in our organization (italian ISP) we have ten ironport appliance for relay service of our customers.
In last weeks we are receiving a lot of spam from clients probably infected by worms.
These messages are not blocked from IPAS.
The bodies, senders, recipients ed subjects change continuosly. It's an hard work for us insert filters every few hours.
All messages have a similar entry in the header. After the ehlo the worm insert a variable number of digit (from 4 to 8 digit).
Is it possibile to insert a filter that drops connections if after helo a numeric value is inserted ?
Thanks for your help.