Misuse of my domain.

Rick Cooper rcooper at DIMENSION-FLM.COM
Sun Nov 9 15:29:53 GMT 2003


> -----Original Message-----
> From: MailScanner mailing list [mailto:MAILSCANNER at JISCMAIL.AC.UK]On
> Behalf Of Erik Jakobsen
> Sent: Sunday, November 09, 2003 9:49 AM
> To: MAILSCANNER at JISCMAIL.AC.UK
> Subject: Re: Misuse of my domain.
>
>
> Hi Rick. I'm sorry, but I need more information in details on
> what I can do.

Personally I would block mail from john/james @urbakken.dk at the MTA RCPT
level, not even allowing it to reach DATA. How you do that would depend upon
your MTA. If you don't have config access to the MTA, then do it in
MailScanner:

In your MailScanner.conf find the line: Is Definitely Spam =
and change it to: Is Definitely Spam = %rules-dir%/spam.blacklist.rules

Now create the file spam.blacklist.rules in your rules dir (normally
/opt/MailScanner/etc/rules) and it should look like:

   From:        john at urbakken.dk        yes
   From:        james at urbakken.dk       yes
   FromOrTo:    default                 no

Restart MailScanner and anything from john/james at urbakken.dk should be
handled as spam always. Again, if you do not have users named john or james
I am wondering how this mail is getting to the spam checks in the first
place... I noticed in your post with the header information the mails are
mime/multipart so I am betting they have photos.zip or readnow.zip and this
should be caught by the virus scanner anyway.

There is a very good list of usage of rule files found in
MailScanner/etc/rules/EXAMPLES that you may want to look through.

>
> Rick Cooper wrote:
> >>-----Original Message-----
> >>From: MailScanner mailing list [mailto:MAILSCANNER at JISCMAIL.AC.UK]On
> >>Behalf Of Erik Jakobsen
> >>Sent: Sunday, November 09, 2003 6:58 AM
> >>To: MAILSCANNER at JISCMAIL.AC.UK
> >>Subject: Re: Misuse of my domain.
> >>
> >>
> >>Hi Peter. Here is the header from the culprit:
> >>
> >> From - Sun Nov  9 10:04:43 2003
> >>X-UIDL: H>*#!]Bd"!:4K!!bf4!!
> >>X-Mozilla-Status: 0001
> >>X-Mozilla-Status2: 00000000
> >>Received: from localhost [127.0.0.1] by lajka2
> >>        with SpamAssassin (2.55 1.174.2.19-2003-05-19-exp);
> >>        Sun, 09 Nov 2003 10:04:06 +0100
> >>From: john at urbakken.dk
> >>To: Erik <erik at urbakken.dk>
> >
> >
> > The important thing to note here is that mail from john at yourdomain or
> > james at yourdomain with an accompanying photos.zip/readnow.zip file is coming
> > from the Mimail.C/G worm, not someone misusing your domain name. Unless you
> > actually have users named john/james you should be blocking mail from both
> > totally.
>
> I do not have either of those names as users. And how to block
> the mails ?.
>
> >
> >>Date: Sun,  9 Nov 2003 09:35:38 +0100 (CET)
> >>Message-Id: <20031109083538.E8CEFC062 at fupA.post.tele.dk>
> >>X-Spam-Flag: YES
> >>X-Spam-Status: Yes, hits=5.2 required=5.0
> >>        tests=AWL,BAYES_90,NO_REAL_NAME
> >>        version=2.55
> >>X-Spam-Level: *****
> >>X-Spam-Checker-Version: SpamAssassin 2.55 (1.174.2.19-2003-05-19-exp)
> >>MIME-Version: 1.0
> >>Content-Type: multipart/mixed; boundary="----------=_3FAE0306.3C6CC969"
> >>X-UIDL: H>*#!]Bd"!:4K!!bf4!!
> >>
> >>This is a multi-part message in MIME format.
> >>
> >>------------=_3FAE0306.3C6CC969
> >>Content-Type: text/plain
> >>Content-Disposition: inline
> >>Content-Transfer-Encoding: 8bit
> >>
> >>This mail is probably spam.  The original message has been attached
> >>along with this report, so you can recognize or block similar unwanted
> >>mail in future.  See http://spamassassin.org/tag/ for more details.
> >>
> >>Content preview:  [...]
> >>
> >>Content analysis details:   (5.20 points, 5 required)
> >>NO_REAL_NAME       (1.1 points)  From: does not include a real name
> >>BAYES_90           (4.0 points)  BODY: Bayesian classifier says spam
> >>probability is 90 to 99%
> >>                    [score: 0.9897]
> >>AWL                (0.1 points)  AWL: Auto-whitelist adjustment
> >>
> >>
> >>
> >>------------=_3FAE0306.3C6CC969
> >>Content-Type: message/rfc822; x-spam-type=original
> >>Content-Description: original message before SpamAssassin
> >>Content-Disposition: inline
> >>Content-Transfer-Encoding: 8bit
> >>
> >>Return-Path: <john at urbakken.dk>
> >>X-Original-To: erik at localhost
> >>Delivered-To: erik at localhost.lajka2.local
> >>Received: from localhost (localhost [127.0.0.1])
> >>        by lajka2.local (Postfix) with ESMTP id 34954480F5
> >>        for <erik at localhost>; Sun,  9 Nov 2003 10:03:47 +0100 (CET)
> >>Delivered-To: erik at urbakken.dk
> >>Received: from urbakken.dk [192.168.1.1]
> >>        by localhost with POP3 (fetchmail-6.2.1)
> >>        for erik at localhost (single-drop); Sun, 09 Nov 2003
> >>10:03:47 +0100 (CET)
> >>Received: from fupA.post.tele.dk (fupA.post.tele.dk [195.41.53.68])
> >>        by gateway.urbakken.dk (Postfix) with ESMTP id 160D1AAB39
> >>        for <erik at urbakken.dk>; Sun,  9 Nov 2003 03:35:48 -0500 (EST)
> >>Received: from localhost (D40A6EA5.rev.stofanet.dk [212.10.110.165])
> >>        by fupA.post.tele.dk (Postfix) with SMTP id E8CEFC062
> >>        for <erik at urbakken.dk>; Sun,  9 Nov 2003 09:35:38 +0100 (CET)
> >>From: john at urbakken.dk
> >>To: Erik <erik at urbakken.dk>
> >>Reply-To: john at urbakken.dk
> >>Message-Id: <20031109083538.E8CEFC062 at fupA.post.tele.dk>
> >>Date: Sun,  9 Nov 2003 09:35:38 +0100 (CET)
> >>X-yoursite-MailScanner-Information: Please contact the ISP for more
> >>information
> >>X-yoursite-MailScanner: Found to be clean
> >>
> >>
> >>
> >>------------=_3FAE0306.3C6CC969--
> >>
> >>
> >>Peter Bonivart wrote:
> >>
> >>>Erik Jakobsen wrote:
> >>>
> >>>
> >>>>This is what I see, but I haven't seen the whole headers. What is the
> >>>>"envelope from address" ?.
> >>>
> >>>
> >>>Compare it to regular mail, you can write what you want on the paper
> >>>inside the envelope, it will still be delivered to the address on the
> >>>envelope. You can find the envelope information in your server logs.
> >>>
> >>>This is from a fresh spam of mine (some info edited out with x):
> >>>
> >>>Nov  9 12:17:28 kleenex sendmail[23204]: [ID 801593 mail.info]
> >>>hA9BHR7u023204: from=<bounce-fsd-459798 at blast1.myfree.com>, size=7298,
> >>>class=0, nrcpts=1,
> >>>msgid=<LYRIS-459798-1269238-2003.11.09-02.20.05--x at blast1.myfree.com>,
> >>>bodytype=8BITMIME, proto=ESMTP, daemon=MTA-v4, relay=x.x.x [x.x.x.x]
> >>>
> >>>Nov  9 12:17:29 kleenex MailScanner[15265]: Message hA9BHR7u023204 from
> >>>x.x.x.x (bounce-fsd-459798 at blast1.myfree.com) to x.x is spam,
> >>>SpamAssassin (score=10.901, required 5, BAYES_99 5.40, CLICK_BELOW 0.10,
> >>>HTML_60_70 0.11, HTML_FONTCOLOR_BLUE 0.10, HTML_FONTCOLOR_UNKNOWN 0.10,
> >>>HTML_FONTCOLOR_UNSAFE 0.10, HTML_FONT_BIG 0.27, HTML_IMAGE_ONLY_10 0.02,
> >>>HTML_IMAGE_RATIO_08 0.36, HTML_LINK_CLICK_HERE 0.10, HTML_MESSAGE 0.10,
> >>>MIME_HTML_ONLY 0.32, NO_COST 1.67, NO_REAL_NAME 0.16, SUB_FREE_OFFER
> >>>1.66, SUPPLIES_LIMITED 0.33)
> >>>
> >>>Look at the first line from Sendmail, it says it's from
> >>>bounce... at blast1.myfree.com, that's the envelope address and the one you
> >>>should block, note on the second line that MS logs that address too. Now
> >>>look at this:
> >>>
> >>>H??From: <MyFreeStuffDaily at MyFree.com>
> >>>
> >>>It's taken from my quarantine and is the header file (qf) for the same
> >>>message, that's what they want me to see in my mail client. It will not
> >>>help to block that address since it can be anything and has nothing to
> >>>do with the actual delivery of the message, it's common for spammers to
> >>>use the same for from and to.
> >>>
> >>>I hope that helps.
> >>>
> >>>/Peter Bonivart
> >>>
> >>>--Unix lovers do it in the Sun
> >>>
> >>>Sun Fire V210, Solaris 9, Sendmail 8.12.10, MailScanner 4.23-11,
> >>>SpamAssassin 2.60 + DCC 1.2.9, ClamAV 20030829
> >>>
> >>>
> >>
> >>
> >>--
> >>Med venlig hilsen - Best regards.
> >>Erik Jakobsen - eja at urbakken.dk.
> >>Licensed radioamateur with the callsign OZ4KK.
> >>SuSE Linux 8.2 Proff.
> >>Registered as user #319488 with the Linux Counter, http://counter.li.org.
> >>
>
>
>
> --
> This message has been scanned for viruses and
> dangerous content by MailScanner, and is
> believed to be clean.
>
>
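
Added example, not code from Rick's or Peter's posts or from the MailScanner project: a small Python approximation of how a first-match rules file like the spam.blacklist.rules above is evaluated, fed with the envelope sender pulled out of a sendmail log line, which is the address Peter says to block. The supported pattern forms (exact address, @domain, default) and the first-match semantics are this example's own reading of the rule format; MailScanner's real parsing is documented in its EXAMPLES file, not here. The addresses are the ones quoted in the thread with the archive's "at" obfuscation undone, and the log lines and header block are constructed.

```python
import re
from typing import List, Optional, Sequence, Tuple

# Constructed sample: the blacklist from the thread, with the archive's
# "at" obfuscation undone. Addresses are the ones quoted in the discussion.
SAMPLE_RULES = """\
# first matching rule decides; 'default' catches everything else
From:        john@urbakken.dk        yes
From:        james@urbakken.dk       yes
FromOrTo:    default                 no
"""

# Constructed sendmail log lines in the shape Peter quoted. The first reuses
# Peter's own (already x-ed) example; the second is invented to look like a
# Mimail-style delivery, with a hypothetical relay and documentation-range IP.
PETER_LOG = ("Nov  9 12:17:28 kleenex sendmail[23204]: [ID 801593 mail.info] "
             "hA9BHR7u023204: from=<bounce-fsd-459798@blast1.myfree.com>, size=7298, "
             "class=0, nrcpts=1, proto=ESMTP, daemon=MTA-v4, relay=x.x.x [x.x.x.x]")
WORM_LOG = ("Nov  9 09:35:38 gateway sendmail[4242]: hA98ZcXX004242: "
            "from=<john@urbakken.dk>, size=16384, class=0, nrcpts=1, "
            "proto=SMTP, daemon=MTA-v4, relay=mail.example.net [192.0.2.10]")

# Constructed header block: what the recipient's mail client would display.
PETER_HEADERS = "From: <MyFreeStuffDaily@MyFree.com>\nTo: x@x\nSubject: free stuff\n"

Rule = Tuple[str, str, bool]  # (direction, pattern, value)


def parse_rules(text: str) -> List[Rule]:
    """Parse 'Direction: pattern yes|no' lines; blank lines and '#' comments are skipped."""
    rules: List[Rule] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 2)
        if len(parts) != 3:
            raise ValueError(f"malformed rule line: {raw!r}")
        direction, pattern, value = parts
        direction = direction.rstrip(":").lower()
        if direction not in ("from", "to", "fromorto"):
            raise ValueError(f"unknown direction in rule line: {raw!r}")
        rules.append((direction, pattern.lower(), value.strip().lower() == "yes"))
    return rules


def pattern_matches(pattern: str, address: str) -> bool:
    """This example's pattern forms: 'default', '@domain' (whole domain), or an exact address."""
    address = address.lower()
    if pattern == "default":
        return True
    if pattern.startswith("@"):
        return address.endswith(pattern)
    return address == pattern


def is_definitely_spam(rules: Sequence[Rule], sender: str, recipients: Sequence[str]) -> bool:
    """First-match evaluation: the first rule whose pattern fits the sender
    (From/FromOrTo) or any recipient (To/FromOrTo) decides. With no match and
    no default line, the message is not marked."""
    for direction, pattern, value in rules:
        if direction in ("from", "fromorto") and pattern_matches(pattern, sender):
            return value
        if direction in ("to", "fromorto") and any(pattern_matches(pattern, r) for r in recipients):
            return value
    return False


_ENVELOPE_FROM = re.compile(r"\bfrom=<([^>]*)>")


def envelope_sender(log_line: str) -> Optional[str]:
    """Envelope sender (MAIL FROM) as sendmail logs it in 'from=<...>'. An empty
    string is the null sender used by bounces; None means no from= field."""
    m = _ENVELOPE_FROM.search(log_line)
    return m.group(1) if m else None


def header_from(headers: str) -> Optional[str]:
    """Address in the From: header, i.e. the one the mail client shows."""
    for line in headers.splitlines():
        if line.lower().startswith("from:"):
            m = re.search(r"<([^>]+)>", line)
            return m.group(1) if m else line[5:].strip()
    return None


if __name__ == "__main__":
    rules = parse_rules(SAMPLE_RULES)
    for log in (PETER_LOG, WORM_LOG):
        env = envelope_sender(log)
        verdict = is_definitely_spam(rules, env, ["erik@urbakken.dk"])
        print(f"envelope sender {env!r:45} definitely spam: {verdict}")
    # Peter's point: the displayed From: and the envelope sender differ, and
    # only the envelope sender is what the MTA actually acted on.
    print("header From:", header_from(PETER_HEADERS), "vs envelope:", envelope_sender(PETER_LOG))
```

Run as a script it marks john@urbakken.dk from the constructed log line as definitely spam and leaves other senders alone, and shows that for Peter's message the header From: and the logged envelope sender are different addresses, which is why a rule on the header address alone does nothing useful.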
