From: Robert Felber (r.felberek-muc.de)
Date: Thu Apr 26 2007 - 01:47:06 CDT
On Thu, Apr 26, 2007 at 08:33:57AM +0200, Alexander Grüner wrote:
> Almost daily there is the situation that a new worm, spam, etc. is going around.
> There is always the same pattern. The mail is coming e.g. from infofocus.de.
> The recipient is always different, but mostly valid (I have about 4000 users),
> but the sending MX is of course mostly different.
It is obviously not even an MX but some infected machine not belonging to
In my logs I have:
/var/log/mail/maillog.1.bz2:Apr 24 04:28:10 fpsvr1z150 postfix/policyd-weight: weighted check: NOT_IN_SBL_XBL_SPAMHAUS=-1.5 NOT_IN_SPAMCOP=-1.5 NOT_IN_BL_NJABL=-1.5 CL_IP_NE_HELO=1.5 RESOLVED_IP_IS_NOT_HELO=1.5 (check from: .focus. - helo: .northwestern. - helo-domain: .northwestern.) FROM_NOT_FAILED_HELO(DOMAIN)=3 <client=126.96.36.199> <helo=northwestern.edu> <from=infofocus.de> <to=xxxkuttendreier.de>, rate: 1.5
I use policyd-weight with defaults.
Note: CL_IP_NE_HELO and RESOLVED_IP_IS_NOT_HELO mean that neither HELO A/MX nor
sender-domain A/MX resolved to something related to 188.8.131.52/16.
Due to these results FROM_NOT_FAILED_HELO (focus.de != northwestern.edu)
scored 3 (in other cases it might not score that high).
I have also rejects for infofocus.de where clients were listed in too many
You should also be able to catch most of it via selective greylisting.
> Normally if I see something like this, I am going to manually block this sender
> (e.g. infofocus.de) for 2 days.
If you start to manually block infofocus.de you start to block someone
Robert Felber (PGP: 896CF30B)
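As an added example (it is neither policyd-weight's own code nor anything posted in the thread), the Python script below parses the "weighted check" line Robert quoted, confirms that the individual scores add up to the logged rate of 1.5, and then re-derives the same six scores from a simplified model of the checks as he describes them: the HELO's and the sender domain's A/MX addresses are compared against the client's /16, and only when both fail does the from-domain versus HELO-domain mismatch add its 3. The DNS answers, the /16 "related" test, the domain normalisation, the treatment of a DNSBL-listed client (it merely forfeits the NOT_IN_ bonus) and the reject threshold of 1.0 are all assumptions made for the example; policyd-weight's real logic is more involved.

```python
"""Re-derive the policyd-weight score from the log line in the post.
Added example, not policyd-weight's code. DNS data, the '/16 related' test,
the domain normalisation and the reject threshold are assumptions."""
import ipaddress
import re

# The 'weighted check' line quoted in the post, without the grep file prefix.
LOG_LINE = (
    "Apr 24 04:28:10 fpsvr1z150 postfix/policyd-weight: weighted check: "
    "NOT_IN_SBL_XBL_SPAMHAUS=-1.5 NOT_IN_SPAMCOP=-1.5 NOT_IN_BL_NJABL=-1.5 "
    "CL_IP_NE_HELO=1.5 RESOLVED_IP_IS_NOT_HELO=1.5 (check from: .focus. - helo: "
    ".northwestern. - helo-domain: .northwestern.) FROM_NOT_FAILED_HELO(DOMAIN)=3 "
    "<client=126.96.36.199> <helo=northwestern.edu> <from=infofocus.de> "
    "<to=xxxkuttendreier.de>, rate: 1.5"
)

# Weights exactly as they appear in that line (the post says defaults are in use).
WEIGHTS = {
    "NOT_IN_SBL_XBL_SPAMHAUS": -1.5,
    "NOT_IN_SPAMCOP": -1.5,
    "NOT_IN_BL_NJABL": -1.5,
    "CL_IP_NE_HELO": 1.5,
    "RESOLVED_IP_IS_NOT_HELO": 1.5,
    "FROM_NOT_FAILED_HELO(DOMAIN)": 3.0,
}

# Constructed DNS view (A and already-resolved MX addresses per domain). The
# documentation-range addresses are unrelated to client 126.96.36.199 on
# purpose, which is the situation the log line reports.
FAKE_A = {"northwestern.edu": ["203.0.113.10"], "infofocus.de": ["198.51.100.20"]}
FAKE_MX = {"northwestern.edu": ["203.0.113.25"], "infofocus.de": ["198.51.100.25"]}

_SCORE_RE = re.compile(r"\b([A-Z][A-Z_]*(?:\([A-Z_]+\))?)=(-?\d+(?:\.\d+)?)")
_FIELD_RE = re.compile(r"<(client|helo|from|to)=([^>]*)>")
_RATE_RE = re.compile(r"rate:\s*(-?\d+(?:\.\d+)?)")


def parse_weighted_check(line):
    """Split a 'weighted check:' line into per-test scores, envelope fields, rate."""
    scores = {name: float(val) for name, val in _SCORE_RE.findall(line)}
    fields = dict(_FIELD_RE.findall(line))
    match = _RATE_RE.search(line)
    return {"scores": scores, "fields": fields,
            "rate": float(match.group(1)) if match else None}


def rate_is_consistent(parsed):
    """True when the logged per-test scores add up to the logged rate."""
    return abs(sum(parsed["scores"].values()) - parsed["rate"]) < 1e-9


def related_to_client(client_ip, domain, a_records, mx_records):
    """Does any A or MX address of `domain` share the client's /16? (assumed test)"""
    net = ipaddress.ip_network(f"{client_ip}/16", strict=False)
    addrs = a_records.get(domain, []) + mx_records.get(domain, [])
    return any(ipaddress.ip_address(ip) in net for ip in addrs)


def registrable(domain):
    """Label before the TLD, for the from-vs-HELO comparison. policyd-weight's own
    normalisation (it logged '.focus.' for infofocus.de) is not reproduced."""
    labels = domain.lower().rstrip(".").split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]


def score_session(client_ip, helo, sender_domain, a_records, mx_records, listed_in=()):
    """Simplified model of the six tests in the log line; returns {test: weight}.
    listed_in: DNSBLs that list the client; a listed client just loses the bonus."""
    fired = {}
    for dnsbl in ("SBL_XBL_SPAMHAUS", "SPAMCOP", "BL_NJABL"):
        if dnsbl not in listed_in:
            fired["NOT_IN_" + dnsbl] = WEIGHTS["NOT_IN_" + dnsbl]
    helo_ok = related_to_client(client_ip, helo, a_records, mx_records)
    from_ok = related_to_client(client_ip, sender_domain, a_records, mx_records)
    if not helo_ok:
        fired["CL_IP_NE_HELO"] = WEIGHTS["CL_IP_NE_HELO"]
    if not from_ok:
        fired["RESOLVED_IP_IS_NOT_HELO"] = WEIGHTS["RESOLVED_IP_IS_NOT_HELO"]
    # Only once both resolutions failed does a from/HELO domain mismatch add its 3.
    if not helo_ok and not from_ok and registrable(sender_domain) != registrable(helo):
        fired["FROM_NOT_FAILED_HELO(DOMAIN)"] = WEIGHTS["FROM_NOT_FAILED_HELO(DOMAIN)"]
    return fired


def decide(fired, reject_level=1.0):
    """Sum the fired weights; reject_level=1.0 is an assumption for this example."""
    rate = sum(fired.values())
    return rate, ("reject" if rate >= reject_level else "accept")


if __name__ == "__main__":
    parsed = parse_weighted_check(LOG_LINE)
    print("logged rate", parsed["rate"], "consistent:", rate_is_consistent(parsed))
    f = parsed["fields"]
    fired = score_session(f["client"], f["helo"], f["from"], FAKE_A, FAKE_MX)
    print("model reproduces log:", fired == parsed["scores"], decide(fired))
    # Same forged session from a client that all three DNSBLs list: no bonus.
    listed = score_session(f["client"], f["helo"], f["from"], FAKE_A, FAKE_MX,
                           listed_in={"SBL_XBL_SPAMHAUS", "SPAMCOP", "BL_NJABL"})
    print("listed client:", decide(listed))
```

Run it as-is to see the logged 1.5 reproduced; the point of the model is that the three DNSBL "bonuses" (-4.5) are what keeps a clean-but-forged session this close to the threshold, so the same HELO from a listed client lands at 6.0, which matches the observation that rejects came from clients listed in several lists rather than from the sender domain itself.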