Filtering OutBound SPAM

Randal, Phil prandal at herefordshire.gov.uk
Wed Feb 4 15:51:20 GMT 2009


Well, on some of them...  With a bit of luck, it'll only be a few
infected boxes.
 
You'd need a meta rule in SA and two "Received" matches - the IP of
client's MTA and infected PC's internal IP.
 
Cheers,
 
Phil
 

-- 
Phil Randal | Networks Engineer 
Herefordshire Council | Deputy Chief Executive's Office | I.C.T.
Services Division 
Thorn Office Centre, Rotherwas, Hereford, HR2 6JT 
Tel: 01432 260160 
email: prandal at herefordshire.gov.uk 


 

________________________________

From: mailscanner-bounces at lists.mailscanner.info
[mailto:mailscanner-bounces at lists.mailscanner.info] On Behalf Of Eduardo
Casarero
Sent: 04 February 2009 15:38
To: MailScanner discussion
Subject: Re: Filtering OutBound SPAM




2009/2/4 Randal, Phil <prandal at herefordshire.gov.uk>


	Whilst everything comes from the same IP (client's MTA), the
Received headers should have the infected box's IP address.
	 
	Give that/those a high score in SpamAssassin, and tell the
client to clean their infected PCs.
	 


You mean manually check headers? And then add a high score?
 

	Cheers,
	 
	Phil
	 

________________________________

	From: mailscanner-bounces at lists.mailscanner.info
[mailto:mailscanner-bounces at lists.mailscanner.info] On Behalf Of Eduardo
Casarero
	Sent: 04 February 2009 15:22
	To: MailScanner discussion
	Subject: OT: Filtering OutBound SPAM
	
	
	Hi, I have a rare scenario with one of my customers and I thought
that someone from here could give me some fresh(?) ideas.
	
	My client has its own MTA (which I don't manage, nor do I have
access to logs, etc) and it sends all outbound traffic to my server that
has (MScanner, SA, clamav, dcc, pyzor, razor, some custom rules, etc).
	
	The problem I have right now is that (I assume) some malware stole
valid user/passwords to authenticate in the SMTP server of my client, so
tons of spam are trying to get out to the internet through my server.
	
	Although all the anti-spam stuff seems to work, I need some new
countermeasures to stop this at the MailScanner stage (I can't do anything at
MTA level because everything comes from the same IP).
	
	Any idea?
	
	Something like my own checksum repository, or URL blacklist, or
header authentication matching, etc.
	
	Any help would be appreciated.
	
	Eduardo.
	

	
	


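Added example, not part of the thread: one way to avoid checking headers by hand is to tally the internal IP that the client's MTA stamps on messages already judged spam, then emit the SpamAssassin meta rule with the two "Received" matches described above. The MTA IP and name, the bracketed-IP Received format, the rule names, the score, and the assumption that the scanning server adds exactly one Received header are all illustrative; the sample messages are constructed.

```python
import email
import re
from collections import Counter

# Assumed values for illustration; replace with the real relay details.
CLIENT_MTA_IP = "192.0.2.10"             # client's MTA as seen by the scanning server
CLIENT_MTA_NAME = "mail.client.example"  # name that MTA stamps after "by"
BRACKETED_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def internal_sender_ip(raw_message):
    """IP the client's MTA recorded for the submitting PC, or None."""
    hops = [" ".join(h.split())  # unfold continuation lines
            for h in email.message_from_string(raw_message).get_all("Received", [])]
    # hops[0] is stamped by our server, hops[1] by the client's MTA. Anything
    # lower was supplied by the sender and may be forged, so it is ignored.
    if len(hops) < 2 or f"[{CLIENT_MTA_IP}]" not in hops[0]:
        return None
    from_part, _, by_part = hops[1].partition(" by ")
    if not by_part.startswith(CLIENT_MTA_NAME):
        return None
    match = BRACKETED_IP.search(from_part)
    return match.group(1) if match else None

def suspect_ips(spam_messages, min_hits=2):
    """Internal IPs seen on at least min_hits messages already judged spam."""
    counts = Counter(filter(None, map(internal_sender_ip, spam_messages)))
    return [ip for ip, hits in counts.most_common() if hits >= min_hits]

def sa_rules(ips, score=10.0):
    """SpamAssassin meta rules: client MTA Received match AND PC Received match."""
    lines = [f"header __RCVD_CLIENT_MTA Received =~ /\\[{re.escape(CLIENT_MTA_IP)}\\]/"]
    for n, ip in enumerate(ips, 1):
        lines += [f"header __RCVD_PC_{n} Received =~ /\\[{re.escape(ip)}\\]/",
                  f"meta LOCAL_INFECTED_PC_{n} (__RCVD_CLIENT_MTA && __RCVD_PC_{n})",
                  f"score LOCAL_INFECTED_PC_{n} {score}"]
    return "\n".join(lines)

def sample_message(pc_ip, n, forged=""):
    """Constructed message with the two trusted hops plus an optional forged hop."""
    return (f"Received: from {CLIENT_MTA_NAME} ({CLIENT_MTA_NAME} [{CLIENT_MTA_IP}])\n"
            f"\tby relay.isp.example with ESMTP id A{n}\n"
            f"Received: from pc ([{pc_ip}])\n"
            f"\tby {CLIENT_MTA_NAME} with ESMTPA id B{n}\n"
            f"{forged}Subject: sample {n}\n\nbody\n")

SAMPLE_SPAM = [sample_message("10.1.2.34", 1), sample_message("10.1.2.34", 2),
               sample_message("10.1.2.34", 3, "Received: from x ([10.9.9.9]) by y\n"),
               sample_message("10.1.2.77", 4)]

if __name__ == "__main__":
    print(sa_rules(suspect_ips(SAMPLE_SPAM)))
```

The generated lines go into a local SpamAssassin rules file; the `__` prefix keeps the two header matches as unscored sub-rules so only the meta rule contributes to the score.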