<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD>
<META http-equiv=Content-Type content="text/html; charset=us-ascii">
<META content="MSHTML 6.00.6000.16788" name=GENERATOR></HEAD>
<BODY>
<DIV dir=ltr align=left><SPAN class=619504815-04022009><FONT face=Arial
color=#0000ff size=2>Well, on some of them... With a bit of luck, it'll
only be a few infected boxes.</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN class=619504815-04022009><FONT face=Arial
color=#0000ff size=2></FONT></SPAN> </DIV>
<DIV dir=ltr align=left><SPAN class=619504815-04022009><FONT face=Arial
color=#0000ff size=2>You'd need a meta rule in SA and two "Received" matches -
the IP of the client's MTA and the infected PC's internal
IP.</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN class=619504815-04022009><FONT face=Arial
color=#0000ff size=2></FONT></SPAN> </DIV>
<DIV dir=ltr align=left><SPAN class=619504815-04022009><FONT face=Arial
color=#0000ff size=2>Cheers,</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN class=619504815-04022009><FONT face=Arial
color=#0000ff size=2></FONT></SPAN> </DIV>
<DIV dir=ltr align=left><SPAN class=619504815-04022009><FONT face=Arial
color=#0000ff size=2>Phil</FONT></SPAN></DIV>
<DIV> </DIV><!-- Converted from text/rtf format -->
<P><FONT face=Arial size=2>--</FONT> <BR><FONT face=Arial size=2>Phil Randal |
Networks Engineer</FONT> <BR><FONT face=Arial size=2>Herefordshire Council |
Deputy Chief Executive's Office | I.C.T. Services Division</FONT> <BR><FONT
face=Arial size=2>Thorn Office Centre, Rotherwas, Hereford, HR2 6JT</FONT>
<BR><FONT face=Arial size=2>Tel: 01432 260160</FONT> <BR><FONT face=Arial
size=2>email: prandal@herefordshire.gov.uk</FONT> </P>
<P><FONT face=Arial size=2>Any opinion expressed in this e-mail or any attached
files are those of the individual and not necessarily those of Herefordshire
Council.</FONT></P>
<P><FONT face=Arial size=2>This e-mail and any attached files are confidential
and intended solely for the use of the addressee. This communication may contain
material protected by law from being passed on. If you are not the intended
recipient and have received this e-mail in error, you are advised that any use,
dissemination, forwarding, printing or copying of this e-mail is strictly
prohibited. If you have received this e-mail in error please contact the sender
immediately and destroy all copies of it.</FONT></P>
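<DIV dir=ltr align=left><FONT face=Arial size=2>Added example (not from the thread): a SpamAssassin local.cf fragment implementing the two "Received" matches plus meta rule described above. The client MTA host name and every IP address in it are constructed placeholders.</FONT></DIV>

```spamassassin
# Constructed example for local.cf; not from the mailing-list thread.
# Placeholders (replace with real values):
#   192.0.2.10          - the client's MTA, as seen by our MailScanner host
#   mail.client.example - the client's MTA host name as it writes it in "by"
#   10.0.0.23/10.0.0.57 - internal addresses of the PCs found in the headers

# Hop 1: our own MTA recorded the bracketed address when it accepted the
# message from the client's MTA, so this part cannot be forged by the sender.
header   __LOCAL_RCVD_FROM_CLIENT_MTA  Received =~ /from \S+ \([^)]*\[192\.0\.2\.10\]\)/

# Hop 2: the Received line written by the client's MTA names the internal
# host that submitted the message. Anchoring on "by mail.client.example"
# keeps a private address in some other customer's headers from matching.
header   __LOCAL_RCVD_FROM_INFECTED_PC Received =~ /\[(?:10\.0\.0\.23|10\.0\.0\.57)\]\)\s+by mail\.client\.example\b/

# The "__" prefix marks sub-rules that score nothing on their own;
# only the meta rule adds to the total.
meta     LOCAL_OUTBOUND_INFECTED (__LOCAL_RCVD_FROM_CLIENT_MTA && __LOCAL_RCVD_FROM_INFECTED_PC)
describe LOCAL_OUTBOUND_INFECTED Relayed via client MTA from a known-infected internal host
score    LOCAL_OUTBOUND_INFECTED 10.0
```

<DIV dir=ltr align=left><FONT face=Arial size=2>Run <CODE>spamassassin --lint</CODE> after adding it, and review a sample of the mail it flags before setting the score above your spam threshold.</FONT></DIV>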
<DIV> </DIV><BR>
<DIV class=OutlookMessageHeader lang=en-us dir=ltr align=left>
<HR tabIndex=-1>
<FONT face=Tahoma size=2><B>From:</B> mailscanner-bounces@lists.mailscanner.info
[mailto:mailscanner-bounces@lists.mailscanner.info] <B>On Behalf Of </B>Eduardo
Casarero<BR><B>Sent:</B> 04 February 2009 15:38<BR><B>To:</B> MailScanner
discussion<BR><B>Subject:</B> Re: Filtering OutBound SPAM<BR></FONT><BR></DIV>
<DIV></DIV><BR><BR>
<DIV class=gmail_quote>2009/2/4 Randal, Phil <SPAN dir=ltr><<A
href="mailto:prandal@herefordshire.gov.uk">prandal@herefordshire.gov.uk</A>></SPAN><BR>
<BLOCKQUOTE class=gmail_quote
style="PADDING-LEFT: 1ex; MARGIN: 0pt 0pt 0pt 0.8ex; BORDER-LEFT: rgb(204,204,204) 1px solid">
<DIV>
<DIV dir=ltr align=left><SPAN><FONT face=Arial color=#0000ff size=2>Whilst
everything comes from the same IP (client's MTA), the Received headers should
have the infected box's IP address.</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN><FONT face=Arial color=#0000ff
size=2></FONT></SPAN> </DIV>
<DIV dir=ltr align=left><SPAN><FONT face=Arial color=#0000ff size=2>Give
that/those a high score in spamassassin, and tell the client to clean their
infected PCs.</FONT></SPAN></DIV>
<DIV><FONT face=Arial color=#0000ff
size=2></FONT> </DIV></DIV></BLOCKQUOTE>
<DIV><BR>You mean manually check headers? And then add a high
score?<BR> </DIV>
<BLOCKQUOTE class=gmail_quote
style="PADDING-LEFT: 1ex; MARGIN: 0pt 0pt 0pt 0.8ex; BORDER-LEFT: rgb(204,204,204) 1px solid">
<DIV>
<DIV></DIV>
<DIV><SPAN><FONT face=Arial color=#0000ff size=2>Cheers,</FONT></SPAN></DIV>
<DIV><SPAN><FONT face=Arial color=#0000ff size=2></FONT></SPAN> </DIV>
<DIV><SPAN><FONT face=Arial color=#0000ff size=2>Phil</FONT></SPAN></DIV>
<DIV> </DIV><BR>
<DIV lang=en-us dir=ltr align=left>
<HR>
<FONT face=Tahoma size=2><B>From:</B> <A
href="mailto:mailscanner-bounces@lists.mailscanner.info"
target=_blank>mailscanner-bounces@lists.mailscanner.info</A> [mailto:<A
href="mailto:mailscanner-bounces@lists.mailscanner.info"
target=_blank>mailscanner-bounces@lists.mailscanner.info</A>] <B>On Behalf Of
</B>Eduardo Casarero<BR><B>Sent:</B> 04 February 2009 15:22<BR><B>To:</B>
MailScanner discussion<BR><B>Subject:</B> OT: Filtering OutBound
SPAM<BR></FONT><BR></DIV>
<DIV></DIV>Hi, I've a rare scenario with one of my customers and I thought that
someone from here could give me some fresh(?) ideas.<BR><BR>My client has its
own MTA (which I don't manage, nor have access to logs, etc.) and it sends
all outbound traffic to my server that has (MScanner, SA, clamav, dcc, pyzor,
razor, some custom rules, etc.).<BR><BR>The problem I've right now is that (I
assume) some malware stole valid user/passwords to authenticate in the SMTP
server of my client, so tons of spam are trying to get out to the internet through
my server.<BR><BR>Although all anti-spam stuff seems to work, I need some new
countermeasures to stop this at MailScanner stage (I can't do anything at MTA
level because everything comes from the same IP).<BR><BR>Any
idea?<BR><BR>Something like my own checksum repository, or URL blacklist, or
header authentication matching, etc.<BR><BR>Any help would be
appreciated.<BR><BR>Eduardo.<BR></DIV><BR>--<BR>MailScanner mailing list<BR><A
href="mailto:mailscanner@lists.mailscanner.info">mailscanner@lists.mailscanner.info</A><BR><A
href="http://lists.mailscanner.info/mailman/listinfo/mailscanner"
target=_blank>http://lists.mailscanner.info/mailman/listinfo/mailscanner</A><BR><BR>Before
posting, read <A href="http://wiki.mailscanner.info/posting"
target=_blank>http://wiki.mailscanner.info/posting</A><BR><BR>Support
MailScanner development - buy the book off the
website!<BR><BR></BLOCKQUOTE></DIV><BR></BODY></HTML>