<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD>
<META http-equiv=Content-Type content="text/html; charset=us-ascii">
<META content="MSHTML 6.00.6000.16788" name=GENERATOR></HEAD>
<BODY>
<DIV dir=ltr align=left><SPAN class=133442915-04022009><FONT face=Arial
color=#0000ff size=2>Whilst everything comes from the same IP (client's MTA),
the Received headers should have the infected box's IP
address.</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN class=133442915-04022009><FONT face=Arial
color=#0000ff size=2></FONT></SPAN> </DIV>
<DIV dir=ltr align=left><SPAN class=133442915-04022009><FONT face=Arial
color=#0000ff size=2>Give that/those a high score in SpamAssassin, and tell the
client to clean their infected PCs.</FONT></SPAN></DIV>
<DIV><FONT face=Arial color=#0000ff size=2></FONT> </DIV>
<DIV><SPAN class=133442915-04022009><FONT face=Arial color=#0000ff
size=2>Cheers,</FONT></SPAN></DIV>
<DIV><SPAN class=133442915-04022009><FONT face=Arial color=#0000ff
size=2></FONT></SPAN> </DIV>
<DIV><SPAN class=133442915-04022009><FONT face=Arial color=#0000ff
size=2>Phil</FONT></SPAN></DIV>
<DIV><SPAN class=133442915-04022009></SPAN><FONT face=Arial size=2>--</FONT>
<BR><FONT face=Arial size=2>Phil Randal | Networks Engineer</FONT> <BR><FONT
face=Arial size=2>Herefordshire Council | Deputy Chief Executive's Office |
I.C.T. Services Division</FONT> <BR><FONT face=Arial size=2>Thorn Office Centre,
Rotherwas, Hereford, HR2 6JT</FONT> <BR><FONT face=Arial size=2>Tel: 01432
260160</FONT> <BR><FONT face=Arial size=2>email:
prandal@herefordshire.gov.uk</FONT> </DIV>
<DIV> </DIV><BR>
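<P>An added example, not part of the original e-mails: one way to apply the suggestion above is to read the hop that the client's MTA itself recorded in each message's Received headers, count the internal IPs, and turn the busiest ones into SpamAssassin header rules. The hostnames, IP addresses, sample messages and the LOCAL_INFECTED_n rule names are constructed for illustration.</P>

```python
import re
from collections import Counter
from email import message_from_string

CLIENT_MTA = "mail.client.example"  # assumption: name the client's MTA stamps after "by"
# "from HELO (rdns [IP]) by HOST": capture the bracketed IPv4 and the recording host.
HOP_RE = re.compile(r"from\s.*?\[(\d{1,3}(?:\.\d{1,3}){3})\].*?\bby\s+(\S+)", re.S)

def submitting_ip(raw_message):
    """IP the client's MTA recorded for the host that handed it this message."""
    for hop in message_from_string(raw_message).get_all("Received", []):
        m = HOP_RE.search(hop)
        # Hops are prepended, so the topmost one written by the client's MTA is
        # genuine; anything below it arrived with the message and may be forged.
        if m and m.group(2).lower() == CLIENT_MTA:
            return m.group(1)
    return None

def suspects(raw_messages, threshold):
    """(ip, count) pairs for internal hosts seen on at least `threshold` messages."""
    counts = Counter(ip for ip in map(submitting_ip, raw_messages) if ip)
    return [(ip, n) for ip, n in counts.most_common() if n >= threshold]

def sa_rules(ips, score=10.0):
    """SpamAssassin local.cf lines scoring mail whose Received headers name each IP."""
    out = []
    for i, ip in enumerate(ips, 1):
        name = "LOCAL_INFECTED_%d" % i  # hypothetical rule name
        out.append("header %s Received =~ /\\[%s\\]/" % (name, re.escape(ip)))
        out.append("describe %s Sent via a host reported as infected" % name)
        out.append("score %s %.1f" % (name, score))
    return "\n".join(out)

def sample(ip, forged_ip=None):
    """Constructed message: filter server hop on top, client MTA hop beneath it."""
    text = ("Received: from mail.client.example (mail.client.example [203.0.113.10])\n"
            "\tby filter.example.net with ESMTP; Wed, 4 Feb 2009 15:00:00 +0000\n"
            "Received: from pc (unknown [%s])\n"
            "\tby mail.client.example with ESMTPA; Wed, 4 Feb 2009 14:59:58 +0000\n" % ip)
    if forged_ip:  # a hop the sender pasted in itself, below the genuine ones
        text += ("Received: from x (x [%s])\n\tby mail.client.example with SMTP;"
                 " Wed, 4 Feb 2009 14:00:00 +0000\n" % forged_ip)
    return text + "Subject: constructed sample\n\nbody\n"

SAMPLES = [sample("10.1.2.17"), sample("10.1.2.17", forged_ip="10.1.2.99"),
           sample("10.1.2.17"), sample("10.1.2.40")]

if __name__ == "__main__":
    print(sa_rules([ip for ip, _ in suspects(SAMPLES, threshold=3)]))
```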
<DIV class=OutlookMessageHeader lang=en-us dir=ltr align=left>
<HR tabIndex=-1>
<FONT face=Tahoma size=2><B>From:</B> mailscanner-bounces@lists.mailscanner.info
[mailto:mailscanner-bounces@lists.mailscanner.info] <B>On Behalf Of </B>Eduardo
Casarero<BR><B>Sent:</B> 04 February 2009 15:22<BR><B>To:</B> MailScanner
discussion<BR><B>Subject:</B> OT: Filtering OutBound SPAM<BR></FONT><BR></DIV>
<DIV></DIV>Hi, I've a rare scenario with one of my customers and I thought that
someone from here could give me some fresh(?) ideas.<BR><BR>My client has its
own MTA (which I don't manage, nor have access to logs, etc) and it sends all
outbound traffic to my server that has (MScanner, SA, clamav, dcc, pyzor, razor,
some custom rules, etc).<BR><BR>The problem I've right now is that (I assume)
some malware stole valid user/passwords to authenticate in the SMTP server of my
client, so tons of spam are trying to get out to internet through my
server.<BR><BR>Although all anti-spam stuff seems to work, I need some new
countermeasures to stop this at MailScanner stage (I can't do anything at MTA
level because everything comes from the same IP).<BR><BR>Any
idea?<BR><BR>Something like my own checksum repository, or URL blacklist, or
header authentication matching, etc.<BR><BR>Any help would be
appreciated.<BR><BR>Eduardo.<BR></BODY></HTML>