Spammer was not rejected

heininger

Hi!

I got an abuse report about spam sent over our server.
The IP address that delivered the spam mail was always rejected except once.

2008-01-07 22:23:35 1JBzRW-xxxxxx-K3 <= [email protected] H=xxx.dip0.t-ipconnect.de [SPAM.MERI.PADD.RESS] P=smtp S=2999 [email protected] T="ª≈¶¸≠ß§Ë™∫ª∂©fßJ√ƒ´·•˛ªr§j∏ı∑n¿YªR-" from <[email protected]> for [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected]

All the xxx are from me to obfuscate email data.
The sender domain and recipient domains are not hosted on our server.

Could it be that the chars behind T= are a problem?
All other emails from the spammer IP had similar recipients but cleartext behind T=

TIA,
Mike
 
Could it be because I have hotmail.com in the /etc/virtual/whitelist_domains file? I think this file only affects locally delivered emails but maybe I am wrong :)

TIA,
Mike
 
You should not put hotmail.com in /etc/virtual/whitelist_domains; otherwise it skips all spam checks. Instead, it is suggested that you put *@hotmail.com in SpamAssassin's whitelist.

On the other hand, you should add a HELO check to your exim.conf for hotmail.com mail to reject forged senders. Please search this forum for info.
 
> You should not put hotmail.com in /etc/virtual/whitelist_domains; otherwise it skips all spam checks. Instead, it is suggested that you put *@hotmail.com in SpamAssassin's whitelist.

But when the email is blocked by some RBL entry in the exim.conf, the email will never be checked by SpamAssassin.

> On the other hand, you should add a HELO check to your exim.conf for hotmail.com mail to reject forged senders. Please search this forum for info.

Thanks for the hint. I will search for this.

Mike
 
> But when the email is blocked by some RBL entry in the exim.conf, the email will never be checked by SpamAssassin.

> Thanks for the hint. I will search for this.

In my experience, the lone use of zen.spamhaus.org cut 80% of spam. A HELO check for some major free email providers like hotmail, yahoo, gmail cut some other percentage. Further applying the sanesecurity plugin for ClamAV cut almost 98% of spam. SpamAssassin would then become useless.
 
I also meet this s-h-i-t hinet.net (from Taiwan) company sending mail through my server. Crazy s-h-i-t.
 
> Could it be because I have hotmail.com in the /etc/virtual/whitelist_domains file? I think this file only affects locally delivered emails but maybe I am wrong :)

Can someone confirm that the whitelist_domains file also affects emails from foreign addresses to foreign addresses?

TIA,
Mike
 
> Thanks for the hint. I will search for this.

Actually we tried it in SpamBlocker (I think it's still in SpamBlocker3 Beta) but if anyone sends mail from their own desktop with a hotmail return address (much more common than you'd think), it blocks that mail.

So we no longer recommend it and it won't be in the final SpamBlocker3.

Critical, though, that you don't whitelist popular domains used for spamming. Instead whitelist only specific senders. Or if you can get a list of all the hotmail servers, specifically whitelist those hosts.

Jeff
 
Thanks for the hint! We already did that some days ago, as it seems that the whitelist also affects emails from foreign addresses to foreign addresses.

Could the script be changed to affect only local deliveries?


TIA,
Mike
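
Added example, not part of the thread and not DirectAdmin or SpamBlocker code: a log check for the case reported above, where an unauthenticated remote host gets a message accepted although neither the envelope sender nor the recipients are hosted locally, and the sender domain is in the whitelist. The function name, the domain sets and the log lines are constructed for illustration; it assumes arrival lines carry the recipient list (`for ...`), as the logged line in the first post does.

```python
import re

# Exim main-log arrival line: "<date> <time> <msg-id> <= <envelope sender> <fields>"
ARRIVAL = re.compile(r'^(\S+ \S+) (\S+) <= (\S+) (.*)$')
SUBJECT = re.compile(r' T="(?:[^"\\]|\\.)*"')   # quoted subject, may hold any bytes
HOST_IP = re.compile(r'H=[^\[]*\[([^\]]+)\]')    # remote host field with [ip]
AUTHED = re.compile(r'(?:^| )A=\S+')             # present when SMTP AUTH was used

def domain_of(addr):
    """Lower-cased domain part of an address, '' for the null sender <>."""
    return addr.rsplit('@', 1)[1].lower() if '@' in addr else ''

def find_relayed(lines, local_domains, whitelist_domains):
    """Return unauthenticated remote arrivals whose sender is not local and
    that carry at least one non-local recipient (mail relayed for outsiders)."""
    findings = []
    for line in lines:
        m = ARRIVAL.match(line)
        if not m:
            continue                     # deliveries (=>), rejections, other lines
        msg_id, sender = m.group(2), m.group(3)
        # Drop the subject first so its text cannot be mistaken for A= or H=.
        fields = SUBJECT.sub('', m.group(4))
        host = HOST_IP.search(fields)
        _, sep, rcpts = fields.rpartition(' for ')
        if not host or not sep or AUTHED.search(fields):
            continue                     # local submission, no rcpt list, or AUTH
        remote = [r for r in rcpts.split() if domain_of(r) not in local_domains]
        sender_domain = domain_of(sender)
        if sender_domain in local_domains or not remote:
            continue
        findings.append({
            'id': msg_id, 'ip': host.group(1), 'sender': sender,
            'recipients': len(remote),
            'sender_whitelisted': sender_domain in whitelist_domains,
        })
    return findings

# Constructed sample data: reserved example domains and documentation IPs.
LOCAL = {'hosted.example'}
WHITELIST = {'freemail.example'}   # stands in for the hotmail.com whitelist entry
SAMPLE = [
    r'2008-01-07 22:23:35 1JBzRW-0001aB-K3 <= forged@freemail.example H=dyn.isp.example [192.0.2.10] P=smtp S=2999 T="offer for \"you\"" from <forged@freemail.example> for a@other.example b@other2.example',
    r'2008-01-07 22:25:01 1JBzSu-0001bC-2x <= friend@freemail.example H=mx.freemail.example [198.51.100.7] P=esmtp S=1200 T="hello" from <friend@freemail.example> for user@hosted.example',
    r'2008-01-07 22:26:10 1JBzU1-0001cD-9q <= user@hosted.example H=client.isp.example [203.0.113.5] P=esmtpa A=login:user@hosted.example S=900 T="re: hello" from <user@hosted.example> for friend@freemail.example',
    r'2008-01-07 22:27:44 1JBzVY-0001dE-Lm <= other@unknown.example H=dyn.isp.example [192.0.2.10] P=smtp S=2100 T="x" from <other@unknown.example> for c@other.example',
    r'2008-01-07 22:28:00 1JBzVo-0001eF-Qz => user@hosted.example R=virtual_user T=virtual_localdelivery',
]

if __name__ == '__main__':
    for finding in find_relayed(SAMPLE, LOCAL, WHITELIST):
        print(finding)
```

Any finding with `sender_whitelisted` set points at a whitelist entry worth removing or narrowing to specific senders or hosts, as suggested earlier in the thread.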
 