> The domain names look all like junk/senseless domain names used by spammers.

intentwishes.com: If this were the case then it would mean that the spammer also has control of the DNS servers responsible for this domain's IP address, as there is a reverse DNS record. I would not be surprised if they did have control, as the block of IP addresses where this is coming from is assigned to: The Education Network of Ontario.

There is an SPF record for this domain, but it is not for this machine, so blocking on an invalid SPF record should stop this spam.
Roger

On 9/18/07, Len Conrad <[EMAIL PROTECTED]> wrote:
>
> This won't catch a lot, but it could give you IPs or Class C's to
> block. I noted some stuff getting through to me where a header was:
>
> x: ZRlJFRUtJVEBCUkVOREFTQ1JJVkVORVIuQ09NZ
>
> ....probably some kind of spam tracking code.
>
> and FROM: was illegal stuff (caret is illegal in sender field):
>
> from=<[EMAIL PROTECTED]>
>
> in header_checks.regexp:
>
> /(^x: .*)/ DISCARD x: header = "$1"
>
> the $1 writes the expression to the log line. If you want to test,
> replace DISCARD with WARN or HOLD
>
> Here's a command to report hits by PTR[ip] sorted by IP:
>
> egrep -i "discard:.*x: header" /var/log/maillog | cut -d ";" -f 1 |
> awk '{print $NF}' | sort -fn | uniq -ic | sort -t[ -k2
>
> 1 flail03.intentwishes.com[205.150.40.18]
> 1 flail04.intentwishes.com[205.150.40.19]
> 1 flail05.intentwishes.com[205.150.40.20]
> 1 flail06.intentwishes.com[205.150.40.21]
> 3 flail07.intentwishes.com[205.150.40.22]
> 3 flail08.intentwishes.com[205.150.40.23]
> 1 flail09.intentwishes.com[205.150.40.24]
> 1 alpha02.fimaan.com[207.139.124.131]
> 6 great06.awareintentions.com[208.76.108.71]
> 10 great07.awareintentions.com[208.76.108.72]
> 16 great08.awareintentions.com[208.76.108.73]
> 14 great09.awareintentions.com[208.76.108.74]
> 13 great10.awareintentions.com[208.76.108.75]
> 2 allotmentmead.com[208.77.224.176]
> 2 additionafield.com[208.77.224.179]
> 1 liablecleanup.com[208.77.224.181]
> 1 undersilvery.com[208.77.224.182]
> 2 flare1.loyalelites.com[209.205.34.132]
> 1 flare2.loyalelites.com[209.205.34.133]
> 1 flail12.intentwishes.com[216.94.105.138]
> 2 flail15.intentwishes.com[216.94.105.141]
> 1 unknown[216.94.105.6]
> 2 colorful50.newlyfoundsight.com[216.94.187.77]
> 2 colorful49.newlyfoundsight.com[216.94.187.78]
> 3 colorful48.newlyfoundsight.com[216.94.187.79]
> 1 colorful47.newlyfoundsight.com[216.94.187.80]
> 3 colorful46.newlyfoundsight.com[216.94.187.81]
> 1 unknown[216.94.241.131]
> 2 general38.treasuredidea.com[216.94.244.81]
> 2 general35.treasuredidea.com[216.94.244.84]
> 1 general34.treasuredidea.com[216.94.244.85]
> 1 general33.treasuredidea.com[216.94.244.86]
> 1 general32.treasuredidea.com[216.94.244.87]
> 1 general29.treasuredidea.com[216.94.244.90]
> 1 general28.treasuredidea.com[216.94.244.91]
> 1 general25.treasuredidea.com[216.94.244.94]
> 1 general24.treasuredidea.com[216.94.244.95]
> 1 general23.treasuredidea.com[216.94.244.96]
> 1 general22.treasuredidea.com[216.94.244.97]
> 2 general20.treasuredidea.com[216.94.244.99]
>
> The domain names look all like junk/senseless domain names used by
> spammers.
>
> Len
>

--
Do you like it hot? http://www.spicymama.com Hot Pepper/BBQ/Wing sauce for those who like it hot.
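The log report quoted above, rebuilt as an added example that is not part of this thread or of Postfix itself: it runs Len's grep/cut/awk/sort chain against a constructed maillog sample (placeholder hostnames under example.net and RFC 5737 addresses, made up for this example) so the pipeline can be checked offline, and adds a second tally by /24 for the "Class C's to block" idea he mentions. The log line layout follows what Postfix cleanup emits for a header_checks DISCARD hit, but the lines themselves are constructed.

```shell
#!/bin/sh
# Added example, not code from the thread. Rebuilds the "hits by PTR[ip]"
# report against a constructed Postfix maillog and adds a per-/24 summary.
# Hostnames and addresses below are constructed placeholders (RFC 5737 ranges).

# Write a constructed maillog sample to a temp file and print its path.
# Line 4 is an unrelated smtpd line and must not be counted.
make_sample_log() {
    log=$(mktemp)
    cat >"$log" <<'EOF'
Sep 18 10:01:02 mx postfix/cleanup[4321]: 1A2B3C4D5E: discard: header x: QUJDREVGRw== from mailer01.example.net[192.0.2.10]; from=<a@example.net> to=<u@example.org> proto=ESMTP helo=<mailer01.example.net>: x: header = "x: QUJDREVGRw=="
Sep 18 10:01:05 mx postfix/cleanup[4321]: 1A2B3C4D5F: discard: header x: QUJDREVGRw== from mailer02.example.net[192.0.2.11]; from=<a@example.net> to=<u@example.org> proto=ESMTP helo=<mailer02.example.net>: x: header = "x: QUJDREVGRw=="
Sep 18 10:01:07 mx postfix/cleanup[4321]: 1A2B3C4D60: discard: header x: QUJDREVGRw== from mailer01.example.net[192.0.2.10]; from=<a@example.net> to=<u@example.org> proto=ESMTP helo=<mailer01.example.net>: x: header = "x: QUJDREVGRw=="
Sep 18 10:01:09 mx postfix/smtpd[4400]: connect from legit.example.com[198.51.100.5]
Sep 18 10:01:10 mx postfix/cleanup[4321]: 1A2B3C4D61: discard: header x: QUJDREVGRw== from unknown[198.51.100.77]; from=<a@example.net> to=<u@example.org> proto=ESMTP helo=<unknown>: x: header = "x: QUJDREVGRw=="
EOF
    printf '%s\n' "$log"
}

# Len's pipeline: keep DISCARD hits from the x: rule, drop everything after
# the first ';', take the last field (host[ip]), count duplicates, sort by IP.
report_hits() {
    grep -E -i "discard:.*x: header" "$1" \
        | cut -d ";" -f 1 \
        | awk '{print $NF}' \
        | sort -f | uniq -ic \
        | sort -t'[' -k2
}

# Same hits aggregated by /24 network, most active network first.
# The greedy .*\[ picks the last bracket on the cut line, i.e. the client IP.
report_by_class_c() {
    grep -E -i "discard:.*x: header" "$1" \
        | cut -d ";" -f 1 \
        | sed -n 's/.*\[\([0-9.]*\)\].*/\1/p' \
        | awk -F. '{print $1 "." $2 "." $3 ".0/24"}' \
        | sort | uniq -c | sort -rn
}

SAMPLE=$(make_sample_log)
echo "hits by PTR[ip]:"
report_hits "$SAMPLE"
echo
echo "hits by /24:"
report_by_class_c "$SAMPLE"
rm -f "$SAMPLE"
```

Point `report_hits` at a real `/var/log/maillog` to get Len's table; the per-/24 view is the one to read before adding a netblock to a client restriction, since a single noisy host in an otherwise clean /24 argues for blocking the host, not the block.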