I'm running CBQ 4.6 patched up to date. What am I missing?
Thanks
Colin
> -----Original Message-----
> From: Arthur Sherman [mailto:arturs (at mark) netvision.net.il]
> Sent: Thursday, January 18, 2007 9:56 PM
> To: coba-e (at mark) bluequartz.org
> Subject: [coba-e:08612] Re: Stemming returned undeliverables from spoofed spam
>
> Upgrade your SA and MS install.
>
>
> Best,
>
> --
> Arthur Sherman
>
> +972-52-4878851
> CPTeam
>
> > -----Original Message-----
> > From: Colin Jack [mailto:colin (at mark) mainline.co.uk]
> > Sent: Thursday, January 18, 2007 11:17 PM
> > To: coba-e (at mark) bluequartz.org
> > Subject: [coba-e:08611] Re: Stemming returned undeliverables
> > from spoofed spam
> >
> > Does it matter how far down the message the match is? This is a sample
> > message:
> >
> > --- snip ---
> >
> > Message 12:
> > From MAILER-DAEMON (at mark) server1.mainline.co.uk Thu Jan 18 21:09:32 2007
> > X-Spam-Checker-Version: SpamAssassin 3.1.1 (2006-03-10) on
> > server1.mainline.co.uk
> > X-Spam-Level: **
> > X-Spam-Status: No, score=2.4 required=5.0 tests=BAYES_50,
> > MSGID_FROM_MTA_HEADER,MSGID_FROM_MTA_ID,NO_REAL_NAME
> > autolearn=no
> > version=3.1.1
> > Date: 18 Jan 2007 21:09:25 -0000
> > From: MAILER-DAEMON (at mark) mail10.opentransfer.com
> > To: harry (at mark) fast-mail.net
> > MIME-Version: 1.0
> > Content-Type: multipart/mixed;
> > boundary="1169154565mail10.opentransfer.com770590"
> > Subject: failure notice
> > X-Mainline-MailScanner-Information: Please contact the ISP for more
> > information
> > X-Mainline-MailScanner: Found to be clean
> > X-Mainline-MailScanner-From:
> >
> > --1169154565mail10.opentransfer.com770590
> >
> > Hi. This is the qmail-send program at mail10.opentransfer.com.
> > I'm afraid I wasn't able to deliver your message to the following
> > addresses.
> > This is a permanent error; I've given up. Sorry it didn't work out.
> >
> > <catchall (at mark) posteverywhere.com>:
> > This message is looping: it already has my Delivered-To line. (#5.4.6)
> >
> > --- Enclosed are the original headers of the message.
> >
> > --
> > This message has been scanned for viruses and
> > dangerous content by the Mainline Internet MailScanner, and is
> > believed to be clean.
> >
> >
> > --1169154565mail10.opentransfer.com770590
> > Content-Type: message/rfc822
> >
> > Return-Path: <harry (at mark) fast-mail.net>
> > Received: (qmail 22197 invoked by uid 399); 18 Jan 2007 21:09:19 -0000
> > Delivered-To: sales (at mark) posteverywhere.com
> > Received: (qmail 22014 invoked by uid 399); 18 Jan 2007 21:09:14 -0000
> > Delivered-To: posteverywhere.com-catchall (at mark) posteverywhere.com
> > Received: (qmail 21841 invoked by uid 399); 18 Jan 2007 21:09:09 -0000
> > Delivered-To: notify (at mark) posteverywhere.com
> > Received: (qmail 21639 invoked by uid 399); 18 Jan 2007 21:09:04 -0000
> > X-Virus-Scan: Scanned by clamdmail 0.15 (no viruses);
> > Thu, 18 Jan 2007 15:09:09 -0600
> > Received: from unknown (HELO 21.1.98-84.rev.gaoland.net) (84.98.1.21)
> > by mail10.opentransfer.com with SMTP; 18 Jan 2007 21:09:04 -0000
> > Received: from 212.21.100.75 (HELO mxcluster.mainline.co.uk)
> > by posteverywhere.com with esmtp (3.L+F.0:K( ,G1(7*)
> > id /245=N-4Q1RQ?-BM
> > for notify (at mark) posteverywhere.com; Thu, 18 Jan 2007 21:49:39 -0060
> > Message-ID: <01c73b4a$8d7b1160$6c822ecf@harry>
> >
> > -- end snip --
> >
> > Any other ideas anyone?
> >
> > Thanks
> >
> > Colin
> >
> >
> > > -----Original Message-----
> > > From: Colin Jack [mailto:colin (at mark) mainline.co.uk]
> > > Sent: Wednesday, January 17, 2007 7:09 AM
> > > To: coba-e (at mark) bluequartz.org
> > > Subject: [coba-e:08602] Re: Stemming returned undeliverables
> > > from spoofed spam
> > >
> > > Okay thanks ... what does the * do before ^?
> > > It's a wildcard isn't it?
> > >
> > > You can see I'm not up to speed on procmail ;)
> > >
> > > Thanks
> > >
> > > Colin
> > >
> > > > -----Original Message-----
> > > > From: Paul Aviles [mailto:paul.aviles (at mark) nickelnetworks.com]
> > > > Sent: Wednesday, January 17, 2007 3:17 AM
> > > > To: Colin Jack
> > > > Subject: RE: [coba-e:08588] Re: Stemming returned undeliverables from
> > > > spoofed spam
> > > >
> > > > I think you have an extra ":". Try
> > > >
> > > > :0
> > > > * ^Received: from 212.21.100.75 (HELO mxcluster.mainline.co.uk)
> > > > /dev/null
> > > >
> > > > Or something like this..
> > > >
> > > > :0
> > > > * ^Received:.*212.21.100.75.*
> > > > /dev/null
> > > >
> > > > Make sure you are not blocking the servers from sending or rec
> > > > email....
> > > >
> > > > Let me know if it works.
> > > >
> > > > -pa
> > > >
> > > > -----Original Message-----
> > > > From: Colin Jack [mailto:colin (at mark) mainline.co.uk]
> > > > Sent: Tuesday, January 16, 2007 10:27 AM
> > > > To: Paul Aviles
> > > > Subject: RE: [coba-e:08588] Re: Stemming returned undeliverables from
> > > > spoofed spam
> > > >
> > > > Thanks Paul,
> > > >
> > > > The string from the original email (which is included in the
> > > > bounce) is
> > > >
> > > > Received: from 212.21.100.75 (HELO mxcluster.mainline.co.uk)
> > > >
> > > > So what about this in procmailrc?
> > > >
> > > > :0:
> > > > ^Received: from 212.21.100.75 (HELO mxcluster.mainline.co.uk)
> > > > /dev/null
> > > >
> > > > Much appreciated
> > > >
> > > > Colin
> > > >
> > > > > -----Original Message-----
> > > > > From: Paul Aviles [mailto:paul.aviles (at mark) nickelnetworks.com]
> > > > > Sent: Tuesday, January 16, 2007 1:22 PM
> > > > > To: Colin Jack
> > > > > Subject: RE: [coba-e:08588] Re: Stemming returned undeliverables from
> > > > > spoofed spam
> > > > >
> > > > > Colin, yes, send me the specifics and will send you the modifications
> > > > > to sendmail.mc or either procmail to /dev/null them.
> > > > >
> > > > > Regards,
> > > > >
> > > > > Paul Aviles
> > > > > Nickel Networks
> > > > >
> > > > >
> > > > > -----Original Message-----
> > > > > From: Colin Jack [mailto:colin (at mark) mainline.co.uk]
> > > > > Sent: Tuesday, January 16, 2007 5:34 AM
> > > > > To: coba-e (at mark) bluequartz.org
> > > > > Subject: [coba-e:08588] Re: Stemming returned undeliverables from
> > > > > spoofed spam
> > > > >
> > > > > I have found a header in the emails that is unique to the scatter (the
> > > > > original spam email has spoofed the sending server but got the host
> > > > > name slightly wrong).
> > > > >
> > > > > Yes we are using all the usual anti-spam techniques ... this is just
> > > > > 'scatter' from other mail servers.
> > > > >
> > > > > Colin
> > > > >
> > > > > > -----Original Message-----
> > > > > > From: Paul Aviles [mailto:paul.aviles (at mark) nickelnetworks.com]
> > > > > > Sent: Monday, January 15, 2007 9:31 PM
> > > > > > To: coba-e (at mark) bluequartz.org
> > > > > > Subject: [coba-e:08577] Re: Stemming returned undeliverables from
> > > > > > spoofed spam
> > > > > >
> > > > > > Colin, those 500 messages are all from different IP's? and you are
> > > > > > using the common black list, greeting pause etc?
> > > > > > What about the type of messages? Can you filter by certain type of
> > > > > > mime messages, attachment type, words in the subject or in the body of
> > > > > > the email?
> > > > > >
> > > > > > Regards,
> > > > > >
> > > > > > Paul Aviles
> > > > > > Nickel Networks
> > > > > >
> > > > > > -----Original Message-----
> > > > > > From: Colin Jack [mailto:colin (at mark) mainline.co.uk]
> > > > > > Sent: Monday, January 15, 2007 4:15 PM
> > > > > > To: coba-e (at mark) bluequartz.org
> > > > > > Subject: [coba-e:08574] Re: Stemming returned undeliverables from
> > > > > > spoofed spam
> > > > > >
> > > > > > I don't think you understand the problem.
> > > > > >
> > > > > > My clients are receiving mailer_daemon messages from servers all over
> > > > > > the world rejecting spam, and because the From:
> > > > > > address has been spoofed (using my clients' addresses) in the original
> > > > > > spam, they are getting these messages. This is what I'm trying to
> > > > > > filter out.
> > > > > >
> > > > > > I need to look at the milter-null idea a bit further, this looks
> > > > > > interesting. Thanks Adam.
> > > > > >
> > > > > > Regards
> > > > > >
> > > > > > Colin
> > > > > >
> > > > > > > -----Original Message-----
> > > > > > > From: Paul Aviles [mailto:paul.aviles (at mark) nickelnetworks.com]
> > > > > > > Sent: Monday, January 15, 2007 7:36 PM
> > > > > > > To: coba-e (at mark) bluequartz.org
> > > > > > > Subject: [coba-e:08572] Re: Stemming returned undeliverables from
> > > > > > > spoofed spam
> > > > > > >
> > > > > > > Block the IP address from connecting to your box. If it is a spammer and
> > > > > > > you are getting that many connections there must be something in
> > > > > > > common, either a range of IP's, domains or something to block.
> > > > > > >
> > > > > > > Regards,
> > > > > > >
> > > > > > > Paul Aviles
> > > > > > > Nickel Networks
> > > > > > >
> > > > > > > -----Original Message-----
> > > > > > > From: Colin Jack [mailto:colin (at mark) mainline.co.uk]
> > > > > > > Sent: Monday, January 15, 2007 12:52 PM
> > > > > > > To: coba-e (at mark) bluequartz.org
> > > > > > > Subject: [coba-e:08568] Stemming returned undeliverables from spoofed
> > > > > > > spam
> > > > > > >
> > > > > > > I'm looking for some ideas from the more experienced guys out there.
> > > > > > >
> > > > > > > We have a number of clients who are being flooded with 'undeliverable'
> > > > > > > messages where a spammer has used their email address in the header
> > > > > > > for the From: field and they are getting all the bounces. Has anybody any idea
> > > > > > > how I might help stem the flow - one guy is getting 500 an hour and
> > > > > > > this has been going on for a week! Needless to say it is not helping
> > > > > > > my server load either!
> > > > > > >
> > > > > > > Using BQ 4.6 ... patched up to date.
> > > > > > >
> > > > > > > Thanks in anticipation.
> > > > > > >
> > > > > > > Colin
> > > > > > >
> > > > > > >
> > > > > > >
> > > > > > >
> > > > > > >
> > > > > >
> > > > > >
> > > > > >
> > > > > >
> > > > > >
> > > > >
> > > > >
> > > > >
> > > > >
> > > >
> > > >
> > > >
> > >
> > >
> > >
> > >
> > >
> >
> >
> >
>
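
Added example (not part of the original thread, and not code from any poster): in the sample bounce the forged `Received:` line sits in the enclosed `message/rfc822` part, not in the bounce's own header, which is the only place procmail conditions look unless the `B` (body) flag is set. The Python sketch below parses a constructed bounce modelled on that sample and reports where the signature is found; the addresses and the `b1` boundary are placeholders, and the signature is matched as a literal substring so its parentheses and dots are not treated as regex metacharacters.

```python
import email
from email import policy

# Forged hop quoted in the thread, matched literally (no regex escaping needed).
FORGED_HOP = "from 212.21.100.75 (HELO mxcluster.mainline.co.uk)"

# Constructed bounce modelled on the thread's sample; addresses are placeholders.
SAMPLE_BOUNCE = """\
From: MAILER-DAEMON@mail.example.net
To: harry@client.example
Subject: failure notice
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1

Hi. This is the qmail-send program. This is a permanent error.

--b1
Content-Type: message/rfc822

Return-Path: <harry@client.example>
Received: from unknown (HELO host.example.org) (192.0.2.21)
  by mail.example.net with SMTP; 18 Jan 2007 21:09:04 -0000
Received: from 212.21.100.75 (HELO mxcluster.mainline.co.uk)
  by recipient.example with esmtp; Thu, 18 Jan 2007 21:49:39 -0000
Message-ID: <constructed-1@harry>

Constructed spam body.

--b1--
"""

def received_hops(msg):
    """Return the Received values of one message, unfolded to single lines."""
    return [" ".join(str(v).split()) for v in msg.get_all("Received", [])]

def find_forged_hop(raw):
    """Say where the forged hop appears: 'outer', 'enclosed', or None."""
    outer = email.message_from_string(raw, policy=policy.default)
    if any(FORGED_HOP in hop for hop in received_hops(outer)):
        return "outer"      # in the bounce's own header
    for part in outer.walk():
        if part.get_content_type() == "message/rfc822":
            inner = part.get_payload(0)   # the returned original message
            if any(FORGED_HOP in hop for hop in received_hops(inner)):
                return "enclosed"         # only visible to a body match
    return None
```

A result of `enclosed` means a header-only filter never sees the line, so a rule keyed on it has to inspect the body or the attached original.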