Misuse of my domain.

Ugo Bellavance ugob at CAMO-ROUTE.COM
Sun Nov 9 16:46:01 GMT 2003


> >>Hi Rick. I'm sorry, but I need more information in details on
> >>what I can do.
> >
> >
> > Personally I would block mail from john/james @urbakken.dk at the MTA RCPT
> > level, not even allowing it to reach DATA. How you do that would depend upon
> > your MTA. If you don't have config access to the MTA then doing it in
> > MailScanner:
> 
> I think I have access to the MTA, but where do I set the blocking?
> 
> > In your MailScanner.conf find the line: Is Definitely Spam =
> > and change it to: Is Definitely Spam = %rules-dir%/spam.blacklist.rules
> 
> I just made the file spam.blacklist.rules.

I think you use it at home, so you should be OK like that. But I don't know how to block at the MTA RCPT level either, and I think it is not possible on Postfix. Since I use sendmail, I am curious to see what people will reply to this :)

> 
> > Now create the file spam.blacklist.rules in your rules dir (normally
> > /opt/MailScanner/etc/rules) and it should look like:
> >
> >    From:        john at urbakken.dk        yes
> >    From:        james at urbakken.dk       yes
> >    FromOrTo:    default                 no
> 
> And I put in the above, and restarted it
> 
> > Restart MailScanner and anything from john/james at urbakken.dk should be
> > handled as spam always. Again, if you do not have users named john or james
> > I am wondering how this mail is getting to the spam checks in the first
> > place... I noticed in your post with the header information the mails are
> > mime/multipart so I am betting they have photos.zip or readnow.zip and this
> > should be caught by the virus scanner anyway.
> 
> But the fact is, that it doesn't do that. I use F-Prot and Amavis.

Are you sure F-Prot is updated correctly?

Amavis + MailScanner? Isn't it redundant? Are you sure your mail is even processed by MailScanner? I think you should do 2 things:

1- upgrade your software (especially SpamAssassin to 2.60)
2- try using only one program to filter your mail.

> 
> > There is a very good list of usage of rule files found in
> > MailScanner/etc/rules/EXAMPLES you may want to look through
> >
> 
> Thanks for that Rick. I'm just wondering why the set up of SpamAssassin
> didn't make the spam.blacklist.rules.
> 
> >>Rick Cooper wrote:
> >>
> >>>>-----Original Message-----
> >>>>From: MailScanner mailing list [mailto:MAILSCANNER at JISCMAIL.AC.UK] On
> >>>>Behalf Of Erik Jakobsen
> >>>>Sent: Sunday, November 09, 2003 6:58 AM
> >>>>To: MAILSCANNER at JISCMAIL.AC.UK
> >>>>Subject: Re: Misuse of my domain.
> >>>>
> >>>>
> >>>>Hi Peter. Here is the header from the culprit:
> >>>>
> >>>>From - Sun Nov  9 10:04:43 2003
> >>>>X-UIDL: H>*#!]Bd"!:4K!!bf4!!
> >>>>X-Mozilla-Status: 0001
> >>>>X-Mozilla-Status2: 00000000
> >>>>Received: from localhost [127.0.0.1] by lajka2
> >>>>       with SpamAssassin (2.55 1.174.2.19-2003-05-19-exp);
> >>>>       Sun, 09 Nov 2003 10:04:06 +0100
> >>>>From: john at urbakken.dk
> >>>>To: Erik <erik at urbakken.dk>
> >>>
> >>>
> >>>The important thing to note here is that mail from john at yourdomain or
> >>>james at yourdomain with an accompanying photos.zip/readnow.zip file is coming
> >>>from the Mimail.C/G worm, not someone misusing your domain name. Unless you
> >>>actually have users named john/james you should be blocking mail from both
> >>>totally.
> >>
> >>I do not have either of those names as users. And how do I block
> >>the mails?
> >>
> >>
> >>>>Date: Sun,  9 Nov 2003 09:35:38 +0100 (CET)
> >>>>Message-Id: <20031109083538.E8CEFC062 at fupA.post.tele.dk>
> >>>>X-Spam-Flag: YES
> >>>>X-Spam-Status: Yes, hits=5.2 required=5.0
> >>>>       tests=AWL,BAYES_90,NO_REAL_NAME
> >>>>       version=2.55
> >>>>X-Spam-Level: *****
> >>>>X-Spam-Checker-Version: SpamAssassin 2.55 (1.174.2.19-2003-05-19-exp)
> >>>>MIME-Version: 1.0
> >>>>Content-Type: multipart/mixed; boundary="----------=_3FAE0306.3C6CC969"
> >>>>X-UIDL: H>*#!]Bd"!:4K!!bf4!!
> >>>>
> >>>>This is a multi-part message in MIME format.
> >>>>
> >>>>------------=_3FAE0306.3C6CC969
> >>>>Content-Type: text/plain
> >>>>Content-Disposition: inline
> >>>>Content-Transfer-Encoding: 8bit
> >>>>
> >>>>This mail is probably spam.  The original message has been attached
> >>>>along with this report, so you can recognize or block similar unwanted
> >>>>mail in future.  See http://spamassassin.org/tag/ for more details.
> >>>>
> >>>>Content preview:  [...]
> >>>>
> >>>>Content analysis details:   (5.20 points, 5 required)
> >>>>NO_REAL_NAME       (1.1 points)  From: does not include a real name
> >>>>BAYES_90           (4.0 points)  BODY: Bayesian classifier says spam
> >>>>                                 probability is 90 to 99%
> >>>>                   [score: 0.9897]
> >>>>AWL                (0.1 points)  AWL: Auto-whitelist adjustment
> >>>>
> >>>>
> >>>>
> >>>>------------=_3FAE0306.3C6CC969
> >>>>Content-Type: message/rfc822; x-spam-type=original
> >>>>Content-Description: original message before SpamAssassin
> >>>>Content-Disposition: inline
> >>>>Content-Transfer-Encoding: 8bit
> >>>>
> >>>>Return-Path: <john at urbakken.dk>
> >>>>X-Original-To: erik at localhost
> >>>>Delivered-To: erik at localhost.lajka2.local
> >>>>Received: from localhost (localhost [127.0.0.1])
> >>>>       by lajka2.local (Postfix) with ESMTP id 34954480F5
> >>>>       for <erik at localhost>; Sun,  9 Nov 2003 10:03:47 +0100 (CET)
> >>>>Delivered-To: erik at urbakken.dk
> >>>>Received: from urbakken.dk [192.168.1.1]
> >>>>       by localhost with POP3 (fetchmail-6.2.1)
> >>>>       for erik at localhost (single-drop); Sun, 09 Nov 2003
> >>>>10:03:47 +0100 (CET)
> >>>>Received: from fupA.post.tele.dk (fupA.post.tele.dk [195.41.53.68])
> >>>>       by gateway.urbakken.dk (Postfix) with ESMTP id 160D1AAB39
> >>>>       for <erik at urbakken.dk>; Sun,  9 Nov 2003 03:35:48 -0500 (EST)
> >>>>Received: from localhost (D40A6EA5.rev.stofanet.dk [212.10.110.165])
> >>>>       by fupA.post.tele.dk (Postfix) with SMTP id E8CEFC062
> >>>>       for <erik at urbakken.dk>; Sun,  9 Nov 2003 09:35:38 +0100 (CET)
> >>>>From: john at urbakken.dk
> >>>>To: Erik <erik at urbakken.dk>
> >>>>Reply-To: john at urbakken.dk
> >>>>Message-Id: <20031109083538.E8CEFC062 at fupA.post.tele.dk>
> >>>>Date: Sun,  9 Nov 2003 09:35:38 +0100 (CET)
> >>>>X-yoursite-MailScanner-Information: Please contact the ISP for more
> >>>>information
> >>>>X-yoursite-MailScanner: Found to be clean
> >>>>
> >>>>
> >>>>
> >>>>------------=_3FAE0306.3C6CC969--
> >>>>
> >>>>
> >>>>Peter Bonivart wrote:
> >>>>
> >>>>
> >>>>>Erik Jakobsen wrote:
> >>>>>
> >>>>>
> >>>>>
> >>>>>>This is what I see, but I haven't seen the whole headers. What is the
> >>>>>>"envelope from address"?
> >>>>>
> >>>>>
> >>>>>Compare it to regular mail, you can write what you want on the paper
> >>>>>inside the envelope, it will still be delivered to the address on the
> >>>>>envelope. You can find the envelope information in your server logs.
> >>>>>
> >>>>>This is from a fresh spam of mine (some info edited out with x):
> >>>>>
> >>>>>Nov  9 12:17:28 kleenex sendmail[23204]: [ID 801593 mail.info]
> >>>>>hA9BHR7u023204: from=<bounce-fsd-459798 at blast1.myfree.com>, size=7298,
> >>>>>class=0, nrcpts=1,
> >>>>>msgid=<LYRIS-459798-1269238-2003.11.09-02.20.05--x at blast1.myfree.com>,
> >>>>>bodytype=8BITMIME, proto=ESMTP, daemon=MTA-v4, relay=x.x.x [x.x.x.x]
> >>>>>
> >>>>>Nov  9 12:17:29 kleenex MailScanner[15265]: Message hA9BHR7u023204 from
> >>>>>x.x.x.x (bounce-fsd-459798 at blast1.myfree.com) to x.x is spam,
> >>>>>SpamAssassin (score=10.901, required 5, BAYES_99 5.40, CLICK_BELOW 0.10,
> >>>>>HTML_60_70 0.11, HTML_FONTCOLOR_BLUE 0.10, HTML_FONTCOLOR_UNKNOWN 0.10,
> >>>>>HTML_FONTCOLOR_UNSAFE 0.10, HTML_FONT_BIG 0.27, HTML_IMAGE_ONLY_10 0.02,
> >>>>>HTML_IMAGE_RATIO_08 0.36, HTML_LINK_CLICK_HERE 0.10, HTML_MESSAGE 0.10,
> >>>>>MIME_HTML_ONLY 0.32, NO_COST 1.67, NO_REAL_NAME 0.16, SUB_FREE_OFFER 1.66,
> >>>>>SUPPLIES_LIMITED 0.33)
> >>>>>
> >>>>>Look at the first line from Sendmail, it says it's from
> >>>>>bounce... at blast1.myfree.com, that's the envelope address and the one you
> >>>>>should block, note on the second line that MS logs that address too. Now
> >>>>>look at this:
> >>>>>
> >>>>>H??From: <MyFreeStuffDaily at MyFree.com>
> >>>>>
> >>>>>It's taken from my quarantine and is the header file (qf) for the same
> >>>>>message, that's what they want me to see in my mail client. It will not
> >>>>>help to block that address since it can be anything and has nothing to
> >>>>>do with the actual delivery of the message, it's common for spammers to
> >>>>>use the same for from and to.
> >>>>>
> >>>>>I hope that helps.
> >>>>>
> >>>>>/Peter Bonivart
> >>>>>
> >>>>>--Unix lovers do it in the Sun
> >>>>>
> >>>>>Sun Fire V210, Solaris 9, Sendmail 8.12.10, MailScanner 4.23-11,
> >>>>>SpamAssassin 2.60 + DCC 1.2.9, ClamAV 20030829
> >>>>>
> >>>>>
> >>>>
> >>>>
> >>>>--
> >>>>Med venlig hilsen - Best regards.
> >>>>Erik Jakobsen - eja at urbakken.dk.
> >>>>Licensed radioamateur with the callsign OZ4KK.
> >>>>SuSE Linux 8.2 Proff.
> >>>>Registered as user #319488 with the Linux Counter, http://counter.li.org.
> >
> >>
> >>
> >>--
> >>This message has been scanned for viruses and
> >>dangerous content by MailScanner, and is
> >>believed to be clean.
> >>
> >>
> >
> >
> >


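Added worked example (my own code, not code from this thread, from MailScanner or from its authors). It takes the original-message headers quoted above, reports the envelope sender (Return-Path) next to the header From: so Peter's envelope-versus-header point can be checked on this very message, walks the Received: chain to show which IP handed the mail to gateway.urbakken.dk, and evaluates Rick's spam.blacklist.rules against the envelope sender with first-match semantics. The rule matching (default, full address, @domain, user@ and /regex/ forms) is a simplified reimplementation for illustration, not MailScanner's own matching code, which supports more forms; the host names, addresses and IPs are the ones in the quoted headers, and the message body is a constructed placeholder.

```python
"""Added example (my code, not from the MailScanner thread): extract envelope
sender, header From: and relay chain from the quoted worm message and apply
the thread's spam.blacklist.rules to the envelope sender."""
import email
import re
from email.utils import getaddresses, parseaddr

# Constructed sample: the original-message headers quoted in the thread
# ("at" restored to "@", body replaced by a placeholder).
RAW_MESSAGE = b"""\
Return-Path: <john@urbakken.dk>
Received: from fupA.post.tele.dk (fupA.post.tele.dk [195.41.53.68])
        by gateway.urbakken.dk (Postfix) with ESMTP id 160D1AAB39
        for <erik@urbakken.dk>; Sun,  9 Nov 2003 03:35:48 -0500 (EST)
Received: from localhost (D40A6EA5.rev.stofanet.dk [212.10.110.165])
        by fupA.post.tele.dk (Postfix) with SMTP id E8CEFC062
        for <erik@urbakken.dk>; Sun,  9 Nov 2003 09:35:38 +0100 (CET)
From: john@urbakken.dk
To: Erik <erik@urbakken.dk>

(zip attachment omitted)
"""

# The rules file exactly as posted in the thread.
RULES_FILE = """\
From:        john@urbakken.dk        yes
From:        james@urbakken.dk       yes
FromOrTo:    default                 no
"""

RULE_RE = re.compile(r"^(From|To|FromOrTo):\s+(\S+)\s+(\S+)\s*$", re.I)
# "from <helo> (<rdns> [<ip>]) by <host>", as Postfix and sendmail write it.
HOP_RE = re.compile(r"from\s+(\S+)\s+\(([^\s\[\]]*)\s*\[([\d.]+)\]\)\s+by\s+(\S+)")

def parse_rules(text):
    """Return (direction, pattern, value) triples in file order."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError(f"unparseable rule: {line!r}")
        rules.append((m.group(1).lower(), m.group(2).lower(), m.group(3)))
    return rules

def address_matches(pattern, address):
    """Simplified matching: default, full address, @domain, user@, /regex/."""
    address = address.lower()
    if pattern == "default":
        return True
    if len(pattern) > 1 and pattern[0] == pattern[-1] == "/":
        return re.search(pattern[1:-1], address) is not None
    if pattern.startswith("@"):
        return address.endswith(pattern)
    if pattern.endswith("@"):
        return address.startswith(pattern)
    return address == pattern

def evaluate_rules(rules, sender, recipients):
    """First matching rule wins, as in MailScanner rulesets."""
    for direction, pattern, value in rules:
        if direction in ("from", "fromorto") and address_matches(pattern, sender):
            return value
        if direction in ("to", "fromorto") and any(
            address_matches(pattern, r) for r in recipients
        ):
            return value
    return None

def sender_facts(raw):
    """Envelope sender (from Return-Path), header From: and recipients."""
    msg = email.message_from_bytes(raw)
    envelope = (msg.get("Return-Path") or "").strip().strip("<>")
    header_from = parseaddr(msg.get("From", ""))[1]
    rcpts = [addr for _, addr in getaddresses(msg.get_all("To", []))]
    return envelope, header_from, rcpts

def relay_hops(raw):
    """Received: lines top-down as (claimed name, rDNS, IP, receiving host)."""
    msg = email.message_from_bytes(raw)
    return [m.groups() for m in map(HOP_RE.search, msg.get_all("Received", [])) if m]

def injection_point(hops, trusted_receivers):
    """IP that handed the mail to the last receiver we trust; Received:
    lines written by hosts below that point can say anything."""
    ip = None
    for _name, _rdns, peer_ip, receiver in hops:
        if receiver.lower() not in trusted_receivers:
            break
        ip = peer_ip
    return ip

if __name__ == "__main__":
    env, hdr, rcpts = sender_facts(RAW_MESSAGE)
    print("envelope:", env, "| header From:", hdr, "| verdict:",
          evaluate_rules(parse_rules(RULES_FILE), env, rcpts))
    print("handed to our gateway by:",
          injection_point(relay_hops(RAW_MESSAGE), {"gateway.urbakken.dk"}))
```

Two things stand out when it runs on this message. The envelope sender and the header From: are the same forged john@urbakken.dk, so a From: rule applied to the envelope (or an MTA-level sender reject) catches it here even though, as Peter explains, the header address is normally not the one to block. And only the topmost Received: line was written by the local gateway: the 212.10.110.165 hop is only as trustworthy as fupA.post.tele.dk, the ISP relay that wrote it, which is why the example takes an explicit set of trusted receivers rather than believing the bottom of the chain.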



