Misuse of my domain.
Erik Jakobsen
eja at URBAKKEN.DK
Sun Nov 9 15:46:09 GMT 2003
Rick Cooper wrote:
>>-----Original Message-----
>>From: MailScanner mailing list [mailto:MAILSCANNER at JISCMAIL.AC.UK]On
>>Behalf Of Erik Jakobsen
>>Sent: Sunday, November 09, 2003 9:49 AM
>>To: MAILSCANNER at JISCMAIL.AC.UK
>>Subject: Re: Misuse of my domain.
>>
>>
>>Hi Rick. I'm sorry, but I need more detailed information on
>>what I can do.
>
>
> Personally I would block mail from john/james @urbakken.dk at the MTA RCPT
> level, not even allowing it to reach DATA. How you do that would depend upon
> your MTA. If you don't have config access to the MTA then doing it in
> MailScanner:
I think I have access to the MTA, but where do I set the blocking?
> In your MailScanner.conf find the line: Is Definitely Spam =
> and change it to: Is Definitely Spam = %rules-dir%/spam.blacklist.rules
I just made the file spam.blacklist.rules.
> Now create the file spam.blacklist.rules in your rules dir (normally
> /opt/MailScanner/etc/rules) and it should look like:
>
> From: john at urbakken.dk yes
> From: james at urbakken.dk yes
> FromOrTo: default no
And I put in the above and restarted it.
> Restart MailScanner and anything from john/james at urbakken.dk should be
> handled as spam always. Again, if you do not have users named john or james
> I am wondering how this mail is getting to the spam checks in the first
> place... I noticed in your post with the header information the mails are
> mime/multipart so I am betting they have photos.zip or readnow.zip and this
> should be caught by the virus scanner anyway.
But the fact is that it doesn't do that. I use F-Prot and Amavis.
> There is a very good list of usage of rule files found in
> MailScanner/etc/rules/EXAMPLES you may want to look through
>
Thanks for that, Rick. I'm just wondering why the setup of SpamAssassin
didn't make the spam.blacklist.rules.
>>Rick Cooper wrote:
>>
>>>>-----Original Message-----
>>>>From: MailScanner mailing list [mailto:MAILSCANNER at JISCMAIL.AC.UK]On
>>>>Behalf Of Erik Jakobsen
>>>>Sent: Sunday, November 09, 2003 6:58 AM
>>>>To: MAILSCANNER at JISCMAIL.AC.UK
>>>>Subject: Re: Misuse of my domain.
>>>>
>>>>
>>>>Hi Peter. Here is the header from the culprit:
>>>>
>>>>From - Sun Nov 9 10:04:43 2003
>>>>X-UIDL: H>*#!]Bd"!:4K!!bf4!!
>>>>X-Mozilla-Status: 0001
>>>>X-Mozilla-Status2: 00000000
>>>>Received: from localhost [127.0.0.1] by lajka2
>>>> with SpamAssassin (2.55 1.174.2.19-2003-05-19-exp);
>>>> Sun, 09 Nov 2003 10:04:06 +0100
>>>>From: john at urbakken.dk
>>>>To: Erik <erik at urbakken.dk>
>>>
>>>
>>>The important thing to note here is that mail from john at yourdomain or
>>>james at yourdomain with an accompanying photos.zip/readnow.zip file is coming
>>>from the Mimail.C/G worm, not someone misusing your domain name. Unless you
>>>actually have users named john/james you should be blocking mail from both
>>>totally.
>>
>>I do not have either of those names as users. And how do I block
>>the mails?
>>
>>
>>>>Date: Sun, 9 Nov 2003 09:35:38 +0100 (CET)
>>>>Message-Id: <20031109083538.E8CEFC062 at fupA.post.tele.dk>
>>>>X-Spam-Flag: YES
>>>>X-Spam-Status: Yes, hits=5.2 required=5.0
>>>> tests=AWL,BAYES_90,NO_REAL_NAME
>>>> version=2.55
>>>>X-Spam-Level: *****
>>>>X-Spam-Checker-Version: SpamAssassin 2.55 (1.174.2.19-2003-05-19-exp)
>>>>MIME-Version: 1.0
>>>>Content-Type: multipart/mixed; boundary="----------=_3FAE0306.3C6CC969"
>>>>X-UIDL: H>*#!]Bd"!:4K!!bf4!!
>>>>
>>>>This is a multi-part message in MIME format.
>>>>
>>>>------------=_3FAE0306.3C6CC969
>>>>Content-Type: text/plain
>>>>Content-Disposition: inline
>>>>Content-Transfer-Encoding: 8bit
>>>>
>>>>This mail is probably spam. The original message has been attached
>>>>along with this report, so you can recognize or block similar unwanted
>>>>mail in future. See http://spamassassin.org/tag/ for more details.
>>>>
>>>>Content preview: [...]
>>>>
>>>>Content analysis details: (5.20 points, 5 required)
>>>>NO_REAL_NAME (1.1 points) From: does not include a real name
>>>>BAYES_90 (4.0 points) BODY: Bayesian classifier says spam
>>>>probability is 90 to 99%
>>>> [score: 0.9897]
>>>>AWL (0.1 points) AWL: Auto-whitelist adjustment
>>>>
>>>>
>>>>
>>>>------------=_3FAE0306.3C6CC969
>>>>Content-Type: message/rfc822; x-spam-type=original
>>>>Content-Description: original message before SpamAssassin
>>>>Content-Disposition: inline
>>>>Content-Transfer-Encoding: 8bit
>>>>
>>>>Return-Path: <john at urbakken.dk>
>>>>X-Original-To: erik at localhost
>>>>Delivered-To: erik at localhost.lajka2.local
>>>>Received: from localhost (localhost [127.0.0.1])
>>>> by lajka2.local (Postfix) with ESMTP id 34954480F5
>>>> for <erik at localhost>; Sun, 9 Nov 2003 10:03:47 +0100 (CET)
>>>>Delivered-To: erik at urbakken.dk
>>>>Received: from urbakken.dk [192.168.1.1]
>>>> by localhost with POP3 (fetchmail-6.2.1)
>>>> for erik at localhost (single-drop); Sun, 09 Nov 2003
>>>>10:03:47 +0100 (CET)
>>>>Received: from fupA.post.tele.dk (fupA.post.tele.dk [195.41.53.68])
>>>> by gateway.urbakken.dk (Postfix) with ESMTP id 160D1AAB39
>>>> for <erik at urbakken.dk>; Sun, 9 Nov 2003 03:35:48 -0500 (EST)
>>>>Received: from localhost (D40A6EA5.rev.stofanet.dk [212.10.110.165])
>>>> by fupA.post.tele.dk (Postfix) with SMTP id E8CEFC062
>>>> for <erik at urbakken.dk>; Sun, 9 Nov 2003 09:35:38 +0100 (CET)
>>>>From: john at urbakken.dk
>>>>To: Erik <erik at urbakken.dk>
>>>>Reply-To: john at urbakken.dk
>>>>Message-Id: <20031109083538.E8CEFC062 at fupA.post.tele.dk>
>>>>Date: Sun, 9 Nov 2003 09:35:38 +0100 (CET)
>>>>X-yoursite-MailScanner-Information: Please contact the ISP for more
>>>>information
>>>>X-yoursite-MailScanner: Found to be clean
>>>>
>>>>
>>>>
>>>>------------=_3FAE0306.3C6CC969--
>>>>
>>>>
>>>>Peter Bonivart wrote:
>>>>
>>>>
>>>>>Erik Jakobsen wrote:
>>>>>
>>>>>
>>>>>
>>>>>>This is what I see, but I haven't seen the whole headers. What is the
>>>>>>"envelope from address"?
>>>>>
>>>>>
>>>>>Compare it to regular mail, you can write what you want on the paper
>>>>>inside the envelope, it will still be delivered to the address on the
>>>>>envelope. You can find the envelope information in your server logs.
>>>>>
>>>>>This is from a fresh spam of mine (some info edited out with x):
>>>>>
>>>>>Nov 9 12:17:28 kleenex sendmail[23204]: [ID 801593 mail.info]
>>>>>hA9BHR7u023204: from=<bounce-fsd-459798 at blast1.myfree.com>, size=7298,
>>>>>class=0, nrcpts=1,
>>>>>msgid=<LYRIS-459798-1269238-2003.11.09-02.20.05--x at blast1.myfree.com>,
>>>>>bodytype=8BITMIME, proto=ESMTP, daemon=MTA-v4, relay=x.x.x [x.x.x.x]
>>>>>
>>>>>Nov 9 12:17:29 kleenex MailScanner[15265]: Message hA9BHR7u023204 from
>>>>>x.x.x.x (bounce-fsd-459798 at blast1.myfree.com) to x.x is spam,
>>>>>SpamAssassin (score=10.901, required 5, BAYES_99 5.40, CLICK_BELOW 0.10,
>>>>>HTML_60_70 0.11, HTML_FONTCOLOR_BLUE 0.10, HTML_FONTCOLOR_UNKNOWN 0.10,
>>>>>HTML_FONTCOLOR_UNSAFE 0.10, HTML_FONT_BIG 0.27, HTML_IMAGE_ONLY_10 0.02,
>>>>>HTML_IMAGE_RATIO_08 0.36, HTML_LINK_CLICK_HERE 0.10, HTML_MESSAGE 0.10,
>>>>>MIME_HTML_ONLY 0.32, NO_COST 1.67, NO_REAL_NAME 0.16, SUB_FREE_OFFER
>>>>>1.66, SUPPLIES_LIMITED 0.33)
>>>>>
>>>>>Look at the first line from Sendmail, it says it's from
>>>>>bounce... at blast1.myfree.com, that's the envelope address and the one you
>>>>>should block, note on the second line that MS logs that address too. Now
>>>>>look at this:
>>>>>
>>>>>H??From: <MyFreeStuffDaily at MyFree.com>
>>>>>
>>>>>It's taken from my quarantine and is the header file (qf) for the same
>>>>>message, that's what they want me to see in my mail client. It will not
>>>>>help to block that address since it can be anything and has nothing to
>>>>>do with the actual delivery of the message, it's common for spammers to
>>>>>use the same for from and to.
>>>>>
>>>>>I hope that helps.
>>>>>
>>>>>/Peter Bonivart
>>>>>
>>>>>--Unix lovers do it in the Sun
>>>>>
>>>>>Sun Fire V210, Solaris 9, Sendmail 8.12.10, MailScanner 4.23-11,
>>>>>SpamAssassin 2.60 + DCC 1.2.9, ClamAV 20030829
>>>>>
>>>>>
>>>>
>>>>
>>>>--
>>>>Med venlig hilsen - Best regards.
>>>>Erik Jakobsen - eja at urbakken.dk.
>>>>Licensed radioamateur with the callsign OZ4KK.
>>>>SuSE Linux 8.2 Proff.
>>>>Registered as user #319488 with the Linux Counter, http://counter.li.org.
>>>>
>>
>>
>>--
>>This message has been scanned for viruses and
>>dangerous content by MailScanner, and is
>>believed to be clean.
>>
>>
--
Med venlig hilsen - Best regards.
Erik Jakobsen - eja at urbakken.dk.
Licensed radioamateur with the callsign OZ4KK.
SuSE Linux 8.2 Proff.
Registered as user #319488 with the Linux Counter, http://counter.li.org.
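The blocking discussed in the thread, as an added example (not code from the thread, from MailScanner or from Postfix): a small Python re-implementation of how a rules file like the spam.blacklist.rules above is evaluated, keyed on the envelope sender taken from a sendmail log line of the shape Peter quoted rather than on the header From:, plus a helper that turns the same blocklist into a Postfix sender_access map so the gateway (which the Received: headers show is Postfix) can refuse the sender during the SMTP dialogue, before DATA, as Rick suggests. The rule matching is simplified from MailScanner's (first match wins; exact address, `*@domain` and `default` patterns only), the log line and rules file are constructed for the example, and the addresses are written with `@` where the archive shows `at`.

```python
"""Added example: simplified MailScanner-style rules evaluation keyed on the
envelope sender, and conversion of the same blocklist into a Postfix
sender_access map. Matching semantics are an approximation (assumption),
not MailScanner's own code."""
import re

# Constructed rules file, mirroring the one suggested in the thread.
RULES_TEXT = """\
From: john@urbakken.dk yes
From: james@urbakken.dk yes
FromOrTo: default no
"""

# Constructed sendmail log line in the shape Peter quoted. The envelope
# sender (MAIL FROM) is the from=<...> field; that is the address the
# rules should be keyed on, not the From: header inside the message.
SENDMAIL_LOG = ("Nov  9 09:35:38 gateway sendmail[23204]: hA9BHR7u023204: "
                "from=<john@urbakken.dk>, size=7298, class=0, nrcpts=1, "
                "relay=d40a6ea5.rev.stofanet.dk [212.10.110.165]")

FROM_RE = re.compile(r"from=<([^>]*)>")


def envelope_from(log_line):
    """Return the envelope sender recorded by sendmail (lower-cased), or None."""
    m = FROM_RE.search(log_line)
    return m.group(1).lower() if m else None


def parse_rules(text):
    """Parse 'Direction pattern value' lines; '#' comments and blanks are skipped."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        direction, pattern, value = line.split(None, 2)
        rules.append((direction.rstrip(":").lower(), pattern.lower(), value))
    return rules


def _matches(pattern, address):
    """Assumed pattern forms: exact address, '*@domain', or 'default'."""
    if pattern == "default":
        return True
    if pattern.startswith("*@"):
        return address.endswith(pattern[1:])
    return address == pattern


def evaluate(rules, sender, recipient):
    """First matching rule wins, as in MailScanner; returns that rule's value."""
    for direction, pattern, value in rules:
        if direction in ("from", "fromorto") and _matches(pattern, sender):
            return value
        if direction in ("to", "fromorto") and _matches(pattern, recipient):
            return value
    return None  # nothing matched and the file had no default line


def is_definitely_spam(rules, log_line, recipient):
    """What 'Is Definitely Spam = rules file' would decide for this delivery."""
    sender = envelope_from(log_line) or ""
    return evaluate(rules, sender, recipient) == "yes"


def to_postfix_sender_access(rules):
    """Emit a Postfix sender_access map from the 'From: ... yes' rules, so the
    MTA rejects these envelope senders in the SMTP dialogue instead of
    accepting the whole message and quarantining it afterwards.
    Assumption: every 'yes' From rule is one we want rejected outright."""
    lines = []
    for direction, pattern, value in rules:
        if direction == "from" and value == "yes" and pattern != "default":
            key = pattern[2:] if pattern.startswith("*@") else pattern
            lines.append("%s REJECT" % key)
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    rules = parse_rules(RULES_TEXT)
    print("envelope from :", envelope_from(SENDMAIL_LOG))
    print("definitely spam:", is_definitely_spam(rules, SENDMAIL_LOG, "erik@urbakken.dk"))
    print(to_postfix_sender_access(rules), end="")
```

On Postfix the emitted map goes into a file referenced as `check_sender_access hash:/etc/postfix/sender_access` under `smtpd_sender_restrictions` and is compiled with `postmap`. Note that an envelope-based block like this never looks at the header From: at all; the header arrives only in DATA, which is exactly why the MTA-level reject is cheaper than scanning, and why a header-only blacklist would not have stopped the worm mail whose Return-Path matched the header in this case only by coincidence of the worm's choice.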