Re: Is there a kind of rate limit for same senders from different MX (Spam) ?

From: Robert Felber (r.felberek-muc.de)
Date: Thu Apr 26 2007 - 01:47:06 CDT


On Thu, Apr 26, 2007 at 08:33:57AM +0200, Alexander Grüner wrote:
> Hi,
>
> there is almost daily the situation that a new worm, spam etc. is going around.
>
> There is always the same pattern. The mail is coming e.g. from infofocus.de.
> The recipient is always different, but mostly valid (I have about 4000 users),
> but the sending MX is of course mostly different.

It is obviously not even an MX but some infected machine not belonging to
focus.de.

In my logs I have:

/var/log/mail/maillog.1.bz2:Apr 24 04:28:10 fpsvr1z150 postfix/policyd-weight[27307]: weighted check: NOT_IN_SBL_XBL_SPAMHAUS=-1.5 NOT_IN_SPAMCOP=-1.5 NOT_IN_BL_NJABL=-1.5 CL_IP_NE_HELO=1.5 RESOLVED_IP_IS_NOT_HELO=1.5 (check from: .focus. - helo: .northwestern. - helo-domain: .northwestern.) FROM_NOT_FAILED_HELO(DOMAIN)=3 <client=190.65.20.30> <helo=northwestern.edu> <from=infofocus.de> <to=xxxkuttendreier.de>, rate: 1.5

I use policyd-weight with defaults.
Note: CL_IP_NE_HELO and RESOLVED_IP_IS_NOT_HELO mean that neither the HELO A/MX
nor the sender-domain A/MX resolved to something related to 190.65.20.30/16.

Due to these results FROM_NOT_FAILED_HELO (focus.de != northwestern.edu)
scored 3 (in other cases it might not score that high).

I also have rejects for infofocus.de where the clients were listed in too many
DNSBLs.

You should also be able to catch most of it via selective greylisting.
Like http://lists.ee.ethz.ch/postgrey/msg01214.html

> Normally if I see something like this, I am going to manually block this sender
> (e.g. infofocus.de) for 2 days.

If you start to manually block infofocus.de, you start blocking someone
innocent.

--
    Robert Felber (PGP: 896CF30B)
    Munich, Germany
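The pattern Robert describes (one sender domain, many unrelated client IPs, HELO never matching the sender) can be pulled straight out of the policyd-weight "weighted check" lines. The following is an added example, not code from the post or from policyd-weight: it parses such lines, checks that the individual scores add up to the logged "rate:", and groups clients per sender domain by /16 (the granularity the note above mentions; treating it as the relation test is an assumption of this example). The first log line is the real one from the message; the other four lines, their IPs, HELOs and score values are constructed for illustration.

```python
"""Parse policyd-weight "weighted check" log lines and flag sender domains that
arrive from many unrelated client networks with a HELO/sender mismatch.

Added example; not code from the original post or from policyd-weight itself.
"""
import re
from collections import defaultdict
from ipaddress import ip_interface

# First line: the real one from the message (bzgrep file prefix dropped).
# Lines 2-5: constructed for this example; IPs, HELOs and scores are invented.
LOG_LINES = [
    "Apr 24 04:28:10 fpsvr1z150 postfix/policyd-weight[27307]: weighted check: NOT_IN_SBL_XBL_SPAMHAUS=-1.5 NOT_IN_SPAMCOP=-1.5 NOT_IN_BL_NJABL=-1.5 CL_IP_NE_HELO=1.5 RESOLVED_IP_IS_NOT_HELO=1.5 (check from: .focus. - helo: .northwestern. - helo-domain: .northwestern.) FROM_NOT_FAILED_HELO(DOMAIN)=3 <client=190.65.20.30> <helo=northwestern.edu> <from=infofocus.de> <to=xxxkuttendreier.de>, rate: 1.5",
    "Apr 24 05:11:02 fpsvr1z150 postfix/policyd-weight[27307]: weighted check: IN_SBL_XBL_SPAMHAUS=4.35 NOT_IN_SPAMCOP=-1.5 NOT_IN_BL_NJABL=-1.5 CL_IP_NE_HELO=1.5 RESOLVED_IP_IS_NOT_HELO=1.5 FROM_NOT_FAILED_HELO(DOMAIN)=3 <client=83.14.77.200> <helo=dsl-pool.example.net> <from=infofocus.de> <to=xxxkuttendreier.de>, rate: 7.35",
    "Apr 24 06:40:19 fpsvr1z150 postfix/policyd-weight[27307]: weighted check: NOT_IN_SBL_XBL_SPAMHAUS=-1.5 NOT_IN_SPAMCOP=-1.5 NOT_IN_BL_NJABL=-1.5 CL_IP_NE_HELO=1.5 RESOLVED_IP_IS_NOT_HELO=1.5 FROM_NOT_FAILED_HELO(DOMAIN)=3 <client=201.9.3.44> <helo=mail.customer.example> <from=infofocus.de> <to=xxxkuttendreier.de>, rate: 1.5",
    "Apr 24 06:52:33 fpsvr1z150 postfix/policyd-weight[27307]: weighted check: NOT_IN_SBL_XBL_SPAMHAUS=-1.5 NOT_IN_SPAMCOP=-1.5 NOT_IN_BL_NJABL=-1.5 CL_IP_NE_HELO=1.5 RESOLVED_IP_IS_NOT_HELO=1.5 FROM_NOT_FAILED_HELO(DOMAIN)=3 <client=190.65.21.9> <helo=pc-home.example.org> <from=infofocus.de> <to=xxxkuttendreier.de>, rate: 1.5",
    "Apr 24 07:03:58 fpsvr1z150 postfix/policyd-weight[27307]: weighted check: NOT_IN_SBL_XBL_SPAMHAUS=-1.5 NOT_IN_SPAMCOP=-1.5 NOT_IN_BL_NJABL=-1.5 CL_IP_EQ_HELO_IP=-3.1 <client=198.51.100.25> <helo=mx1.example.org> <from=newsletter.example.org> <to=xxxkuttendreier.de>, rate: -7.6",
]

# TAG=score pairs are upper-case names, optionally with a "(DOMAIN)" suffix.
TAG_RE = re.compile(r"\b([A-Z][A-Z_]*(?:\([A-Z_]+\))?)=(-?\d+(?:\.\d+)?)")
# <client=...> <helo=...> <from=...> <to=...>
FIELD_RE = re.compile(r"<(\w+)=([^>]*)>")
RATE_RE = re.compile(r"rate:\s*(-?\d+(?:\.\d+)?)")


def parse_line(line):
    """Return {'scores', 'fields', 'rate'} for a weighted-check line, else None."""
    m = RATE_RE.search(line)
    if "policyd-weight" not in line or m is None:
        return None
    return {
        "scores": {tag: float(val) for tag, val in TAG_RE.findall(line)},
        "fields": dict(FIELD_RE.findall(line)),
        "rate": float(m.group(1)),
    }


def parse_log(lines):
    return [rec for rec in map(parse_line, lines) if rec is not None]


def rate_matches(rec, tol=1e-6):
    """The logged rate should be the plain sum of the individual scores."""
    return abs(sum(rec["scores"].values()) - rec["rate"]) < tol


def client_net(ip, prefix=16):
    """Collapse a client IP to its /16 (assumption: that is the 'related' test)."""
    return str(ip_interface(f"{ip}/{prefix}").network)


def sender_spread(records):
    """Per sender domain: distinct client /16s, distinct HELOs, mismatch count."""
    spread = defaultdict(lambda: {"nets": set(), "helos": set(), "mismatch": 0})
    for rec in records:
        f = rec["fields"]
        entry = spread[f["from"]]
        entry["nets"].add(client_net(f["client"]))
        entry["helos"].add(f["helo"])
        if "CL_IP_NE_HELO" in rec["scores"]:
            entry["mismatch"] += 1
    return spread


def suspicious_senders(records, min_nets=3):
    """Sender domains seen from >= min_nets unrelated /16s, each with a HELO mismatch."""
    return sorted(
        sender for sender, e in sender_spread(records).items()
        if len(e["nets"]) >= min_nets and e["mismatch"] >= min_nets
    )


if __name__ == "__main__":
    recs = parse_log(LOG_LINES)
    for sender, e in sender_spread(recs).items():
        print(f"{sender}: {len(e['nets'])} /16s, {len(e['helos'])} HELOs, "
              f"{e['mismatch']} HELO mismatches")
    print("suspicious:", suspicious_senders(recs))
```

The point of the grouping is the one made in the reply: the same envelope sender showing up from unrelated networks with unrelated HELOs is the signature of infected clients, not of the sender's MX, which is why scoring the client (DNSBLs, HELO consistency, greylisting) is the right lever and a sender-domain block is not.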