Rechnung offline Spam
Kai Schaetzl
maillists at conactive.com
Fri Jun 13 10:33:47 IST 2014
Johan Hendriks wrote on Wed, 11 Jun 2014 15:41:49 +0200:
> I am trying to stop some spam but it seems MailScanner just lets them
> pass...
Check if it hits. You can do this with SA --lint. If SA hits, then check
if MS runs it with the same config. An easy check if your custom rule is
in the right place (e.g. you are doing it the first time ...) is to place
a deliberately *wrong* rule there and then run SA --lint. It should bark
about it. e.g.
header whatever
alone should be sufficient to trigger a warning or even an error with SA.
If it does you know it's in the right place, then do the same with MS.
If you put your .cf file in the SA rules directory (usually
/etc/mail/spamassassin), then it will get picked up. There is no need to
add it to another file.
Please note that the *real* invoices by Deutsche Telekom have the *same*
subject!
A good way to identify this spam is to look for the mailer software
(/^X-Mailer:.*Blat.*/ or /^X-MimeOLE:.*Produced by Blat.*/). This spam (also
the big spam run in January) is getting sent from Windows zombies with the
help of Blat (you could also look just for a specific version, I think
it's always 3.1.1). So you can have a meta rule for them.
Also, if these messages (sometimes they come in really big quantities)
pose a problem for your mail system you can enforce a (temporary) header
check with postfix and reject them right away. Of course, this will reject
legitimate mailing list mail sent by Blat as well (but it's rare). So, use
it only as a temporary measure.
Kai
--
Get your web at Conactive Internet Services: http://www.conactive.com
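
The two header patterns from the reply above, evaluated over constructed sample messages (an added example, not part of the original post and not MailScanner or SpamAssassin code). Combining the Blat test with a subject test as the meta condition, the subject pattern itself, and all sample headers are assumptions made for illustration.

```python
import re
from email import message_from_string, policy

# Patterns quoted in the post, applied to each unfolded "Name: value" header line.
BLAT_PATTERNS = [
    re.compile(r"^X-Mailer:.*Blat.*", re.I),
    re.compile(r"^X-MimeOLE:.*Produced by Blat.*", re.I),
]
# Assumption: subject test for the invoice run; the real subject is not in the post.
SUBJECT_PATTERN = re.compile(r"^Subject:.*Rechnung", re.I)


def header_lines(raw):
    """Return unfolded 'Name: value' lines for every header in the message."""
    msg = message_from_string(raw, policy=policy.default)
    return [f"{name}: {value}" for name, value in msg.items()]


def evaluate(raw):
    """Evaluate both sub-tests and the meta condition (subject AND Blat)."""
    lines = header_lines(raw)
    blat = any(p.search(line) for line in lines for p in BLAT_PATTERNS)
    subject = any(SUBJECT_PATTERN.search(line) for line in lines)
    return {"blat": blat, "subject": subject, "meta": blat and subject}


# Constructed samples. The spam sample folds X-MimeOLE across two lines, which a
# naive line-by-line match on the raw text would miss.
SPAM = ("From: billing@example.net\nSubject: Ihre Rechnung (constructed)\n"
        "X-MimeOLE: Produced\n by Blat v3.1.1\n\nbody\n")
REAL_INVOICE = ("From: billing@example.com\nSubject: Ihre Rechnung (constructed)\n"
                "X-Mailer: ExampleBiller 2.0\n\nbody\n")
LIST_MAIL = ("From: builds@example.org\nSubject: Weekly build report\n"
             "X-Mailer: Blat v3.1.1\n\nbody\n")

if __name__ == "__main__":
    for name, raw in [("spam", SPAM), ("real invoice", REAL_INVOICE),
                      ("list mail via Blat", LIST_MAIL)]:
        print(name, evaluate(raw))
```

The real invoice matches only the subject test and the Blat-sent list mail matches only the mailer test, which is why neither test alone is a safe reject criterion.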