Sudden surge in spam emails and also spam emails with attachments as well

nealdxmhost (Verified User, joined Jan 1, 2009, 237 messages, Los Angeles CA) wrote:
Hey all,

I have been seeing a sudden surge in spam emails coming in, both to my own email and to many customers' as well. Many of these emails have attachments as well, which I am moving to my spam folder or sending to the teachisspam folder, but they keep coming like crazy.

Here is a sample header
Code:
Return-Path: <[email protected]>
Delivered-To: [email protected]
Received: from da603.namelessnet.net
	by da603.namelessnet.net (Dovecot) with LMTP id Hw9GBO0uIlf+EgAAVC6xjw
	for <[email protected]>; Thu, 28 Apr 2016 08:40:29 -0700
Return-path: <[email protected]>
Received: from mail by da603.namelessnet.net with spam-scanned (Exim 4.86)
	(envelope-from <[email protected]>)
	id 1avo3H-0001Fj-DN
	for [email protected]; Thu, 28 Apr 2016 08:40:28 -0700
X-Spam-Checker-Version: SpamAssassin 3.4.1 (2015-04-28) on
	da603.namelessnet.net
X-Spam-Level: 
X-Spam-Status: No, score=-97.1 required=1.1 tests=BAYES_50,HELO_DYNAMIC_DHCP,
	HTML_MESSAGE,MIME_HTML_MOSTLY,RDNS_NONE,SPF_SOFTFAIL,TVD_SPACE_RATIO,
	T_SPF_HELO_TEMPERROR,USER_IN_WHITELIST autolearn=no autolearn_force=no
	version=3.4.1
Received: from [77.222.1.209] (helo=adsl-lns3-l465.crnagora.net)
	by da603.namelessnet.net with esmtp (Exim 4.86)
	(envelope-from <[email protected]>)
	id 1avo3D-0001FL-Ex
	for [email protected]; Thu, 28 Apr 2016 08:40:24 -0700
From: <[email protected]>
To: <[email protected]>
Subject: Doc70
Thread-Topic: Doc70
Thread-Index: AdF+sJZYKtxaTvOhSFC+rMKD/CUwyg==
Date: Thu, 28 Apr 2016 17:40:20 +0200
Message-ID: <[email protected]>
Accept-Language: en-GB, en-US
Content-Language: en-US
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator:
x-originating-ip: [192.168.15.26]
Content-Type: multipart/mixed;
	boundary="_004_A97979E427239B596649E0E7C2501E98424F7436A89AA0698boroloca_"
MIME-Version: 1.0
SpamTally: Final spam score:
 
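The X-Spam-Status line in that header is the part worth checking: the message scored -97.1 against a threshold of 1.1 only because USER_IN_WHITELIST fired alongside SPF_SOFTFAIL, RDNS_NONE and HELO_DYNAMIC_DHCP. Added example, not from the thread or from DirectAdmin, assuming the stock -100 score for USER_IN_WHITELIST and placeholder addresses in place of the redacted ones: a Python check that unfolds the header, recomputes the score without whitelist credit, and flags messages that a whitelist entry let through.

```python
import re

# Constructed sample: the folded SpamAssassin header from the post above,
# with the redacted addresses replaced by placeholder names.
SAMPLE = """\
Return-Path: <sender@example.test>
Received: from [77.222.1.209] (helo=adsl-lns3-l465.crnagora.net)
\tby da603.namelessnet.net with esmtp (Exim 4.86)
X-Spam-Status: No, score=-97.1 required=1.1 tests=BAYES_50,HELO_DYNAMIC_DHCP,
\tHTML_MESSAGE,MIME_HTML_MOSTLY,RDNS_NONE,SPF_SOFTFAIL,TVD_SPACE_RATIO,
\tT_SPF_HELO_TEMPERROR,USER_IN_WHITELIST autolearn=no autolearn_force=no
\tversion=3.4.1
Subject: Doc70
"""

# Stock SpamAssassin score for the whitelist rule (assumed default from 50_scores.cf).
WHITELIST_CREDIT = {"USER_IN_WHITELIST": -100.0}
# Rules that commonly fire when the envelope sender is forged.
SPOOF_HINTS = {"SPF_SOFTFAIL", "SPF_FAIL", "RDNS_NONE", "HELO_DYNAMIC_DHCP"}

def unfold(raw):
    """Join RFC 5322 continuation lines (leading SP/HTAB) onto their header line."""
    out = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and out:
            out[-1] += " " + line.strip()
        else:
            out.append(line)
    return out

def parse_spam_status(raw):
    """Return score, threshold and the set of rule names from X-Spam-Status, or None."""
    for line in unfold(raw):
        if line.lower().startswith("x-spam-status:"):
            m = re.search(r"score=(-?[\d.]+)\s+required=(-?[\d.]+)\s+tests=([\w,\s]+?)(?:\s+autolearn=|$)", line)
            if m:
                tests = {t for t in re.split(r"[,\s]+", m.group(3).strip()) if t}
                return {"score": float(m.group(1)), "required": float(m.group(2)), "tests": tests}
    return None

def whitelist_masked_spam(raw):
    """Flag a message that only passed because a whitelist rule hid a spam verdict."""
    st = parse_spam_status(raw)
    if st is None:
        return {"masked": False, "adjusted": None, "spoof_hints": set()}
    credit = sum(v for k, v in WHITELIST_CREDIT.items() if k in st["tests"])
    adjusted = round(st["score"] - credit, 1)  # score the message would have had without whitelisting
    return {"masked": credit < 0 and adjusted >= st["required"],
            "adjusted": adjusted,
            "spoof_hints": st["tests"] & SPOOF_HINTS}

if __name__ == "__main__":
    print(whitelist_masked_spam(SAMPLE))
```

Running it over a mail spool where `masked` is true and `spoof_hints` is non-empty points at whitelist entries (typically the user's own domain) that spammers are hitting by forging the sender.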
I might have forgotten to check something when I did some DNS work for you.
In every /etc/named.conf which is -not- connecting with DirectSlave or something else but only with the multiserver setup of DirectAdmin itself, add this line somewhere under options and restart BIND:
Code:
allow-transfer { none; };  // refuse zone transfers (AXFR/IXFR) to every host

Next to that, check if the IPs are different or if they are all in the 77.222.1.209 range.
If they are all in that range, block them with csf using:
csf -d 77.222.0.0/19
It's a Montenegro DSL provider.

And of course report them to spamcop.net too. :)
 