Filtering OutBound SPAM

Randal, Phil prandal at herefordshire.gov.uk
Wed Feb 4 15:31:25 GMT 2009


Whilst everything comes from the same IP (client's MTA), the Received
headers should have the infected box's IP address.
 
Give that/those a high score in spamassassin, and tell the client to
clean their infected PCs
 
Cheers,
 
Phil
-- 
Phil Randal | Networks Engineer 
Herefordshire Council | Deputy Chief Executive's Office | I.C.T.
Services Division 
Thorn Office Centre, Rotherwas, Hereford, HR2 6JT 
Tel: 01432 260160 
email: prandal at herefordshire.gov.uk 

Any opinion expressed in this e-mail or any attached files are those of
the individual and not necessarily those of Herefordshire Council.

This e-mail and any attached files are confidential and intended solely
for the use of the addressee. This communication may contain material
protected by law from being passed on. If you are not the intended
recipient and have received this e-mail in error, you are advised that
any use, dissemination, forwarding, printing or copying of this e-mail
is strictly prohibited. If you have received this e-mail in error please
contact the sender immediately and destroy all copies of it.

 

________________________________

From: mailscanner-bounces at lists.mailscanner.info
[mailto:mailscanner-bounces at lists.mailscanner.info] On Behalf Of Eduardo
Casarero
Sent: 04 February 2009 15:22
To: MailScanner discussion
Subject: OT: Filtering OutBound SPAM


Hi, i've a rare scenario with one of my customers and i though that
someone from here could give me some fresh(?) ideas.

My client has it's own MTA (wich i don't manage, neither have access to
logs, etc) and it sends all outbound traffic to my server that has
(MScanner, SA, clamav, dcc, pyzor, razor, some custom rules, etc).

The problem i've right now is that (i assume) some malware stole valid
user/passwords to authenticate in the smtp server of my client, so tons
of spam are trying to get out to internet through my server.

Althogh all anti-spam stuff seems to work, i need some new
countermeasures to stop this at MailScanner stage (i cant do anything at
MTA level because everything comes from the same ip).

Any idea?

something like my own checksum repository, or url blacklist, or header
authentication matching, etc.

Any help would be appreciated.

Eduardo.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20090204/b65cc7b5/attachment.html


More information about the MailScanner mailing list