Getting spammed, what can I do?

Vpower

A user's email address is getting spammed with over 4000 emails per day from different hosts.
Spamassassin is installed.
Is there anything I can do except adding the spamming domains to the blacklist?
 
Look at the spam rating in SpamAssassin for those mails. If it is too low, you could try using spamblocker (exim.conf).

If it is at least 5 or 4, you can lower the threshold for that user ;)
 
Vpower said:
A user's email address is getting spammed with over 4000 emails per day from different hosts.
Spamassassin is installed.
Is there anything I can do except adding the spamming domains to the blacklist?

We use Spamblocker and it blocks approx. a spam a second from our DA server :)

I wish Spamblocker had a graphical report as I think it's a good service enhancer.

We modified it to only use sbl-xbl.spamhaus.org instead of all of the ones in Jeff's original as we like the way spamhaus go about adding/deleting names. In my opinion some of the other blacklists tend to be a little neurotic and include anyone as soon as they get a whiff of a complaint and are then slow to remove people. The downside of this is we still get a bit of spam through but no false positives, which is also important to us.

If you're not giving Spamblocker a go then I recommend using it - also I understand Spam Assassin v3 is better which *should* be in the next update of DA on 10th December

Rob
 
Re: Re: Getting spammed, what can I do?

matrixx said:
I wish Spamblocker had a graphical report as I think it's a good service enhancer.
I wish it did, too, Rob.

Care to write it :) ?

Jeff
 
If I had the time to learn how to I would - frankly I wouldn't know where to start at the moment ... maybe a nice Christmas project...

I guess it's a case of tapping into the exim reject logs and going from there right?

I've always tended to pay people who can do a better job than me - sometimes that works and sometimes it doesn't ;)

Rob
 
I guess it's a case of tapping into the exim reject logs and going from there right?

You can do this with Mailgraph. I just cannot get it to work with Fedora 2 yet darnit.

http://www.syndicat.com/pub/exim/mailgraph/

http://people.ee.ethz.ch/~dws/software/mailgraph/

I am not sure if it works with Spamblocker but if all you are doing is blocking based on a few blacklists you can accomplish that with two lines of code in exim.conf.

http://www.exim.org/howto/rbl.html

deny dnslists = relays.ordb.org : sbl-xbl.spamhaus.org
     message = rejected because $sender_host_address is in the blacklist at $dnslist_domain\n\
               ($dnslist_text)

Matthew
 
A user's email address is getting spammed with over 4000 emails per day from different hosts.
Spamassassin is installed.
Is there anything I can do except adding the spamming domains to the blacklist?

Are you sure you did not accidentally get him set up on a catch-all email address? That would cause this.

At that rate about all you likely can do is get him a different email address.

Might set up an autoresponder with a notice of his new address encrypted like so: newemail(A-T)domain.com. That way he hopefully could alert all his friends to the new email address.

But the question is, do you want to do 4000 autoreplies a day to mostly non-existent email addresses?

Matthew
 
hehe, no catch-all email here :)
I managed to stop the spam by blocking the domain in DA.
When I investigated a bit, I found that it was sending from the same host: hermes.freestyleusa.com
 
From what I understand, using Matthew's suggestion or Jeff's spam blocker the emails will be rejected earlier and will not make it onto the server, therefore reducing the load on your server.

I believe that you've still got to process all those mails if you block at DA level - someone will correct me if I'm wrong ;)

Rob
 
hci said:
You can do this with Mailgraph. I just cannot get it to work with Fedora 2 yet darnit.
You most likely can. I just don't have time right now to look into it.

Note that I've made some changes to exim.conf which affect what gets logged to rejectlog, so you might either have to change back to exim-standard logging or change Mailgraph to read the information I'm logging.

I am not sure if it works with Spamblocker but if all you are doing is blocking based on a few blacklists you can accomplish that with two lines of code in exim.conf.
Sure you can, but the code is already built into SpamBlocker which is already built in to DA.

Yes, our code is a bit more complex because we handle different blocklists in different ways, and because we implement whitelists and blacklists, and even a switch for which domains use the blocklists.

So why reinvent the wheel when the code is already there and all you have to do is add domain names to use_rbl_domains?

Jeff
 
matrixx said:
I believe that you've still got to process all those mails if you block at DA level - someone will correct me if I'm wrong ;)
If someone will be so kind as to point me to the code in exim.conf which handles the DA domain blocking, I can tell you where it gets done; I just have the time to look it up myself now.

Jeff
 
Thanks for all the help guys :)
Think I have almost everything under control now :)
Installed SA 3.0.1 and the spamblocker exim.conf and it seems to have been a success :)
Now another question: I've now got an email account with 100MB of mail. How do I delete it via ssh?
 
wasn't over anyway..
How on earth can I block this:

Return-path: <>
Envelope-to: [email protected]
Delivery-date: Wed, 01 Dec 2004 18:57:03 +0100
Received: from mail by server.polarweb.net with spam-scanned (Exim 4.32)
id 1CZYit-0001Fb-BB
for [email protected]; Wed, 01 Dec 2004 18:57:03 +0100
Received: from [64.211.106.215] (helo=hermes.awcus.com)
by server.polarweb.net with esmtp (Exim 4.32)
id 1CZYit-0001FN-3U
for [email protected]; Wed, 01 Dec 2004 18:57:03 +0100
Received: by HERMES with Internet Mail Service (5.5.2653.19)
id <MTKFSNKV>; Wed, 1 Dec 2004 09:45:37 -0800
Message-ID: <C5E09A4714865644A844F471C25262088A51BA@HERMES>
From: System Administrator <[email protected]>
To: [email protected]
Subject: Undeliverable: Don`t worry, be happy!
Date: Wed, 1 Dec 2004 09:45:36 -0800
MIME-Version: 1.0
X-Mailer: Internet Mail Service (5.5.2653.19)
X-MS-Embedded-Report:
Content-Type: multipart/mixed;
boundary="----_=_NextPart_000_01C4D7CD.9089606A"
X-Spam-Checker-Version: SpamAssassin 3.0.1 (2004-10-22) on server.polarweb.net
X-Spam-Level:
X-Spam-Status: No, score=0.3 required=5.0 tests=AWL autolearn=unavailable
version=3.0.1
X-UM-Flags: \SEEN

I've tried to add freestyleusa.com to blacklist_domains, no help.
I've tried to add hermes.awcus.com to bad_sender_host, no help

What can I do? heeeeeeelp!
 
hermes.awcus.com is not a real domain name.

The email is coming from 64.211.106.215.

There's no reverse DNS for 64.211.106.215.

So you should just put the IP# into the bad_sender_hosts file.

Jeff
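
Added example (not part of any post in this thread, and not SpamBlocker or DirectAdmin code): the Python sketch below reads the headers quoted above and shows why the answer keys on the IP. The envelope sender is empty (Return-path: <>) and Exim recorded the peer as "[IP] (helo=name)", the form it writes when it has no verified reverse-DNS name. It also builds the name a DNS blocklist lookup for that IP would query. Function names are illustrative, and Exim's default Received: layout is assumed.

```python
import ipaddress
import re
from email import message_from_string

# Headers from the message quoted in the thread; the redacted "for" parts are omitted.
SAMPLE = """\
Return-path: <>
Received: from mail by server.polarweb.net with spam-scanned (Exim 4.32)
\tid 1CZYit-0001Fb-BB; Wed, 01 Dec 2004 18:57:03 +0100
Received: from [64.211.106.215] (helo=hermes.awcus.com)
\tby server.polarweb.net with esmtp (Exim 4.32)
\tid 1CZYit-0001FN-3U; Wed, 01 Dec 2004 18:57:03 +0100
Received: by HERMES with Internet Mail Service (5.5.2653.19)
\tid <MTKFSNKV>; Wed, 1 Dec 2004 09:45:37 -0800
Subject: Undeliverable

"""

# Exim writes "[ip] (helo=name)" when reverse DNS gave no verified name,
# and "host.name ([ip] helo=name)" when it did.
NO_RDNS = re.compile(r"from \[(?P<ip>[0-9A-Fa-f.:]+)\]\s+\(helo=(?P<helo>[^)\s]+)\)")
RDNS = re.compile(
    r"from (?P<host>[^\s\[]+) \(\[(?P<ip>[0-9A-Fa-f.:]+)\](?: helo=(?P<helo>[^)\s]+))?\)")

def smtp_peer(raw, our_host):
    """Facts from the Received line that our_host added for the SMTP hop."""
    msg = message_from_string(raw)
    for hdr in msg.get_all("Received", []):
        flat = " ".join(hdr.split())          # unfold continuation lines
        if f"by {our_host} " not in flat or "smtp" not in flat:
            continue                          # not our SMTP hop (e.g. local rescan)
        m = NO_RDNS.search(flat) or RDNS.search(flat)
        if m:
            d = m.groupdict()
            return {"ip": d["ip"],            # seen on the TCP connection
                    "helo": d.get("helo"),    # claimed by the peer, unverified
                    "rdns": d.get("host"),    # None: no verified host name
                    "null_sender": msg.get("Return-path", "").strip() == "<>"}
    return None

def dnsbl_name(ip, zone="sbl-xbl.spamhaus.org"):
    """Query name for ip in a DNS blocklist zone (reversed octets/nibbles + zone)."""
    rev = ipaddress.ip_address(ip).reverse_pointer.rsplit(".", 2)[0]
    return f"{rev}.{zone}"

if __name__ == "__main__":
    peer = smtp_peer(SAMPLE, "server.polarweb.net")
    print(peer)
    print(dnsbl_name(peer["ip"]))
```

Headers below the line added by your own server (here the "by HERMES" line) were written by the sending side and should not drive a block decision.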
 
It has worked for me in the past and I don't get emails from IP#s listed in that file.

I suppose you could temporarily add it to your firewalling.

I'll investigate the matter further when I have more time.

Jeff
 
I added 64.211.106.215 to bad_sender_hosts file, but the spam keeps coming

I assume you have restarted exim after making the changes?

/etc/init.d/exim restart

Matthew
 
You're welcome.

I will be doing more checking as I have available time.

Fixing the problem, if there is one, is a very important part of moving forward on my exim.conf file, so this is quite important to me.

Jeff
 