Filtering OutBound SPAM
Randal, Phil
prandal at herefordshire.gov.uk
Wed Feb 4 15:51:20 GMT 2009
Well, on some of them... With a bit of luck, it'll only be a few
infected boxes.
You'd need a meta rule in SA and two "Received" matches - the IP of
client's MTA and infected PC's internal IP.
Cheers,
Phil
--
Phil Randal | Networks Engineer
Herefordshire Council | Deputy Chief Executive's Office | I.C.T.
Services Division
Thorn Office Centre, Rotherwas, Hereford, HR2 6JT
Tel: 01432 260160
email: prandal at herefordshire.gov.uk
Any opinion expressed in this e-mail or any attached files are those of
the individual and not necessarily those of Herefordshire Council.
This e-mail and any attached files are confidential and intended solely
for the use of the addressee. This communication may contain material
protected by law from being passed on. If you are not the intended
recipient and have received this e-mail in error, you are advised that
any use, dissemination, forwarding, printing or copying of this e-mail
is strictly prohibited. If you have received this e-mail in error please
contact the sender immediately and destroy all copies of it.
________________________________
From: mailscanner-bounces at lists.mailscanner.info
[mailto:mailscanner-bounces at lists.mailscanner.info] On Behalf Of Eduardo
Casarero
Sent: 04 February 2009 15:38
To: MailScanner discussion
Subject: Re: Filtering OutBound SPAM
2009/2/4 Randal, Phil <prandal at herefordshire.gov.uk>
Whilst everything comes from the same IP (client's MTA), the
Received headers should have the infected box's IP address.
Give that/those a high score in spamassassin, and tell the
client to clean their infected PCs
You mean mannually check headers? and then add a high score?
Cheers,
Phil
--
Phil Randal | Networks Engineer
Herefordshire Council | Deputy Chief Executive's Office | I.C.T.
Services Division
Thorn Office Centre, Rotherwas, Hereford, HR2 6JT
Tel: 01432 260160
email: prandal at herefordshire.gov.uk
Any opinion expressed in this e-mail or any attached files are
those of the individual and not necessarily those of Herefordshire
Council.
This e-mail and any attached files are confidential and intended
solely for the use of the addressee. This communication may contain
material protected by law from being passed on. If you are not the
intended recipient and have received this e-mail in error, you are
advised that any use, dissemination, forwarding, printing or copying of
this e-mail is strictly prohibited. If you have received this e-mail in
error please contact the sender immediately and destroy all copies of
it.
________________________________
From: mailscanner-bounces at lists.mailscanner.info
[mailto:mailscanner-bounces at lists.mailscanner.info] On Behalf Of Eduardo
Casarero
Sent: 04 February 2009 15:22
To: MailScanner discussion
Subject: OT: Filtering OutBound SPAM
Hi, i've a rare scenario with one of my customers and i though
that someone from here could give me some fresh(?) ideas.
My client has it's own MTA (wich i don't manage, neither have
access to logs, etc) and it sends all outbound traffic to my server that
has (MScanner, SA, clamav, dcc, pyzor, razor, some custom rules, etc).
The problem i've right now is that (i assume) some malware stole
valid user/passwords to authenticate in the smtp server of my client, so
tons of spam are trying to get out to internet through my server.
Althogh all anti-spam stuff seems to work, i need some new
countermeasures to stop this at MailScanner stage (i cant do anything at
MTA level because everything comes from the same ip).
Any idea?
something like my own checksum repository, or url blacklist, or
header authentication matching, etc.
Any help would be appreciated.
Eduardo.
--
MailScanner mailing list
mailscanner at lists.mailscanner.info
http://lists.mailscanner.info/mailman/listinfo/mailscanner
Before posting, read http://wiki.mailscanner.info/posting
Support MailScanner development - buy the book off the website!
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20090204/a39983df/attachment.html
More information about the MailScanner
mailing list