Spammer with attachment that bypasses spamassassin
L.P.H. van Belle
belle at bazuin.nl
Fri Mar 29 12:30:40 UTC 2019
Yes, you can increase the size so it does hit SpamAssassin.
This part:
X-Original-Authentication-Results: gmr-mx.google.com; spf=pass
(google.com: domain of MailScanner warning: numerical links are often malicious: xxx at xxxxx.xxx designates XX.XX.XX.XX as permitted
sender) smtp.mailfrom=xxx at xxxxx.xxx
You can also report the spammer at gmail.com since he is abusing the list.
And you could make a SpamAssassin rule that triggers on: smtp.mailfrom=xxx at xxxxx.xxx
But without the source IP numbers it's hard to do a full check on this.
Increase the attachment size to 2Mb.
sed -i '/^Max Spam Check Size =/ c\Max Spam Check Size = 2048k' /etc/MailScanner/MailScanner.conf
Greetings.
Louis
From: George Papamichelakis [mailto:gpapamichelakis at gmail.com]
Sent: Friday 29 March 2019 12:29
To: MailScanner Discussion
CC: L.P.H. van Belle
Subject: Re: Spammer with attachment that bypasses spamassassin
Sure, here they are. I just tweaked the IPs and names. I noticed this in my postfix log file:
MailScanner[29247]: Message BC40B48E89.AA059 from XXX.XXX.XXX.XXX (business-education+bncbcgz73fdtyhrblo767sakgqeq2agr3q at googlegroups.com) to xxxx.xxx is too big for spam checks (2655956 > 200000 bytes)
The headers are :
Return-Path: <business-education+bncbcgz73fdtyhrblo767sakgqeq2agr3q at googlegroups.com>
Received: from xxx.xxxx.xxxx by xxx.xxxx.xxxx (Dovecot) with LMTP id sbwwFzzwnVyRAgAAyyBr5g ; Fri, 29 Mar 2019 12:15:24 +0200
Received: by xxx.xxxx.xxxx (Postfix) id 0FAC948E16; Fri, 29 Mar 2019 12:15:24 +0200 (EET)
Delivered-To: MailScanner warning: numerical links are often malicious: xx at xxxx.xx
Received: from mail-wr1-f57.google.com (mail-wr1-f57.google.com [209.85.221.57]) by xxx.xxxx.xxxx (Postfix) with ESMTPS id BC40B48E89 for MailScanner warning: numerical links are often malicious: <xxx at xxxx.xxx>; Fri, 29 Mar 2019 12:13:06 +0200 (EET)
Received: by mail-wr1-f57.google.com with SMTP id e14sf1337667wrt.18 for MailScanner warning: numerical links are often malicious: <xxxxx at xxxx.xxx>; Fri, 29 Mar 2019 03:13:06 -0700 (PDT)
ARC-Seal: i=2; a=rsa-sha256; t=1553854386; cv=pass; d=google.com; s=arc-20160816; b=bDj3MoszOIe10YUpXat4fWayZVSj+yX/GmZoXvbzayZem079c+fa/0VjHMWnOGNVVv GSy6RosiKQb7I7tol7BK6anz+YUuAahwsWx3lTvF+Z7dZxXWXlqQQpY/aYDxqX4Tcpfp 7T4jRX3Qj8erZiZyRvwZcwMUoWmlqSfzoJnW0NFRv3/sGRPXMoJsAf/e2ruroiv+JfBH aVYACrXqE+dKLcQ37jc6mTZ+MKbrjF8P7T5F/GMHMcUP8MdfT30nrpva7YCjAnGHRdFY eaQlTUps/y8WrDf8/3sKk5iEsYeUbVzZRZqG67mWcE0ibJolsRyE61pRd/6jiTEe/8pV Dg5g==
ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-unsubscribe:list-archive:list-help:list-post:list-id :mailing-list:precedence:reply-to:to:subject:message-id:date:from :in-reply-to:references:mime-version:sender:dkim-signature; bh=DBS0pCCxQKHrs8JD5K0bx+wdmtXC5ACr4zeYr1o30+0=; b=mwjvFhzXcRvrSjDWhAnzJej7aZq9m06V16MDIhceydPwo2hOxECQwHzDVHFM6Bi+UO moUnvEYFOroVCWKrwTGIaDz7sE871ZfvJ147JIVzXs+XiMuasFXYlTVe3+yO5BHX2Jnj oX0k83tzybV4eyBCFLnD60ZDAKdSVHFL9tVltefRgTBf5z9WEo2XBwhxxd8YzKfgGfvL 2MoiAD+LOWPYZAfabNKGAWaqVBTPeQzGIYjN1MbzEniyO2JSqly0hrXVDmJCUIMxLskp 3U9NqMyNZwhH7QyKwzHTpfRvuMp6e8N4r0gSGdqIkyC6YspAJ8t8Hno5tw5Geoe31li+ XV+w==
ARC-Authentication-Results: i=2; gmr-mx.google.com; spf=pass (google.com: domain of MailScanner warning: numerical links are often malicious: xxx at xxxxx.xxx designates XX.XXX.XX.XX as permitted sender) smtp.mailfrom=xxxx at xxxxxxx.xxx
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=googlegroups.com; s=20161025; h=sender:mime-version:references:in-reply-to:from:date:message-id :subject:to:x-original-sender:x-original-authentication-results :reply-to:precedence:mailing-list:list-id:list-post:list-help :list-archive:list-unsubscribe; bh=DBS0pCCxQKHrs8JD5K0bx+wdmtXC5ACr4zeYr1o30+0=; b=eZ9WUgiIsuUxH7BE4jjvsdfywpvlVI26SsyX5Hk0knrCGt9TLeok/9C4Or2nabBn24 63eyeYX7W58BOVQwO5IR5ZnpKb+Zbab6CIkzaFK9lQX9kbDdXcKSGylI0P+++Mdcna1U 4BPwHpCYNC8qXf6UNcBtT709eZ0Q5jsbQMnv5lZchvSWqc3rEqvt1w3yDyaMGV4Rp6U4 7fROjJPTr2FazJd4KHOBDrYu+4nram1vJEFpuNtZOkomSTFaOzQ8KsNefQabfpLTd6/L 5w/+KpPCFK+flpZX3UlltQZmq2Ixr9Riz2EOek+FC5veXdTuLXWC1dQPXIxGQXZb2A3y IsEw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=sender:x-gm-message-state:mime-version:references:in-reply-to:from :date:message-id:subject:to:x-original-sender :x-original-authentication-results:reply-to:precedence:mailing-list :list-id:x-spam-checked-in-group:list-post:list-help:list-archive :list-unsubscribe; bh=DBS0pCCxQKHrs8JD5K0bx+wdmtXC5ACr4zeYr1o30+0=; b=bBifMmPz8ja6VAfzvMblxLJYpeeN7MAr7CRvM21URzrJqgKt+wO0A7wspMGIiPflcQ 0H+9McmWSGYxe9OPzzG3PfLYEsti8AZokMe0JEfeGTOecdz+nw/soB5p2shg+cE9eQ7y f7N2eRed9g5hbUzIVr30C7N274FW4eemUpCQbnHTZOcoA1b5PHYA2DtUa39GjCzoSzQE lXTy7og3ph+4fwAZpF6DDWRdi4VnqsuQgF/gDZXQRnV7/zeRBpgVHFwQojvEubWnU8My fH3J59R7OU7mhHaBI8FDBYV4Fw9OEWsDTazHlMgp/Mf8trc1ypyHXjkPNQ1wCvAPeykK clBQ==
Sender: business-education at googlegroups.com
X-Gm-Message-State: APjAAAVBRH41sEGircSxa9aCNJ3+Gdoqi3VgJziDALz6lNRtMiIgExdF bsKc5TOvc09p4IItxZTro7A=
X-Google-Smtp-Source: APXvYqzBH7+DrvOsVWtQ5ngRAm9523F7UnycoTigNImCbDoQsHOZ0qJiR4B4VvykasuyECpJ1eOX7w==
X-Received: by 2002:a5d:6b0d:: with SMTP id v13mr6769541wrw.284.1553854385485; Fri, 29 Mar 2019 03:13:05 -0700 (PDT)
X-BeenThere: business-education at googlegroups.com
Received: by 2002:adf:f8c6:: with SMTP id f6ls113789wrq.11.gmail; Fri, 29 Mar 2019 03:13:00 -0700 (PDT)
X-Received: by 2002:adf:de84:: with SMTP id w4mr1246311wrl.13.1553854380443; Fri, 29 Mar 2019 03:13:00 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1553854380; cv=none; d=google.com; s=arc-20160816; b=xQxxAGbN12GnmeQEd7IEF6uy7+LGBRZo+VAa2c7356vtwtz4zsIhwBKpR4oN71gWHR B/Qiy8szZvSCHkWZe242aJIqcwUmaxh7MS0dRlb3zKCiKd2mGkH7bzxjrOOH7iUagRQJ Ikw6z1OJY+vslqv70A5ACJwrNyu5L9qhpQJ1EIv1umR4GzIXjWJyzKS4w+ysyy0WJ0HE lLR2JTwghOnV4tBUNZYSuPyhgjgX3bTobTN+zGbcL3fptIE6xYG7FbWo6zOe9gymmopX yiR0Zbm7k0qh6r9j8uctE/1T3ULtirFpaGB2I+RWRe4U1Q6tlM+lQQ3/4Z6GR36thS6X 9nIg==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=to:subject:message-id:date:from:in-reply-to:references:mime-version; bh=cH+xK7PaOEPF19A/Hsv+6kzx+bqBeZZESuscUNhVNKc=; b=gvkuJ5kbSe5L4BxQLFnPirRSXUW7PDhMkOz4keTxL7biWAhdBPWQA5If1ShPdKQYfi to+kA2cddc1vAfSqI52ZnJU+//1DgoR/tw80F7enOnvS8kFkYQCoglrGpvjeAZSEozLR WIdEdLGHcrGWdDnAg5kK0P11YALOtl7dXQA25UPwbdZzWfXRsRpDmePVz8gWXNsFQk2U 3eKzK/y1r1iYJAVTC2pOF4ZIFPG8SfrsRRBFsWjnechjmI3a+4K1nsqVafgHR7+/z6fJ LrN2JcAbNvJL4EqI0oZcK0aHzkQGXM1ZZH5S6VXcLvfL2xCNpdxGWkEYNp13U8n760o3 ZssA==
ARC-Authentication-Results: i=1; gmr-mx.google.com; spf=pass (google.com: domain of MailScanner warning: numerical links are often malicious: xxx at xxxxx.xxx designates XX.XX.XX.XX as permitted sender) smtp.mailfrom=xxx at xxxx.xxx
Received: from xxxxx.xxxx.xxxx (XXx.xxxxxx.xxx. [XX.XX.XX.XX]) by gmr-mx.google.com with ESMTPS id n65si73301wma.1.2019.03.29.03.12.59 for <business-education at googlegroups.com> (version=TLS1 cipher=AES128-SHA bits=128/128); Fri, 29 Mar 2019 03:13:00 -0700 (PDT)
Received-SPF: pass (google.com: domain of MailScanner warning: numerical links are often malicious: xxx at xxxxxx.xxx designates XX.XX.XX.XX as permitted sender) client-ip=XX.XX.XX.XX;
Received: from mail-vs1-f52.google.com (mail-vs1-f52.google.com [209.85.217.52]) (Authenticated sender: MailScanner warning: numerical links are often malicious: xxx at xxxxxx.xxx) by xxxxx.xxx.xxx (ESMTP) with ESMTPSA for <business-education at googlegroups.com>; Fri, 29 Mar 2019 12:12:52 +0200 (EET)
Received: by mail-vs1-f52.google.com with SMTP id j184so943199vsd.11 for <business-education at googlegroups.com>; Fri, 29 Mar 2019 03:12:52 -0700 (PDT)
X-Received: by 2002:a67:e28d:: with SMTP id g13mr29911012vsf.121.1553854370951; Fri, 29 Mar 2019 03:12:50 -0700 (PDT)
MIME-Version: 1.0
References: <CANRqB_k2U-5PD3GKpfN=BGBbc7Rkj50aBt1jm0i7zs1PV4EAfQ at mail.gmail.com> <CANRqB_=kJgxPrh-KM2iSseqgZ0mh9R1W-nVv=RN=PjF6pJdOAA at mail.gmail.com> <CANRqB_nAbwsN-UJrbvqTFhS9imbvvxeTm_xnT7gAMyRJ68=GgQ at mail.gmail.com> <CANRqB_mkywZVo5t6sa3Qo48RKhb_Yqzp9vR0LrqZfmKHecB7fg at mail.gmail.com> <CANRqB_mT7aJP8Uhgn4ejqLpsH5Gwc3uQXAJ82rZf--6x1Sdi6A at mail.gmail.com> <CANRqB_kN2LnaqGNzZ1Ym8u0OOVVo5c=NnZynNq=uHJz2p0VvgA at mail.gmail.com> <CANRqB_k-M2MLUDnZep3XXg4xwbx_qmoJ6n+r43k4GYmCqGmZug at mail.gmail.com> <CANRqB_kU8HapxUfNjOK6WbYEz9T6XLrRs9LnmRgcSOceMpF9zQ at mail.gmail.com> <CANRqB_=+0XBEVY+SizVb+gK11Jv+=LVDN4BKgWcbA5TfWtkJjQ at mail.gmail.com> <CANRqB_ncQnLz9LRSygBY2PRm7TJ3KFdKmssfbFd=TWcWqg=1Hg at mail.gmail.com> <CANRqB_knDxy6qi=ojcxM96uJGaAPp-jZBgDE5bT0qXK+7Rca+Q at mail.gmail.com> <CANRqB_nZNOHhtrrQS_Ki723qfhFOJtVC=ek7h+VW_OJgnK2VEw at mail.gmail.com> <CANRqB_n83NYjSszj8SASF62OEdeYf8SeF6nCdfMWVwBiW0Tx6w at mail.gmail.com> <CANRqB_kHSNLe6nAjaBER5O2GmAnUNE0d6+yayuy0sPf2N8kn0Q at mail.gmail.com> <CANRqB_m59+x1mBEwkgpyLwpcURoTkcWjrtkyX5wYmXLuWx4JMA at mail.gmail.com> <CANRqB_ms7AFhT-y0nwxCOi4B6WL5uh+s_7-vVZq0OEXYfVy_LA at mail.gmail.com> <CANRqB_=9E7D2e=Zyuj5mwTXaOAezA8nFhuVdnVsTc9hCVuKr_w at mail.gmail.com> <CANRqB_=H-AcrnNFApWECjqwn8a2sBjK8aXoPAy1_SoB=XO89rA at mail.gmail.com> <CANRqB_kvL_aJcOUZ4pu5+T85S0Weqvch+iU5A1c2HQuOnjnWsg at mail.gmail.com> <CANRqB_mQ5oZHGfZ=uia6nHF=D0tGW1ajC60hzbUbeFSthFfX7w at mail.gmail.com> <CANRqB_mBMiogbDzukxPbq5ibA8G03fTpVTMvMDCBnWEH0vdy5g at mail.gmail.com> <CANRqB_ksDtpUgj80yc9Rcm+jLV4G=22k41zrbzWeNsREVPOgoQ at mail.gmail.com> <CANRqB_mXAzK9111A_0KCfozyLAWV=PQKLj=depFrLNkMu=SDrw at mail.gmail.com> <CANRqB_k=GjNRDAgwr8sd2k+t0K0Kv8S5AhjXwO41Qiiib5EXiA at mail.gmail.com> <CANRqB_kO54X=ARk1ZTMVQOTYS2R6cqFeMo4s6zCpfTxQT9SP+w at mail.gmail.com> <CANRqB_ms2reFNa8-LONHnes6HDmisZTEC0v+xMZsUG6G0gpyOA at mail.gmail.com> <CANRqB_mpPmRV3BE4r+sR83Mkcv_GOv6tsL9B54oYse3dZrZoMg at mail.gmail.com> <CANRqB_k1cz4Bj9D9g11u1CLQ+eKX3kYeNPtT61i9KHGOsaf8yg at mail.gmail.com> <CANRqB_n7D1wzpsYixJLxWuRiYj5JKHkyYktqMu4-ymNANmZ+dA at mail.gmail.com> <CANRqB_=dOfKyZH4f2zxiZH-h-amP9EV2vCE4EVXWqL20MaAAGw at mail.gmail.com> <CANRqB_mmsbtWsGJm+adKutdox52Vimw-yi7oJVC8Aixw4A8+gw at mail.gmail.com> <CANRqB_mEqvvOW4c+BxLFsHv1hjfwvtYhp42iaNh9ZOuqx9Y21w at mail.gmail.com> <CANRqB_=yGFDpYZmSqUB2bivu=aG8kEAPpRWd7XbhHe7j2V+s1Q at mail.gmail.com> <CANRqB_nXBy1KgPh6GqomXFG=iwskdf06h2ZB11DSKkcBvPdTKQ at mail.gmail.com> <CANRqB_mwLqXSrxzX3HpTBjNSjo=OXSYdnXNo9qAETTXPzD-Mhg at mail.gmail.com> <CANRqB_ny_kxuhkF7NpLHV6EWuV8-nTYU1BT+gYbiheJUW8aQ=Q at mail.gmail.com> <CANRqB_kVFXOdLoqVanySpdQGjar-iLT-Mvg7rJU24napwF5aKw at mail.gmail.com> <CANRqB_=eMeWsNSvFsUC8ToiyDVPe9KHTrDweDJkHzKyx+rzsBQ at mail.gmail.com>
In-Reply-To: <CANRqB_=eMeWsNSvFsUC8ToiyDVPe9KHTrDweDJkHzKyx+rzsBQ at mail.gmail.com>
From: "Business Education" MailScanner warning: numerical links are often malicious: <xxx at xxxxxxx.xxx>
Date: Fri, 29 Mar 2019 12:12:36 +0200
X-Gmail-Original-Message-ID: <CANRqB_kYjsK-UGt_YnRqcDgPE0=3ex9w0SVC-bucpn21kTffCg at mail.gmail.com>
Message-ID: <CANRqB_kYjsK-UGt_YnRqcDgPE0=3ex9w0SVC-bucpn21kTffCg at mail.gmail.com>
Subject: =?UTF-8?B?zpXOmc6UzpnOms6XIM6gzqHOn86jzqbOn86hzpEgzpPOmc6RIM6kzpEgMTIwIEFEVkFOQw==?= =?UTF-8?B?RUQgQ09VUlNFUyDOpM6fzqUgU0JF?=
To: business-education at googlegroups.com
Content-Type: multipart/mixed; boundary="000000000000d0be6e058538e96d"
X-Original-Sender: MailScanner warning: numerical links are often malicious: xxx at xxxxxx.xxx
X-Original-Authentication-Results: gmr-mx.google.com; spf=pass (google.com: domain of MailScanner warning: numerical links are often malicious: xxx at xxxxx.xxx designates XX.XX.XX.XX as permitted sender) smtp.mailfrom=xxx at xxxxx.xxx
Reply-To: MailScanner warning: numerical links are often malicious: xxx at xxxxx.xxx
Precedence: list
Mailing-list: list business-education at googlegroups.com; contact business-education+owners at googlegroups.com
List-ID: <business-education.googlegroups.com>
X-Spam-Checked-In-Group: business-education at googlegroups.com
X-Google-Group-Id: 646963186979
List-Post: <https://groups.google.com/group/business-education/post>, MailScanner heeft een e-mail met mogelijk een poging tot fraude gevonden van "googlegroups.com" <mailto:business-education at googlegroups.com>
List-Help: <https://groups.google.com/support/>, MailScanner heeft een e-mail met mogelijk een poging tot fraude gevonden van "googlegroups.com" <mailto:business-education+help at googlegroups.com>
List-Archive: <https://groups.google.com/group/business-education
List-Unsubscribe: MailScanner heeft een e-mail met mogelijk een poging tot fraude gevonden van "googlegroups.com" <mailto:googlegroups-manage+646963186979+unsubscribe at googlegroups.com>, <https://groups.google.com/group/business-education/subscribe>
X-XXX-MailScanner-Information: Please contact the ISP for more information
X-XXX-MailScanner-ID: BC40B48E89.AA059
X-XXX-MailScanner: Found to be clean
X-XXX-MailScanner-From: business-education+bncbcgz73fdtyhrblo767sakgqeq2agr3q at googlegroups.com
X-Spam-Status: No
GP
On 3/29/19 1:08 PM, L.P.H. van Belle via MailScanner wrote:
Can you send me the header info?
-----Original message-----
From: MailScanner [mailto:mailscanner-bounces+belle=bazuin.nl at lists.mailscanner.info] On behalf of George Papamichelakis
Sent: Friday 29 March 2019 12:08
To: mailscanner at lists.mailscanner.info
Subject: Spammer with attachment that bypasses spamassassin
Hi all, I have an issue with one spammer who, due to the fact that he includes a PDF file in his email, bypasses the blacklist, and his email gets delivered to all the addresses that he has from the domain. Can I somehow force MailScanner to not bypass this particular sender due to message size? I use MailScanner 5.0.2 with Postfix on a Debian machine and the MailWatch 1.2.10 web interface. Thanks in advance, GP
-- MailScanner mailing list mailscanner at lists.mailscanner.info http://lists.mailscanner.info/mailman/listinfo/mailscanner
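As an added example (not from this thread and not MailScanner project code), here is a small POSIX shell script that turns the two suggestions in the reply above into something an admin can check: it parses "too big for spam checks" log lines like the one George quoted to list which envelope senders are being skipped on size alone, compares their sizes with a proposed Max Spam Check Size, and emits a SpamAssassin local.cf rule keyed on the smtp.mailfrom value in the X-Original-Authentication-Results header. The sample log lines, IP addresses and mail addresses are constructed (with "@" restored where the list archive shows "at"); the 1024 multiplier for the k/m/g suffixes, the rule name LOCAL_LIST_RELAY_MAILFROM and the score 5.0 are assumptions to adjust locally. Run on the sample, it also shows that the 2655956-byte message from the log is still larger than 2048k, whether k means 1000 or 1024, so the limit would have to be set higher than that for this particular message to reach SpamAssassin at all.

```shell
#!/bin/sh
# Added example (not from the thread): spot messages that MailScanner skipped
# for exceeding "Max Spam Check Size", check whether a proposed new limit
# would cover them, and emit a SpamAssassin rule for the envelope sender.

# Constructed sample log lines, modelled on the one quoted in the thread
# (the archive shows "at" where a real log line has "@").
SAMPLE_LOG='Mar 29 12:13:06 mx MailScanner[29247]: Message BC40B48E89.AA059 from 203.0.113.10 (business-education+bncbcgz73fdtyhrblo767sakgqeq2agr3q@googlegroups.com) to example.net is too big for spam checks (2655956 > 200000 bytes)
Mar 29 12:14:01 mx MailScanner[29247]: Message 1A2B3C4D5E.F0123 from 198.51.100.7 (sender@example.org) to example.net is too big for spam checks (350000 > 200000 bytes)
Mar 29 12:15:00 mx MailScanner[29247]: Message 0DEADBEEF0.12345 from 192.0.2.5 (someone@example.com) to example.net Spam Checks: Found to be clean'

# Convert a MailScanner size such as "200000" or "2048k" to bytes.
# Assumption: k/m/g are binary multiples (1024); confirm against your
# MailScanner version if the exact boundary matters.
size_to_bytes() {
    n=$(printf '%s' "$1" | sed 's/[^0-9]//g')
    [ -n "$n" ] || return 1
    case "$1" in
        *[kK]) echo $((n * 1024)) ;;
        *[mM]) echo $((n * 1024 * 1024)) ;;
        *[gG]) echo $((n * 1024 * 1024 * 1024)) ;;
        *)     echo "$n" ;;
    esac
}

# Read the configured limit (in bytes) from a MailScanner.conf-style file;
# fails if the setting is absent rather than guessing a default.
max_spam_check_size() {
    raw=$(sed -n 's/^Max Spam Check Size *= *//p' "$1" | tail -n 1)
    [ -n "$raw" ] || return 1
    size_to_bytes "$raw"
}

# stdin: MailScanner log lines; stdout: "<msgid> <envelope sender> <bytes>"
# for every message that was skipped because it exceeded the limit.
oversize_senders() {
    sed -n 's/.*Message \([^ ]*\) from [^ ]* (\([^)]*\)) to .* is too big for spam checks (\([0-9]*\) > [0-9]* bytes).*/\1 \2 \3/p'
}

# Exit 0 if a message of $1 bytes would be scanned under a limit of $2 bytes.
would_be_checked() {
    [ "$1" -le "$2" ]
}

# Emit a local.cf rule that scores the envelope sender seen in the
# X-Original-Authentication-Results header quoted in the thread.
# Rule name and score are assumptions; regex metacharacters are escaped.
sa_mailfrom_rule() {
    esc=$(printf '%s' "$1" | sed 's/[.@+]/\\&/g')
    printf 'header LOCAL_LIST_RELAY_MAILFROM X-Original-Authentication-Results =~ /smtp\\.mailfrom=%s/i\n' "$esc"
    printf 'score LOCAL_LIST_RELAY_MAILFROM 5.0\n'
    printf 'describe LOCAL_LIST_RELAY_MAILFROM Envelope sender of an abusive list relay\n'
}

# Stand-alone run over the constructed sample against the 2048k limit
# suggested in the thread.
limit=$(size_to_bytes 2048k)
printf '%s\n' "$SAMPLE_LOG" | oversize_senders | while read -r msgid sender size; do
    if would_be_checked "$size" "$limit"; then
        verdict="would be scanned at 2048k"
    else
        verdict="still skipped at 2048k"
    fi
    printf '%s %s %s bytes: %s\n' "$msgid" "$sender" "$size" "$verdict"
done
```

To use it against a live system, pipe the MailScanner syslog into oversize_senders and pass /etc/MailScanner/MailScanner.conf to max_spam_check_size instead of the sample values; the rule emitted by sa_mailfrom_rule goes into a local SpamAssassin .cf file and only has an effect once the message is actually small enough to be scanned.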