same spam here, and ClamAV is kicking ass:

Message ID: m1-99462-30667  Session: 7F3FB66EEBB8  Remote IP: 85.39.186.201
Subject: Ihre Mobilfunk - Rechnung vom 04.11.2014 im Anhang als PDF
Sender: [email protected] <[email protected]>
Recipients(s): [..]
Virus Detected: 'Sanesecurity.Foxhole.Zip_pdf.UNOFFICIAL(ca2d76f66dbfb3f5770252a02bbe2bd8:17622)'

I would suggest you implement an AV check with Foxhole signatures if you
haven't yet (and have virus scanning enabled for whitelisted senders as well).

Don't know if this will help, but here is my log for this kind of spam:

Nov-04-14 12:11:15 m1-99462-30667 [Worker_1] [TLS-out] 85.39.186.201
<[email protected] <[email protected]>> to: [..] Message-Score:
added 42 for DNSBL: neutral, 85.39.186.201 listed in l2.apews.org
psbl.surriel.com, total score for this message is now 42
Nov-04-14 12:11:16 m1-99462-30667 [Worker_1] [TLS-out] 85.39.186.201
<[email protected] <[email protected]>> to: [..]
Message-Score: added 20 for BombSubjectRe '[!empty string!]', total score
for this message is now 62
Nov-04-14 12:11:16 m1-99462-30667 [Worker_1] [TLS-out] 85.39.186.201
<[email protected] <[email protected]>> to: [..]
Message-Score: added 20 for invalid HELO: 'speedtouch.lan', total score
for this message is now 82
Nov-04-14 12:11:17 m1-99462-30667 [Worker_1] [TLS-out] 85.39.186.201
<[email protected] <[email protected]>> to: [..]
Message-Score: added 49 for Bayesian Probability: 0.99991, total score
for this message is now 131
Nov-04-14 12:11:17 m1-99462-30667 [Worker_1] [TLS-out] [MessageLimit]
85.39.186.201 <[email protected] <[email protected]>> to: [...]
[spam found] (MessageScore 131, limit 50) [Ihre Mobilfunk Rechnung vom 04
11 2014 im Anhang als PDF] ->
spam/Ihre_Mobilfunk_Rechnung_vom_04_11_2014_im_Anhang_a--846171.eml;
Nov-04-14 12:14:32 m1-99462-30667 [Worker_1] [TLS-out] 85.39.186.201
<[email protected] <[email protected]>> to: [..] ClamAV: scanned
17622 bytes in file
spam/Ihre_Mobilfunk_Rechnung_vom_04_11_2014_im_Anhang_a--846171.eml - FOUND
Sanesecurity.Foxhole.Zip_pdf.UNOFFICIAL(ca2d76f66dbfb3f5770252a02bbe2bd8:17622)
Nov-04-14 12:14:32 m1-99462-30667 [Worker_1] [TLS-out] 85.39.186.201
<[email protected] <[email protected]>> to: [..] Message-Score:
added 50 (vdValencePB) for virus detected:
'Sanesecurity.Foxhole.Zip_pdf.UNOFFICIAL(ca2d76f66dbfb3f5770252a02bbe2bd8:17622)',
total score for this message is now 181

So, it seems that my ASSP is doing its job in this specific case (even if
IPs, HELOs and addresses may change).
You could try to see if, where and how the message gets scored, and set some
ASSP checks mandatory even for whitelisted senders.
Choose the solution that fits your environment, but don't focus on data that
may vary a lot from mail to mail (IP, HELO, senders...).

regards,
aqx

On Tue, Nov 4, 2014 at 12:24 PM, Christian Leicht <[email protected]> wrote:

> This time a lot of spam from Vodafone goes through. They look like bills,
> but are clearly spam.
>
> I need to put @vodafone.de on the whitelist. Some users need to get
> mails from Vodafone.
> How can I prevent this?
>
> Christian
>
>
> Return-Path: <[email protected]>
> Delivered-To: [email protected]
> Received: from it (localhost.localdomain [127.0.0.1])
>         by xxx.xx (Postfix) with ESMTP id 6B4C4BD42CD
>         for <[email protected]>; Tue,  4 Nov 2014 12:13:50 +0100 (CET)
> Received: from net-188-219-67-34.cust.vodafonedsl.it ([188.219.67.34]
>         helo=it) by xxx.xx with SMTP (2.4.4); 4 Nov 2014 12:13:43 +0100
> Received: from [87.8.33.15] (helo=hamlbovsaryex.zifhdwyoshqz.com)
>         by it with esmtpa (Exim 4.69)
>         (envelope-from )
>         id 1MMAQY-7576zg-M9
>         for [email protected]; Tue, 4 Nov 2014 12:13:56 +0100
> Received: from [11.84.9.50] (helo=jqougkild.lzdxhrpvrt.info)
>         by it with esmtpa (Exim 4.69)
>         (envelope-from )
>         id 1MMJYC-5729ln-EX
>         for [email protected]; Tue, 4 Nov 2014 12:13:56 +0100
> Date: Tue, 4 Nov 2014 12:13:56 +0100
> From: <[email protected]>
> To: <[email protected]>
> Subject: Ihre Mobilfunk - Rechnung vom 04.11.2014 im Anhang als PDF
> MIME-Version: 1.0
> X-Priority: 3
> Message-ID: <[email protected]>
> Content-Type: multipart/mixed;
>    boundary="----=a__davjcp_26_00_13"
> X-Assp-ID: xxx.xx wwl7-99630-05985
> X-Assp-Session: 7F6A806EA7D8 (mail 1)
> X-Assp-Detected-RIP: 11.84.9.50, 87.8.33.15
> X-Assp-Source-IP: 11.84.9.50
> X-Assp-Envelope-From: [email protected]
> X-Assp-Intended-For: xxx.xx
> X-Assp-Original-Subject: Ihre Mobilfunk - Rechnung vom 04.11.2014 im
>         Anhang als PDF
> X-Assp-Version: 2.4.4(14307) on xxx.xx
> X-Assp-Delay: not delayed (whitelisted); 4 Nov 2014 12:13:52 +0100
> X-Assp-Whitelisted: Yes (whiteListedDomains '@vodafone.de')
>
>
> ------------------------------------------------------------------------------
> _______________________________________________
> Assp-user mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/assp-user
>
-- 
"Madness, like small fish, runs in hosts, in vast numbers of instances."

Nessuno mi pettina bene come il vento.
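The reply above suggests looking at "if, where and how the message gets scored" and not leaning on transport details (IP, HELO, sender) that change from mail to mail. The script below is an added example written for this page, not ASSP's own code nor anything posted on the list: it parses a constructed sample modelled on the maillog excerpt quoted above, tallies each Message-Score contribution, verifies the running totals, extracts the ClamAV signature hit, and splits the score into transport-dependent checks (DNSBL, HELO) versus content-based ones (subject, Bayes, virus). The regexes and the volatile/content classification are assumptions derived only from the log lines shown here, and the ">" comparison against the MessageLimit is likewise assumed rather than taken from ASSP's source.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample, modelled on the ASSP maillog excerpt quoted in the reply.
# One event per line (the list archive wrapped them); addresses are redacted the
# same way the archive does and the spam file name is shortened.
SAMPLE_LOG = """\
Nov-04-14 12:11:15 m1-99462-30667 [Worker_1] [TLS-out] 85.39.186.201 <[email protected]> to: [..] Message-Score: added 42 for DNSBL: neutral, 85.39.186.201 listed in l2.apews.org psbl.surriel.com, total score for this message is now 42
Nov-04-14 12:11:16 m1-99462-30667 [Worker_1] [TLS-out] 85.39.186.201 <[email protected]> to: [..] Message-Score: added 20 for BombSubjectRe '[!empty string!]', total score for this message is now 62
Nov-04-14 12:11:16 m1-99462-30667 [Worker_1] [TLS-out] 85.39.186.201 <[email protected]> to: [..] Message-Score: added 20 for invalid HELO: 'speedtouch.lan', total score for this message is now 82
Nov-04-14 12:11:17 m1-99462-30667 [Worker_1] [TLS-out] 85.39.186.201 <[email protected]> to: [..] Message-Score: added 49 for Bayesian Probability: 0.99991, total score for this message is now 131
Nov-04-14 12:11:17 m1-99462-30667 [Worker_1] [TLS-out] [MessageLimit] 85.39.186.201 <[email protected]> to: [..] [spam found] (MessageScore 131, limit 50) [Ihre Mobilfunk Rechnung vom 04 11 2014 im Anhang als PDF] -> spam/Ihre_Mobilfunk_Rechnung--846171.eml;
Nov-04-14 12:14:32 m1-99462-30667 [Worker_1] [TLS-out] 85.39.186.201 <[email protected]> to: [..] ClamAV: scanned 17622 bytes in file spam/Ihre_Mobilfunk_Rechnung--846171.eml - FOUND Sanesecurity.Foxhole.Zip_pdf.UNOFFICIAL(ca2d76f66dbfb3f5770252a02bbe2bd8:17622)
Nov-04-14 12:14:32 m1-99462-30667 [Worker_1] [TLS-out] 85.39.186.201 <[email protected]> to: [..] Message-Score: added 50 (vdValencePB) for virus detected: 'Sanesecurity.Foxhole.Zip_pdf.UNOFFICIAL(ca2d76f66dbfb3f5770252a02bbe2bd8:17622)', total score for this message is now 181
"""

# Patterns are assumptions derived from the log format shown above, not ASSP's own.
SCORE_RE = re.compile(
    r"Message-Score: added (?P<points>\d+) (?:\((?P<tag>[^)]*)\) )?"
    r"for (?P<reason>.+?), total score for this message is now (?P<total>\d+)"
)
LIMIT_RE = re.compile(r"\(MessageScore (?P<score>\d+), limit (?P<limit>\d+)\)")
CLAM_RE = re.compile(
    r"ClamAV: scanned (?P<size>\d+) bytes in file (?P<path>\S+) - FOUND (?P<sig>\S+)"
)

# Assumed classification: checks whose input is the connection (IP, HELO)
# rather than the message body. These are the ones the reply calls unreliable.
VOLATILE_PREFIXES = ("DNSBL", "invalid HELO")


@dataclass
class Contribution:
    points: int
    reason: str
    running_total: int   # the "total score ... is now N" value on the same line
    tag: Optional[str]   # e.g. "vdValencePB" on the virus line, else None


@dataclass
class ScoreReport:
    message_id: Optional[str] = None
    contributions: List[Contribution] = field(default_factory=list)
    limit: Optional[int] = None          # MessageLimit threshold
    limit_score: Optional[int] = None    # score ASSP reported when it hit the limit
    virus_signature: Optional[str] = None

    @property
    def total(self) -> int:
        return sum(c.points for c in self.contributions)

    def totals_consistent(self) -> bool:
        """True if the logged running totals agree with the summed points."""
        running = 0
        for c in self.contributions:
            running += c.points
            if running != c.running_total:
                return False
        return True

    def content_score(self) -> int:
        """Score from content-based checks only (volatile transport checks excluded)."""
        return sum(c.points for c in self.contributions
                   if not c.reason.startswith(VOLATILE_PREFIXES))

    def is_spam(self) -> bool:
        # Assumed comparator: the limit line reads "MessageScore 131, limit 50".
        return self.limit is not None and self.total > self.limit


def parse_assp_log(text: str) -> ScoreReport:
    """Build a ScoreReport from maillog lines belonging to one ASSP message."""
    report = ScoreReport()
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 3:
            continue
        report.message_id = report.message_id or fields[2]  # e.g. m1-99462-30667
        if m := SCORE_RE.search(line):
            report.contributions.append(Contribution(
                int(m["points"]), m["reason"], int(m["total"]), m["tag"]))
        elif m := LIMIT_RE.search(line):
            report.limit, report.limit_score = int(m["limit"]), int(m["score"])
        elif m := CLAM_RE.search(line):
            report.virus_signature = m["sig"]
    return report


if __name__ == "__main__":
    r = parse_assp_log(SAMPLE_LOG)
    print(f"{r.message_id}: total {r.total} (limit {r.limit}), spam={r.is_spam()}")
    for c in r.contributions:
        kind = "volatile" if c.reason.startswith(VOLATILE_PREFIXES) else "content"
        print(f"  +{c.points:3d} [{kind}] {c.reason}")
    print(f"content-only score: {r.content_score()}, running totals ok: {r.totals_consistent()}")
    print(f"ClamAV hit: {r.virus_signature}")
```

Run against a real maillog, feed it only the lines carrying one message's ID; the content-only figure shows whether the mail would still cross the limit once DNSBL and HELO points are discounted, which is the question to ask before deciding which checks to make mandatory for whitelisted senders.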