Spam Problem

Randal, Phil prandal at herefordshire.gov.uk
Wed Jan 21 13:58:11 GMT 2009


These rules were posted by Tom Brown to the SARE Users mailing list
recently (and to the spamassassin users list by Michael Hutchinson):
 
Subject: [Sare-users] forged bounces...

 

these rules might be useful. I woke up to a slew of these in my
inbox...

my thinking in the score of 1 for TOM_TO_EQ_FR is that legit messages of
this form should look VERY legit and be unlikely to score high...

 

header   __TOM_TO_EQ_FRa ALL =~ m/^From:\s+?<?(.+@.+)>?(\s|$)[^\0]*^To:.*\1/m
header   __TOM_TO_EQ_FRb ALL =~ m/^To:\s+?<?(.+@.+)>?(\s|$)[^\0]*^From:.*\1/m
meta     TOM_TO_EQ_FR __TOM_TO_EQ_FRa || __TOM_TO_EQ_FRb
score    TOM_TO_EQ_FR 1
describe TOM_TO_EQ_FR To and From are the same, could be a cc or a forgery

header   __TOM_BOUNCE Subject =~ /(This mail is refused message|\*\*Message you sent blocked by our bulk email filter\*\*|Your message could not be delivered|Non delivery report: 5.9.4 \(Spam SLS\/RBL\)|Please confirm your message|Returned mail: Quota exceeded)/

meta     TOM_BAD_BOUNCE __TOM_BOUNCE && TOM_TO_EQ_FR
describe TOM_BAD_BOUNCE looks like a forged bounce (known sub and to==from)
score    TOM_BAD_BOUNCE 2.5

 

 Cheers,

 

Phil

-- 
Phil Randal | Networks Engineer 
Herefordshire Council | Deputy Chief Executive's Office | I.C.T.
Services Division 
Thorn Office Centre, Rotherwas, Hereford, HR2 6JT 
Tel: 01432 260160 
email: prandal at herefordshire.gov.uk 


 

________________________________

From: mailscanner-bounces at lists.mailscanner.info
[mailto:mailscanner-bounces at lists.mailscanner.info] On Behalf Of
dw at lker.co.uk
Sent: 21 January 2009 13:40
To: mailscanner at lists.mailscanner.info
Subject: Spam Problem



 

Hi

 

 Can anyone tell me how I can adjust mailscanner settings to help cure
our current SPAM problem?

 

We are being plagued with emails that are sent with the address of our
users, but not from our mailserver. 

Basically an email is sent to the user fred at domain from fred at domain. 

All 8 users seem to have the same problem, so we are assuming that
someone has had a virus at some point. The return address is the same as
the recipient, but the email server in the header file is NOT our
mailserver. These are not just bounced emails, they are from and to the
same person.

Unfortunately we are receiving 100's each per day.

 

There will NEVER be a case where an email would be sent by one of our
users (ie with our domain email addresses) unless the email originated
from our mailserver.

 

Can I set mailscanner to somehow delete an email if it has one of our
sender addresses but does not ORIGINATE from our server?

I have tried the watermark feature thinking that would help but I think
I'm mistaken.

 

Thanks

 

Darren
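
To see what the quoted rules would score on the kind of mail described in the original question, here is a small Python port of the rule logic. It is an added example, not part of either post or of SpamAssassin; it assumes the archive's " at " stood for "@" in the patterns, and the header blocks and example.org / example.net addresses are constructed.

```python
import re
from email import message_from_string

# Python ports of the quoted patterns (Perl /m becomes re.M).
TO_EQ_FR_A = re.compile(r"^From:\s+?<?(.+@.+)>?(\s|$)[^\0]*^To:.*\1", re.M)
TO_EQ_FR_B = re.compile(r"^To:\s+?<?(.+@.+)>?(\s|$)[^\0]*^From:.*\1", re.M)
BOUNCE_SUBJECT = re.compile(
    r"(This mail is refused message"
    r"|\*\*Message you sent blocked by our bulk email filter\*\*"
    r"|Your message could not be delivered"
    r"|Non delivery report: 5.9.4 \(Spam SLS/RBL\)"
    r"|Please confirm your message"
    r"|Returned mail: Quota exceeded)"
)
SCORES = {"TOM_TO_EQ_FR": 1.0, "TOM_BAD_BOUNCE": 2.5}


def evaluate(raw_headers):
    """Return (rule hits, summed score) for one raw header block."""
    hits = []
    # meta TOM_TO_EQ_FR: either header order may match.
    to_eq_fr = bool(TO_EQ_FR_A.search(raw_headers) or TO_EQ_FR_B.search(raw_headers))
    if to_eq_fr:
        hits.append("TOM_TO_EQ_FR")
    # meta TOM_BAD_BOUNCE: known bounce subject AND To == From.
    subject = message_from_string(raw_headers).get("Subject", "")
    if to_eq_fr and BOUNCE_SUBJECT.search(subject):
        hits.append("TOM_BAD_BOUNCE")
    return hits, sum(SCORES[h] for h in hits)


# Constructed sample header blocks.
SAMPLES = {
    "forged_bounce": ("Received: from mx.example.net\nFrom: <fred@example.org>\n"
                      "To: fred@example.org\nSubject: Returned mail: Quota exceeded\n"),
    "self_addressed": ("From: fred@example.org\nTo: fred@example.org\n"
                       "Subject: Hello\n"),
    "real_bounce": ("From: MAILER-DAEMON@example.net\nTo: fred@example.org\n"
                    "Subject: Returned mail: Quota exceeded\n"),
    "normal": ("From: alice@example.com\nTo: fred@example.org\n"
               "Subject: Lunch\n"),
}

if __name__ == "__main__":
    for name, headers in SAMPLES.items():
        print(name, *evaluate(headers))
```

A self-addressed message with an ordinary subject picks up only the 1 point from TOM_TO_EQ_FR; the extra 2.5 applies only when the subject also matches one of the listed bounce phrases.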

 

 

 

