Rechnung offline Spam

Kai Schaetzl maillists at conactive.com
Fri Jun 13 10:33:47 IST 2014


Johan Hendriks wrote on Wed, 11 Jun 2014 15:41:49 +0200:

> I am trying to stop some spam but it seems MailScanner just lets them 
> pass...

Check if it hits. You can do this with SA --lint. If SA hits, then check 
if MS runs it with the same config. An easy check if your custom rule is 
in the right place (e.g. you are doing it the first time ...) is to place 
a deliberately *wrong* rule there and then run SA --lint. It should bark 
about it. e.g.

header whatever      

alone should be sufficient to trigger a warning or even an error with SA.
If it does you know it's in the right place, then do the same with MS.

If you put your .cf file in the SA rules directory (usually 
/etc/mail/spamassassin), then it will get picked up. There is no need to 
add it to another file.

Please note that the *real* invoices by Deutsche Telekom have the *same* 
subject!

A good way to identify this spam is to look for the mailer software 
(/^X-Mailer:.*Blat.*/ or /^X-MimeOLE:.*Produced by Blat.*/). This spam 
(also the big spam run in January) is getting sent from Windows zombies 
with the help of Blat (you could also look just for a specific version, 
I think it's always 3.1.1). So you can have a meta rule for them.

Also, if these messages (sometimes they come in really big quantities) 
pose a problem for your mail system you can enforce a (temporary) header 
check with postfix and reject them right away. Of course, this will reject 
legitimate mailing list mail sent by Blat as well (but it's rare). So, use 
it only as a temporary measure.


Kai

-- 
Get your web at Conactive Internet Services: http://www.conactive.com
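
The meta rule suggested in the message above, sketched as a SpamAssassin rules file. This is an added example, not part of the original post: the file name, rule names, score and the subject pattern are assumptions or placeholders, and only the two Blat header patterns come from the message.

```conf
# /etc/mail/spamassassin/local_blat.cf   (hypothetical file name)
#
# Sub-rules start with "__" so they carry no score of their own and
# only feed the meta rule below.

# Mailer fingerprints named in the post.
header   __LOCAL_BLAT_XMAILER   X-Mailer  =~ /Blat/
header   __LOCAL_BLAT_MIMEOLE   X-MimeOLE =~ /Produced by Blat/

# PLACEHOLDER: put the subject pattern of the spam run here. The post
# warns that the real invoices use the same subject, so this sub-rule
# must never be scored on its own.
header   __LOCAL_INVOICE_SUBJ   Subject =~ /REPLACE-WITH-SUBJECT-PATTERN/

# Fire only when the invoice subject arrives together with a Blat
# fingerprint; an invoice without those headers is not matched.
meta     LOCAL_BLAT_INVOICE     (__LOCAL_BLAT_XMAILER || __LOCAL_BLAT_MIMEOLE) && __LOCAL_INVOICE_SUBJ
describe LOCAL_BLAT_INVOICE     Invoice subject on a message sent with Blat
score    LOCAL_BLAT_INVOICE     4.0    # assumed value, tune to your threshold

# After saving, run "spamassassin --lint" to confirm the file parses,
# then check that MailScanner reads the same rules directory.
```

Mailing list software and scripts that send through Blat will also match the two header sub-rules, which is why they are combined with the subject instead of being scored alone.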




