James Robertson wrote:
Recently we noticed an increase in junk and discovered that it's coming from Hotmail (and to a lesser extent Yahoo).

The problem is that these spammers are smarter than the average spammer.

They don't spam flat out all the time (not to us anyway), and since the mail comes from hotmail's servers and they use a Hotmail address <[EMAIL PROTECTED]>, they get by Postfix and Spamassassin quite easily.

I have not tested it but I would imagine greylisting would fail since hotmail's servers will do the normal thing and retry later (using same sender address etc).

Most of what we have been getting is Drugs related junk so I increased the scores in Spamassassin accordingly which has helped but some still gets by based on different content in the messages and obviously if they change tactics and start doing weight loss etc then it will probably get in.

We cannot block hotmail due to valid mail coming from there. Is there a way in Postfix that could filter out this junk somehow?

Below are some examples

##########################################################

Microsoft Mail Internet Headers Version 2.0
Received: from mail.icfrith.com.au ([XXX.XXX.XXX.XXX]) by icfmail1.icfrith.com.au with Microsoft SMTPSVC(5.0.2195.6713);
            Tue, 19 Aug 2008 23:59:42 +1000
Received: from localhost (localhost.localdomain [127.0.0.1])
           by mail.icfrith.com.au (Postfix) with ESMTP id DD64D2B959
for <[EMAIL PROTECTED]>; Tue, 19 Aug 2008 23:59:43 +1000 (EST)
X-Virus-Scanned: Debian amavisd-new at icfrith.com.au
X-Spam-Score: -0.144
X-Spam-Level:
X-Spam-Status: No, score=-0.144 required=5.31 tests=[BAYES_00=-2.599,
           DCC_CHECK=2.17, DRUGS_ERECTILE=0.282, HTML_MESSAGE=0.001,
           ONLINE_PHARMACY=0.001, TVD_VISIT_PHARMA=0.001]
Received: from mail.icfrith.com.au ([127.0.0.1])
by localhost (icfsydmxg-vm.icfrith.com.au [127.0.0.1]) (amavisd-new, port 10024)
           with ESMTP id JLdoDGWcLqRX for <[EMAIL PROTECTED]>;
           Tue, 19 Aug 2008 23:59:40 +1000 (EST)
Received: from blu0-omc3-s29.blu0.hotmail.com (blu0-omc3-s29.blu0.hotmail.com [65.55.116.104])
           by mail.icfrith.com.au (Postfix) with ESMTP id 00ED62B905
for <[EMAIL PROTECTED]>; Tue, 19 Aug 2008 23:59:34 +1000 (EST)
Received: from BLU135-W36 ([65.55.116.73]) by blu0-omc3-s29.blu0.hotmail.com with Microsoft SMTPSVC(6.0.3790.3959);
            Tue, 19 Aug 2008 06:59:27 -0700
Message-ID: <[EMAIL PROTECTED]>
Content-Type: multipart/alternative;
           boundary="_605a643e-57e1-4566-b4f5-80149ef06c75_"
X-Originating-IP: [68.97.155.25]
From: Nancy Johnson <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Subject: Back into the youth - only with Viagra Professional
Date: Tue, 19 Aug 2008 13:59:26 +0000
Importance: High
MIME-Version: 1.0
X-OriginalArrivalTime: 19 Aug 2008 13:59:27.0695 (UTC) FILETIME=[CB5F55F0:01C90203]
Return-Path: [EMAIL PROTECTED]

--_605a643e-57e1-4566-b4f5-80149ef06c75_
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable

--_605a643e-57e1-4566-b4f5-80149ef06c75_
Content-Type: text/html; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable


--_605a643e-57e1-4566-b4f5-80149ef06c75_--

#################################################################

Microsoft Mail Internet Headers Version 2.0
Received: from mail.icfrith.com.au ([XXX.XXX.XXX.XXX]) by icfmail1.icfrith.com.au with Microsoft SMTPSVC(5.0.2195.6713);
            Tue, 19 Aug 2008 20:55:59 +1000
Received: from localhost (localhost.localdomain [127.0.0.1])
           by mail.icfrith.com.au (Postfix) with ESMTP id 5A7AC2B961
for <[EMAIL PROTECTED]>; Tue, 19 Aug 2008 20:56:00 +1000 (EST)
X-Virus-Scanned: Debian amavisd-new at icfrith.com.au
X-Spam-Score: 1.728
X-Spam-Level: *
X-Spam-Status: No, score=1.728 required=5.31 tests=[BAYES_50=0.001,
DRUGS_ERECTILE=0.282, FB_CIALIS_LEO3=1.441, HTML_MESSAGE=0.001,
           SUBJECT_DRUG_GAP_C=0.003]
Received: from mail.icfrith.com.au ([127.0.0.1])
by localhost (icfsydmxg-vm.icfrith.com.au [127.0.0.1]) (amavisd-new, port 10024)
           with ESMTP id oFVqnG2CBkCi for <[EMAIL PROTECTED]>;
           Tue, 19 Aug 2008 20:55:52 +1000 (EST)
Received: from blu0-omc2-s17.blu0.hotmail.com (blu0-omc2-s17.blu0.hotmail.com [65.55.111.92])
           by mail.icfrith.com.au (Postfix) with ESMTP id 6700E2B905
for <[EMAIL PROTECTED]>; Tue, 19 Aug 2008 20:55:45 +1000 (EST)
Received: from BLU118-W8 ([65.55.111.72]) by blu0-omc2-s17.blu0.hotmail.com with Microsoft SMTPSVC(6.0.3790.3959);
            Tue, 19 Aug 2008 03:55:42 -0700
Message-ID: <[EMAIL PROTECTED]>
Content-Type: multipart/alternative;
           boundary="_de1bbbbe-6bd9-42f3-a8c2-16a3ba887632_"
X-Originating-IP: [119.141.38.224]
From: Nancy Taylor <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Subject: Amplify your sexual power with Soft Cialis.
Date: Tue, 19 Aug 2008 10:55:42 +0000
Importance: High
MIME-Version: 1.0
X-OriginalArrivalTime: 19 Aug 2008 10:55:42.0785 (UTC) FILETIME=[20039310:01C901EA]
Return-Path: [EMAIL PROTECTED]

--_de1bbbbe-6bd9-42f3-a8c2-16a3ba887632_
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable

--_de1bbbbe-6bd9-42f3-a8c2-16a3ba887632_
Content-Type: text/html; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable


--_de1bbbbe-6bd9-42f3-a8c2-16a3ba887632_--



I sent this a little while ago and had some helpful responses but I had an idea last night and would like some feedback.

It's easiest if I use an example.

[EMAIL PROTECTED] is a valid email address.
[EMAIL PROTECTED] is a spammer address.

[EMAIL PROTECTED] sends an email to [EMAIL PROTECTED]
The message is held with a timeout before it is purged from the hold queue, e.g. 5 days, because the domain is hotmail.com, and an identifier is associated with the message somehow. An email message is sent back to the address asking them to resend a message with a key (specific words or characters in the subject line, body or both).
The sender responds with the requested info.
The message is received and processed, perhaps with procmail or similar, which matches the key to the identifier and then releases the message and marks the hotmail address as a valid one so it does not hold any further emails from [EMAIL PROTECTED]

[EMAIL PROTECTED] sends junk mail to [EMAIL PROTECTED]
The message is held because the domain is hotmail.com and an identifier is associated with the message. An email message is sent back to the address asking them to resend a message with a key (specific words or characters in the subject line or body or both). The spammer doesn't respond to the request and the mail is held for 5 days before being purged.

It could probably use a web interface running on the mail server the sender could go to and even use a captcha or something...

I'm not sure if anything like this exists already and if it does could someone please direct me to it.

Unfortunately I'm not a programmer (but I'm learning) so implementing this would be a very long and laborious task for me.

Any suggestions or advice appreciated.

Thanks.
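
The hold-and-challenge flow described in the message above, sketched as an added example that is not part of the original post. The class name, the HMAC-derived key, the queue IDs and the addresses are assumptions constructed for illustration; the actual holding, releasing and challenge mail would be done by the MTA.

```python
import hashlib
import hmac
import re

SECRET = b"constructed-demo-secret"     # assumption: a per-server secret
HOLD_SECONDS = 5 * 24 * 3600            # the 5-day hold from the post
CHALLENGED_DOMAINS = {"hotmail.com"}    # domains whose mail is held first

class HoldQueue:
    def __init__(self, secret=SECRET):
        self.secret = secret
        self.held = {}         # queue_id -> (sender, time held)
        self.verified = set()  # senders who answered a challenge

    def _key(self, queue_id, sender):
        # The key is bound to both the held message and the sender address.
        data = f"{queue_id}|{sender}".encode()
        return hmac.new(self.secret, data, hashlib.sha256).hexdigest()[:16]

    def receive(self, queue_id, sender, now):
        """Return ('deliver', None) or ('hold', key to put in the challenge)."""
        sender = sender.lower()
        domain = sender.rpartition("@")[2]
        if domain not in CHALLENGED_DOMAINS or sender in self.verified:
            return ("deliver", None)
        self.held[queue_id] = (sender, now)
        return ("hold", self._key(queue_id, sender))

    def confirm(self, sender, subject, now):
        """Handle a reply: release this sender's held mail whose key matches."""
        sender = sender.lower()
        tokens = re.findall(r"\b[0-9a-f]{16}\b", subject.lower())
        released = []
        for qid, (held_sender, held_at) in list(self.held.items()):
            if held_sender != sender or now - held_at > HOLD_SECONDS:
                continue
            expected = self._key(qid, sender)
            if any(hmac.compare_digest(tok, expected) for tok in tokens):
                released.append(qid)
                del self.held[qid]
        if released:
            self.verified.add(sender)  # later mail from this sender is not held
        return released

    def purge(self, now):
        """Drop held mail that was never confirmed within the hold period."""
        expired = [q for q, (_, t) in self.held.items() if now - t > HOLD_SECONDS]
        for q in expired:
            del self.held[q]
        return expired
```

A reply is only accepted when it carries the key bound to that queue ID and sender, so a key issued for another held message releases nothing. Since the challenge goes to whatever sender address the message carries, a forged sender means the challenge lands on an uninvolved third party.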

