Filtering OutBound SPAM

Eduardo Casarero ecasarero at
Wed Feb 4 15:38:01 GMT 2009

2009/2/4 Randal, Phil <prandal at>

> Whilst everything comes from the same IP (client's MTA), the Received
> headers should have the infected box's IP address.
> Give that/those a high score in spamassassin, and tell the client to clean
> their infected PCs.

You mean manually check headers? And then add a high score?

> Cheers,
> Phil
> --
> Phil Randal | Networks Engineer
> Herefordshire Council | Deputy Chief Executive's Office | I.C.T. Services
> Division
> Thorn Office Centre, Rotherwas, Hereford, HR2 6JT
> Tel: 01432 260160
> email: prandal at
>  ------------------------------
> *From:* mailscanner-bounces at [mailto:
> mailscanner-bounces at] *On Behalf Of *Eduardo
> Casarero
> *Sent:* 04 February 2009 15:22
> *To:* MailScanner discussion
> *Subject:* OT: Filtering OutBound SPAM
> Hi, I've a rare scenario with one of my customers and I thought that someone
> from here could give me some fresh(?) ideas.
> My client has its own MTA (which I don't manage, neither have access to
> logs, etc.) and it sends all outbound traffic to my server that has
> (MScanner, SA, clamav, dcc, pyzor, razor, some custom rules, etc.).
> The problem I've right now is that (I assume) some malware stole valid
> user/passwords to authenticate in the SMTP server of my client, so tons of
> spam are trying to get out to the internet through my server.
> Although all anti-spam stuff seems to work, I need some new countermeasures
> to stop this at MailScanner stage (I can't do anything at MTA level because
> everything comes from the same IP).
> Any idea?
> Something like my own checksum repository, or URL blacklist, or header
> authentication matching, etc.
> Any help would be appreciated.
> Eduardo.
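The Received-header check discussed in this thread can be automated rather than done by hand. The following is an added example, not code from either poster or from MailScanner: it pulls the IP that submitted each message to the client's MTA, counts messages per IP, and emits a SpamAssassin rule for the heaviest sender. The relay address, the Postfix-style `[a.b.c.d]` header layout, the single hop behind the relay, the rule name `LOCAL_INFECTED_HOST`, and all sample messages are assumptions constructed for illustration.

```python
import re
from collections import Counter
from email import message_from_string

CLIENT_MTA_IP = "203.0.113.10"  # assumption: the client's MTA, our only peer
BRACKETED_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def submitting_ip(raw_message, relay_ip=CLIENT_MTA_IP):
    """IP of the host that handed the message to the client's MTA, or None."""
    msg = message_from_string(raw_message)
    # Newest hop first: ours names the relay, the next was written by the
    # client's MTA. Older headers are sender-controlled, so ignore them.
    for hop in msg.get_all("Received", [])[:2]:
        match = BRACKETED_IP.search(hop)
        if match and match.group(1) != relay_ip:
            return match.group(1)
    return None

def top_senders(raw_messages, threshold=3):
    """(ip, count) pairs for internal hosts at or above the threshold."""
    counts = Counter(ip for ip in map(submitting_ip, raw_messages) if ip)
    return [(ip, n) for ip, n in counts.most_common() if n >= threshold]

def sa_rule(ip, name="LOCAL_INFECTED_HOST", score=10.0):
    """SpamAssassin header rule lines scoring mail that passed through ip."""
    return [f"header {name} Received =~ /\\[{re.escape(ip)}\\]/",
            f"score {name} {score}"]

def sample_message(internal_ip, forged=None):
    """Constructed sample message; hostnames and addresses are made up."""
    lines = [
        "Received: from mta.client.example (mta.client.example [203.0.113.10])",
        "\tby filter.example.net with ESMTP; Wed, 4 Feb 2009 15:00:00 +0000",
        f"Received: from pc (unknown [{internal_ip}])",
        "\tby mta.client.example with ESMTPA; Wed, 4 Feb 2009 14:59:58 +0000",
    ]
    if forged:  # header injected by the sender to mislead header analysis
        lines.append(f"Received: from mail.example.org ([{forged}]) by pc")
    lines += ["From: user@client.example", "Subject: sample", "", "body"]
    return "\n".join(lines)

SAMPLES = [sample_message("192.0.2.23")] * 4 + [
    sample_message("192.0.2.40"),
    sample_message("192.0.2.23", forged="198.51.100.7"),
]

if __name__ == "__main__":
    for ip, count in top_senders(SAMPLES):
        print(count, ip, *sa_rule(ip), sep="\n  ")
```

Only the two newest Received headers are read because anything older was supplied by the sending host and can be forged.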