Identified Spam issue - how to block

[nobleclem]

So I have been getting tons of spam and have found a relationship between them all.

The emails always follow a pattern if you compare the IP and Hostname.
Received: from 123.srv.static.hopquickeas2.com ([209.144.196.123])
Received: from 197.ml.static.hopquickeas2.com ([209.144.196.197])
Received: from 55.srv.static.hopquickeas2.com ([209.144.196.55])

Pattern: {Last_IP_Octet}.{}.static.{DOMAIN}.{TLD}

Is there anyway to check for a pattern like this? I can provide more of these as I get them.

 

[chatwizrd]

If you are having problems from the same hosts you can add them to your firewall or /etc/virtual/blacklist_senders

 

[nobleclem]

unfortunately no. I did that at first a month or two ago and the host names and ips just keep changing.

 

[chatwizrd]

So they are not always from the domain: hopquickeas2.com

 

[nobleclem]

No I just don't have any that I have not deleted from anywhere else at this time.

Also this host name will spam me probably until they get on a RBL then they will change host names and IP's and I will get another wave. Maybe in a day or so I will start getting a new host name spamming me.

What I was hoping to do is some fancy regular expression to match the ip and the host name and just block the delivery.

 

[chatwizrd]

Well yes you can stop it with a exim filter. I do not know filters well in exim maybe someone else can reply.

But I think blocking {Last_IP_Octet}.{}.static.{DOMAIN}.{TLD}

may potentially block alot of legitimate traffic as well.

 

[nobleclem]

any other options? Spam Assassin doesn't seem to be catching it.

 

[nobaloney]

Once you've identified the /25s with the problem, you can block those /25s.

Update to the latest version of SpamBlocker, found here, but be sure to read the instructions.

Put the /25s into the top of the /etc/virtual/bad_sender_hosts file.

Jeff

 

[nobleclem]

see jlasman the problem is that it changes. So its no more work than adding the ip itself and maintaining it manually. My goal is to not have to do that.

So here is a new one after I block the 3 ip's above:
Received: from 4.srv.static.manianet.info ([66.240.222.4])
Received: from 136.srv.static.manianet.info ([66.240.222.136])

 

[nobaloney]

You could write a script to grep your logs to see what's going on, and when it finds the problem (it can grep and count) add the line at the top of /etc/virtual/bad_sender_hosts file.

Jeff

 

[nobleclem]

oh I like that idea. I think I could come up with something that counts and detects abuse based on the hostname/ip pattern I am wanting to catch.

So simple I don't know why I didn't think of it.

Thank you!

 

[nobaloney]

Note that when the new SpamBlocker gets out of beta it will use a separate file for blocking IP subnets. If you've got a script it should be easy to change, and at that time it won't be necessary to put the subnet at the top.

Jeff

 

[nobleclem]

can comments be placed in the bad_sender_hosts file?

 

[nobaloney]

No. It's a limitation of exim and how it uses the file.

Jeff