Misuse of my domain.

S Mohan smohan at vsnl.com
Mon Nov 10 03:51:34 GMT 2003


In sendmail, setting the email id to reject in /etc/mail/access and
restarting mailscanner would do the job.

Warm regards
Mohan

On Sunday, November 09, 2003 10:16 PM Ugo Bellavance <> wrote:

:::: Hi Rick. I'm sorry, but I need more information in details on what
:::: I can do.
:::
:::
::: Personally I would block mail from john/james @urbakken.dk at the
::: MTA RCPT level, not even allowing it to reach DATA. How you do that
::: would depend upon your MTA. If you don't have config access to the
::: MTA then doing it in MailScanner:
::
:: I think I have access to the MTA, but where do I set the blocking?
::
::: In your MailScanner.conf find the line: Is Definitely Spam = and
::: change it to: Is Definitely Spam = %rules-dir%/spam.blacklist.rules
::
:: I just made the file spam.blacklist.rules.
:
: I think you use it at home, so you should be ok like that.  But I
: don't know either how to block at the MTA RCPT level, but I think it is
: not possible on postfix.  Since I use sendmail, I am curious to see
: what people will reply to this :)
:
::
::: Now create the file spam.blacklist.rules in your rules dir (normally
::: /opt/MailScanner/etc/rules) and it should look like:
:::
:::    From:        john at urbakken.dk        yes
:::    From:        james at urbakken.dk       yes
:::    FromOrTo:    default                 no
::
:: And I put in the above, and restarted it
::
::: Restart MailScanner and anything from john/james at urbakken.dk should be
::: handled as spam always. Again, if you do not have users named john
::: or james I am wondering how this mail is getting to the spam checks
::: in the first place... I noticed in your post with the header
::: information the mails are mime/multipart so I am betting they have
::: photos.zip or readnow.zip and this should be caught by the virus
::: scanner anyway.
::
:: But the fact is, that it doesn't do that. I use F-Prot and Amavis.
:
: Are you sure F-prot is updated correctly?
:
: Amavis + Mailscanner?  Isn't it redundant?  Are you sure your mail is
: even processed by mailscanner?  I think you should do 2 things:
:
: 1- upgrade your software (especially spamassassin to 2.60)
: 2- try using only one program to filter your mail.
:
::
::: There is a very good list of usage of rule files found in
::: MailScanner/etc/rules/EXAMPLES you may want to look through
:::
::
:: Thanks for that Rick. I'm just wondering why the set up of
:: Spamassassin didn't make the spam.blacklist.rules.
::
:::: Rick Cooper wrote:
::::
:::::: -----Original Message-----
:::::: From: MailScanner mailing list [mailto:MAILSCANNER at JISCMAIL.AC.UK]
:::::: On Behalf Of Erik Jakobsen
:::::: Sent: Sunday, November 09, 2003 6:58 AM
:::::: To: MAILSCANNER at JISCMAIL.AC.UK
:::::: Subject: Re: Misuse of my domain.
::::::
::::::
:::::: Hi Peter. Here is the header from the culprit:
::::::
:::::: From - Sun Nov  9 10:04:43 2003
:::::: X-UIDL: H>*#!]Bd"!:4K!!bf4!!
:::::: X-Mozilla-Status: 0001
:::::: X-Mozilla-Status2: 00000000
:::::: Received: from localhost [127.0.0.1] by lajka2
::::::       with SpamAssassin (2.55 1.174.2.19-2003-05-19-exp);
::::::       Sun, 09 Nov 2003 10:04:06 +0100
:::::: From: john at urbakken.dk
:::::: To: Erik <erik at urbakken.dk>
:::::
:::::
::::: The important thing to note here is that mail from
::::: john at yourdomain or james at yourdomain with an accompanying
::::: photos.zip/readnow.zip file is coming from the Mimail.C/G worm,
::::: not someone misusing your domain name. Unless you actually have
::::: users named john/james you should be blocking mail from both
::::: totally.
::::
:::: I do not have either of those names as users. And how to block the
:::: mails?
::::
::::
:::::: Date: Sun,  9 Nov 2003 09:35:38 +0100 (CET)
:::::: Message-Id: <20031109083538.E8CEFC062 at fupA.post.tele.dk>
:::::: X-Spam-Flag: YES
:::::: X-Spam-Status: Yes, hits=5.2 required=5.0
::::::       tests=AWL,BAYES_90,NO_REAL_NAME
::::::       version=2.55
:::::: X-Spam-Level: *****
:::::: X-Spam-Checker-Version: SpamAssassin 2.55 (1.174.2.19-2003-05-19-exp)
:::::: MIME-Version: 1.0
:::::: Content-Type: multipart/mixed; boundary="----------=_3FAE0306.3C6CC969"
:::::: X-UIDL: H>*#!]Bd"!:4K!!bf4!!
::::::
:::::: This is a multi-part message in MIME format.
::::::
:::::: ------------=_3FAE0306.3C6CC969
:::::: Content-Type: text/plain
:::::: Content-Disposition: inline
:::::: Content-Transfer-Encoding: 8bit
::::::
:::::: This mail is probably spam.  The original message has been
:::::: attached along with this report, so you can recognize or block
:::::: similar unwanted mail in future.  See
:::::: http://spamassassin.org/tag/ for more details.
::::::
:::::: Content preview:  [...]
::::::
:::::: Content analysis details:   (5.20 points, 5 required)
:::::: NO_REAL_NAME       (1.1 points)  From: does not include a real name
:::::: BAYES_90           (4.0 points)  BODY: Bayesian classifier says spam
::::::                                  probability is 90 to 99% [score: 0.9897]
:::::: AWL                (0.1 points)  AWL: Auto-whitelist adjustment
::::::
::::::
::::::
:::::: ------------=_3FAE0306.3C6CC969
:::::: Content-Type: message/rfc822; x-spam-type=original
:::::: Content-Description: original message before SpamAssassin
:::::: Content-Disposition: inline
:::::: Content-Transfer-Encoding: 8bit
::::::
:::::: Return-Path: <john at urbakken.dk>
:::::: X-Original-To: erik at localhost
:::::: Delivered-To: erik at localhost.lajka2.local
:::::: Received: from localhost (localhost [127.0.0.1])
::::::       by lajka2.local (Postfix) with ESMTP id 34954480F5
::::::       for <erik at localhost>; Sun,  9 Nov 2003 10:03:47 +0100 (CET)
:::::: Delivered-To: erik at urbakken.dk
:::::: Received: from urbakken.dk [192.168.1.1]
::::::       by localhost with POP3 (fetchmail-6.2.1)
::::::       for erik at localhost (single-drop); Sun, 09 Nov 2003 10:03:47 +0100 (CET)
:::::: Received: from fupA.post.tele.dk (fupA.post.tele.dk [195.41.53.68])
::::::       by gateway.urbakken.dk (Postfix) with ESMTP id 160D1AAB39
::::::       for <erik at urbakken.dk>; Sun,  9 Nov 2003 03:35:48 -0500 (EST)
:::::: Received: from localhost (D40A6EA5.rev.stofanet.dk [212.10.110.165])
::::::       by fupA.post.tele.dk (Postfix) with SMTP id E8CEFC062
::::::       for <erik at urbakken.dk>; Sun,  9 Nov 2003 09:35:38 +0100 (CET)
:::::: From: john at urbakken.dk
:::::: To: Erik <erik at urbakken.dk>
:::::: Reply-To: john at urbakken.dk
:::::: Message-Id: <20031109083538.E8CEFC062 at fupA.post.tele.dk>
:::::: Date: Sun,  9 Nov 2003 09:35:38 +0100 (CET)
:::::: X-yoursite-MailScanner-Information: Please contact the ISP for more information
:::::: X-yoursite-MailScanner: Found to be clean
::::::
::::::
::::::
:::::: ------------=_3FAE0306.3C6CC969--
::::::
::::::
:::::: Peter Bonivart wrote:
::::::
::::::
::::::: Erik Jakobsen wrote:
:::::::
:::::::
:::::::
:::::::: This is what I see, but I haven't seen the whole headers. What
:::::::: is the "envelope from address" ?.
:::::::
:::::::
::::::: Compare it to regular mail, you can write what you want on the
::::::: paper inside the envelope, it will still be delivered to the
::::::: address on the envelope. You can find the envelope information
::::::: in your server logs.
:::::::
::::::: This is from a fresh spam of mine (some info edited out with x):
:::::::
::::::: Nov  9 12:17:28 kleenex sendmail[23204]: [ID 801593 mail.info]
::::::: hA9BHR7u023204: from=<bounce-fsd-459798 at blast1.myfree.com>,
::::::: size=7298, class=0, nrcpts=1,
::::::: msgid=<LYRIS-459798-1269238-2003.11.09-02.20.05--x at blast1.myfree.com>,
::::::: bodytype=8BITMIME, proto=ESMTP, daemon=MTA-v4, relay=x.x.x [x.x.x.x]
:::::::
::::::: Nov  9 12:17:29 kleenex MailScanner[15265]: Message
::::::: hA9BHR7u023204 from x.x.x.x
::::::: (bounce-fsd-459798 at blast1.myfree.com) to x.x is spam,
::::::: SpamAssassin (score=10.901, required 5, BAYES_99 5.40,
::::::: CLICK_BELOW 0.10, HTML_60_70 0.11, HTML_FONTCOLOR_BLUE 0.10,
::::::: HTML_FONTCOLOR_UNKNOWN 0.10, HTML_FONTCOLOR_UNSAFE 0.10,
::::::: HTML_FONT_BIG 0.27, HTML_IMAGE_ONLY_10 0.02,
::::::: HTML_IMAGE_RATIO_08 0.36, HTML_LINK_CLICK_HERE 0.10,
::::::: HTML_MESSAGE 0.10, MIME_HTML_ONLY 0.32, NO_COST 1.67,
::::::: NO_REAL_NAME 0.16, SUB_FREE_OFFER 1.66, SUPPLIES_LIMITED 0.33)
:::::::
::::::: Look at the first line from Sendmail, it says it's from
::::::: bounce... at blast1.myfree.com, that's the envelope address and
::::::: the one you should block; note on the second line that MS logs
::::::: that address too. Now look at this:
:::::::
::::::: H??From: <MyFreeStuffDaily at MyFree.com>
:::::::
::::::: It's taken from my quarantine and is the header file (qf) for
::::::: the same message, that's what they want me to see in my mail
::::::: client. It will not help to block that address since it can be
::::::: anything and has nothing to do with the actual delivery of the
::::::: message, it's common for spammers to use the same for from and
::::::: to.
:::::::
::::::: I hope that helps.
:::::::
::::::: /Peter Bonivart
:::::::
::::::: --Unix lovers do it in the Sun
:::::::
::::::: Sun Fire V210, Solaris 9, Sendmail 8.12.10, MailScanner 4.23-11,
::::::: SpamAssassin 2.60 + DCC 1.2.9, ClamAV 20030829
:::::::
:::::::
::::::
::::::
:::::: --
:::::: Med venlig hilsen - Best regards.
:::::: Erik Jakobsen - eja at urbakken.dk.
:::::: Licensed radioamateur with the callsign OZ4KK.
:::::: SuSE Linux 8.2 Proff.
:::::: Registered as user #319488 with the Linux Counter,
:::::: http://counter.li.org.
:::
::::
::::
:::: --
:::: This message has been scanned for viruses and
:::: dangerous content by MailScanner, and is
:::: believed to be clean.
::::
::::
:::
:::
:::
::: --
::: Med venlig hilsen - Best regards.
::: Erik Jakobsen - eja at urbakken.dk.
::: Licensed radioamateur with the callsign OZ4KK.
::: SuSE Linux 8.2 Proff.
::: Registered as user #319488 with the Linux Counter,
::: http://counter.li.org.
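The spam.blacklist.rules file discussed in this thread is a MailScanner ruleset: one rule per line, first match wins, with From:/To:/FromOrTo: selecting which envelope address is compared and a "default" line catching everything else. The evaluator below is an added example (not MailScanner's own Perl code) that parses such a file and applies it to the envelope sender and recipients, which is the address Peter says to block rather than the header From:; it assumes simplified matching (exact address, "@domain" for a whole domain, or "default") and writes the addresses with a literal "@" where the archive shows " at ".

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample in the layout quoted in the thread (the archive renders
# "@" as " at "; a real rules file uses the literal "@").
SPAM_BLACKLIST_RULES = """\
# spam.blacklist.rules (constructed example)
From:        john@urbakken.dk        yes
From:        james@urbakken.dk       yes
FromOrTo:    default                 no
"""

@dataclass
class Rule:
    direction: str   # "from", "to" or "fromorto"
    pattern: str     # exact address, "@domain", or "default"
    value: str       # the value column, here "yes" / "no"

def parse_rules(text: str) -> List[Rule]:
    """Parse lines of the form '<Direction>: <pattern> <value>'; '#' comments allowed."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.match(r"^(From|To|FromOrTo)\s*:\s*(\S+)\s+(\S+)$", line, re.I)
        if not m:
            raise ValueError(f"malformed rule: {raw!r}")
        rules.append(Rule(m.group(1).lower(), m.group(2).lower(), m.group(3)))
    return rules

def _addr_matches(pattern: str, addr: str) -> bool:
    # Assumption: "default" matches anything, "@domain" matches every user
    # in that domain, anything else is an exact case-insensitive address.
    addr = addr.lower()
    if pattern == "default":
        return True
    if pattern.startswith("@"):
        return addr.endswith(pattern)
    return addr == pattern

def evaluate(rules: List[Rule], sender: str, recipients: List[str]) -> Optional[str]:
    """Return the value of the first rule matching the envelope sender/recipients."""
    for r in rules:
        if r.direction in ("from", "fromorto") and _addr_matches(r.pattern, sender):
            return r.value
        if r.direction in ("to", "fromorto") and any(
                _addr_matches(r.pattern, rcpt) for rcpt in recipients):
            return r.value
    return None   # no rule matched (a ruleset without a default line)
```

Feed it the envelope sender from the MTA log (the sendmail `from=<...>` field above), not the header From:, since the worm forges the latter.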