURY\Mercury\FAILURE.MER  # Delivery failure notification template
confirmfile:  D:\MERCURY\Mercury\CONFIRM.MER  # Delivery confirmation template
aliasfile:    D:\MERCURY\Mercury\ALIAS.MER    # System-wide alias file
synfile:      D:\MERCURY\Mercury\SYNONYM.MER  # User synonym database
listfile:     D:\MERCURY\Mercury\LISTS.MER    # List of lists
# logfile:      D:\MERCURY\Logs\MERCURY.LOG  # Traffic logging file
bitnethost:   cunyvm.cuny.edu      # Relay host for ".bitnet" rewrites
poll:         10                   # Seconds between queue polling cycles
scratch:      D:\MERCURY\Scratch   # Where we can write temp files
returnlines:  15                   # How many lines of failed messages to return
postmaster:   admin   # Local user who acts as postmaster
broadcast:    1                    # Yes, we want broadcast notifications, but
receipts:     0                    # ... no broadcasts for receipt confirmations
PM_notify:    1                    # Do/Don't send errors to the postmaster
change_owner: 1                    # Change message ownership to recipient
# noticeboards: SYS:PUBLIC/NB        # Where to find Pegasus Mail noticeboards
auto_tzone:   1                    # If NZ, obtain timezone information from OS

[MercuryC]
# Session_logging:  G:\           # Directory to write session transcripts
host:             # mail mail host which relays for us
scratch:     D:\MERCURY\Mercury   # Where we can write temp files
poll:        30                   # Seconds between queue polling cycles
returnlines: 15                   # How many lines of failed messages to return
failfile:    D:\MERCURY\Mercury\FAILURE.MER  # Delivery failure template
esmtp:       1                    # Yes, we want to use ESMTP extensions

[MercuryE]
Poll : 15
Timeout : 60
# Session_logging : o:\mail\mercury\melogs
# Session_logmode : 1
# Nameservers : 139.80.64.1

[MercuryD]
scratch              :     D:\MERCURY\Mercury
# Timeout : 30
# Poll : 120               # How often to check hosts for new mail (seconds)

[MercuryS]
Debug : 1
Logfile : D:\MERCURY\Logs\MERCURYS.LOG
Timeout : 30
Relay : 0
Strict_Relay : 1
Allow_Illegals : 0
SMTP_Authentication : 1
Auth_File : rpgauthpass
Compliance_Settings : 256
Maximum_Failed_Rcpts : 4
Max_Relay_Attempts : 0
SSL_Mode : 0
ST_Blacklisting : 288
No_VRFY : 0

[MercuryP]
Scratch : D:\MERCURY\Mercury
Stack : 32768
Mark_Read : 1
SSL_Mode : 0
Login_Disabled : 0
Timeout : 60

[MercuryX]
# Cmd_Delay: 10
# Cmd_Wait: 1
# IE4_Dialling: 0
# Use_ETRN: 1
# Clients_only: 1
# Sunday: 0800,1800,3,15,30,60
# Monday: 0830,2100,5,15,60,60
# Tuesday: 0830,2100,5,15,60,60
# Wednesday: 1500,1900,2,30,5,30
# Thursday: 0900,1900,2,30,0,0
# Friday: 0830,2100,5,15,60,60
# Saturday: 1031,1035,2,45,-1,0

# [Groups]
# testgroup            :     TESTGRP

[Domains]
# NetWare Server           Domain name
reidprographics  :  reidprographics
reidprographics  :  reidprographics.com

# [Rewrite]
# *                    : pmail.gen.nz

[Maiser]
Maiser               :     Maiser
Helpfile             :     D:\MERCURY\Mercury\MAISER.HLP
Lookupfile           :     D:\MERCURY\Mercury\MAISER.LKP
Send_dir             :     D:\MERCURY\Mercury\SENDABLE
Logfile              :     D:\MERCURY\Logs\MAISER.LOG
Notify               :     D:\MERCURY\Mercury\TMP
Local_only           :     Y

[MercuryH]
Logfile              :     D:\MERCURY\Logs\MERCURYH.LOG
# Addressbook : \\CLIO\SYS\SYSTEM\MERCURY\PH.PMR
# MOTD : \\CLIO\SYS\SYSTEM\MERCURY\PH-MOTD.TXT
# Administrator : postmaster@clio.pmail.gen.nz
Timeout : 30

[MercuryI]
Scratch : D:\MERCURY\SCRATCH
Timeout : 120
Server_Port : 143
Idle_Timeout : 1800
SSL_Mode : 0
Login_Disabled : 0

[MercuryB]
Scratch : D:\MERCURY\SCRATCH
# Logfile : o:\mail\tmp\mercuryb.log
Timeout : 120
Server_Port : 80
# Session_logging : o:\mail\mercury\mblogs
# Session_logmode : 0
Idle_Timeout : 1800
# URL_Base : enter_your_domain_here

 


Close Mercury and edit mercury.ini with Notepad. Change the line SMTP_Authentication to 3, save the file and start Mercury again.

If reidprographics.com is the local domain I don't see any relaying happening in the logs, though. You should probably still add a few more entries to the [Domains] section (IP number, full host name).

/Rolf
 


[MercuryS]
Debug : 1
Logfile : D:\MERCURY\Logs\MERCURYS.LOG
Timeout : 30
Relay : 0
Strict_Relay : 1
Allow_Illegals : 0
SMTP_Authentication : 1
Auth_File : rpgauthpass

 Ok, relaying is turned off, strict relaying and authentication turned on.

 

[Domains]
# NetWare Server           Domain name
reidprographics  :  reidprographics
reidprographics  :  reidprographics.com

All mail for any local user with this domain will be received and processed, even from a spammer, unless they have 4 or more failed RCPT TO: addresses.  Since what you showed us in the previous message was going to asap@reidprographics.com, this all looks like valid mail, assuming you have a user called asap.  This is a valid assumption: since you do not have receive mail for non-local users turned on (Allow_Illegals : 0), a RCPT TO: with a bad local address would be bounced by MercuryS.

 

 

 


I have thinned it out considerably, but how come the Spamhalter program is not catching any of this? Also, in their asap@reidprographics.com they have over 3000 replies from failed and bounced email from Germany and Japan mostly. Since enforcing all the non-relay rules, I think that has slowed down, although the "Closed by GrayWall" is constantly going. So, there was relaying going on for most of the day.

I am not sure I understand the instructions on tightening up the [Domains] settings. Could you give me an example of what I should have in there?

btw, I really appreciate your helping me here. This is a printing company and they are nearly shut down by all this!
 


I might need a little instruction on how to add the changes you suggested to the [Domains] field.

Also, how do you set the filter to reject messages with nothing in the FROM field? I tried to put one in with a blank, but it does not seem to be working.

Thanks, 


Someone is presumably using the asap@reidprographics.com address when sending out spam, so you get all the bounces. This is unfortunate but it's not a relay problem with the reidprographics.com server.

Adding further entries to the [Domains] section won't tighten anything up but will make it easier for Mercury to establish what is local and external. I would add mail.reidprographics.com and [98.174.168.52].

/Rolf 

 


Also, in Exchange you can set it up where you can take out whole countries. Is there a way to knock out Russia & China for instance, or really all of East Asia, since my client does no interchange with them?


Bounces are expected to have <> as sender (to avoid mail loops) and it might not be a good idea to block them. You might, for instance, get a bounce of an (important) message actually sent by a local user. You could, however, try using a global filtering rule to move all bounce messages to a special mailbox that you can check periodically:

Headers: Reply-to

Contains this text:  <>

Move message to another user

Parameter: bounces

GrayWall won't help with bounces as they are sent by real mail servers (that will retry), it only delays it a bit.

/Rolf
 


If you get SpamHalter properly trained and optionally use GrayWall you will get rid of most of the spam from user mailboxes. Blocking countries by IP address may be possible but I would advise against it.

/Rolf 


Also, how do you set the filter to reject messages with nothing in the FROM field? I tried to put one in with a blank, but it does not seem to be working.

There are two things here.  One is a MAIL FROM: <> and the other is the missing or blank From: field in the message.  

1.    The MAIL FROM: <> is mail from a mail server IAW RFC 2821 and you do not want to block these.  You especially do not want to reject them since that will get you on black lists as a non-compliant server that MUST accept mail from this address.

2.    The missing or blank From: field is a different story.  You can block this if you wish since every RFC 2822 message MUST have a From: field.  You should be able to gin up a filter looking for "  " in the From: field and do with it as you will.
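
The two distinctions made in the replies above (envelope MAIL FROM: <> versus a missing or blank From: header, and bounces of forged mail versus mail the server really sent), as an added example that is not part of the original thread and is not Mercury code. The function names and the sample messages are constructed for illustration, and checking the Received: lines of the quoted original is an assumption about how to confirm the "forged sender" diagnosis, not a step the thread describes; the IP address is the one given in the thread.

```python
import email
import re
from email.utils import parseaddr

# Public address of the mail server, as given in the thread.
LOCAL_IPS = ("98.174.168.52",)


def classify(envelope_from, raw_message):
    """Return 'bounce', 'no-from' or 'normal' for one received message.

    envelope_from is the SMTP MAIL FROM: value, raw_message the DATA payload.
    """
    if envelope_from.strip() in ("", "<>"):
        return "bounce"  # null reverse-path: accept and file, never reject
    msg = email.message_from_string(raw_message)
    # parseaddr() yields an empty address for a missing, empty or blank header.
    if not parseaddr(msg.get("From", ""))[1]:
        return "no-from"
    return "normal"


def original_received(msg):
    """Received: lines of the message quoted inside a bounce, or None."""
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype == "message/rfc822":
            return part.get_payload(0).get_all("Received", [])
        if ctype == "text/rfc822-headers":
            inner = email.message_from_string(part.get_payload())
            return inner.get_all("Received", [])
    return None  # the bounce does not quote the original


def bounce_origin(raw_bounce, local_ips=LOCAL_IPS):
    """'ours' if the bounced original was handed over by our IP, else 'forged'.

    The connecting IP is written by the receiving server; the HELO name is
    chosen by the sender, so only the IP is matched.
    """
    received = original_received(email.message_from_string(raw_bounce))
    if received is None:
        return "unknown"
    hops = " ".join(received)
    for ip in local_ips:
        # Boundaries stop 198.174.168.52 from matching 98.174.168.52.
        if re.search(r"(?<![\d.])" + re.escape(ip) + r"(?![\d.])", hops):
            return "ours"
    return "forged"


def sample_bounce(relay_ip):
    """Constructed DSN whose quoted original was handed over by relay_ip."""
    return (
        "From: MAILER-DAEMON@mx.example.net\n"
        "To: asap@reidprographics.com\n"
        "Subject: Undelivered Mail Returned to Sender\n"
        "MIME-Version: 1.0\n"
        'Content-Type: multipart/report; boundary="b1"\n'
        "\n"
        "--b1\n"
        "Content-Type: text/plain\n"
        "\n"
        "User unknown.\n"
        "--b1\n"
        "Content-Type: message/rfc822\n"
        "\n"
        f"Received: from host.example.org ([{relay_ip}]) by mx.example.net; "
        "Mon, 1 Jan 2001 00:00:00 +0000\n"
        "From: asap@reidprographics.com\n"
        "Subject: constructed sample\n"
        "\n"
        "body\n"
        "--b1--\n"
    )


if __name__ == "__main__":
    print(classify("<>", sample_bounce("203.0.113.7")))
    print(bounce_origin(sample_bounce("203.0.113.7")))
```

A result of "ours" is a reason to look at the server's own logs, not proof by itself, because Received: lines below the one written by the bouncing server can be forged by the sender.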

 
