RE: [qmailtoaster] spammer / Boom email
From: Jake Vickers [mailto:j...@qmailtoaster.com]
Sent: Monday, August 16, 2010 8:39 PM
To: qmailtoaster-list@qmailtoaster.com
Subject: Re: [qmailtoaster] spammer / Boom email

> On 08/12/2010 09:42 PM, Hajid wrote:
>>>>>> X-Spam-Status: No, score=-66.8 required=5.0 tests=AWL,BAYES_99,
>>>>>>         FH_DATE_PAST_20XX,FH_FAKE_RCVD_LINE,FORGED_HOTMAIL_RCVD2,INVALID_MSGID,
>>>>>>         MIME_BOUND_DD_DIGITS,MIME_QP_LONG_LINE,MISSING_HEADERS,MISSING_MIMEOLE,
>>>>>>         MSGID_MULTIPLE_AT,RCVD_DOUBLE_IP_SPAM,RCVD_HELO_IP_MISMATCH,RCVD_IN_PBL,
>>>>>>         RCVD_IN_SORBS_DUL,RCVD_NUMERIC_HELO,RDNS_NONE,SUBJECT_NEEDS_ENCODING,
>>>>>>         SUBJ_ILLEGAL_CHARS,TVD_SPACE_RATIO,USER_IN_WHITELIST autolearn=no
>>>>>
>>>>> The problem appears to be here: USER_IN_WHITELIST
>>>>>
>>>>> You have the user defined in your local.cf file as whitelisted, so they start with a -100 score. As spamassassin adds together all of the positive scores, they end up with a -66.8, so this user will never have their mail deleted as spam.
>>>>
>>>> Could it be a wildcard whitelist for hotmail in local.cf? Because I doubt this user would have been manually added to local.cf.
>>>>
>>>> Bharath
>>>
>>> Possible. It would only be guessing until the local.cf is provided.
>>
>> At local.cf I added whitelist_from *...@hotmail.com. My other question: why can this server be used as a spammer? This server is not an open relay. I am still looking into this.
>
> You whitelisted everyone at hotmail.com, so every email that comes from someone at hotmail.com starts with a score of -100 (note that is a NEGATIVE sign before the 100).
>
> So the incoming email hit all of these rules:
>
>     FH_DATE_PAST_20XX,FH_FAKE_RCVD_LINE,FORGED_HOTMAIL_RCVD2,INVALID_MSGID,
>     MIME_BOUND_DD_DIGITS,MIME_QP_LONG_LINE,MISSING_HEADERS,MISSING_MIMEOLE,
>     MSGID_MULTIPLE_AT,RCVD_DOUBLE_IP_SPAM,RCVD_HELO_IP_MISMATCH,RCVD_IN_PBL,
>     RCVD_IN_SORBS_DUL,RCVD_NUMERIC_HELO,RDNS_NONE,SUBJECT_NEEDS_ENCODING,
>     SUBJ_ILLEGAL_CHARS,TVD_SPACE_RATIO
>
> which added up to a score of 33.2, which would normally cause the message to be deleted, but since all users at hotmail.com start with a -100, it only added the score to -66.8, which is still 71.8 points away from even being marked as spam.
>
> To stop these types of messages you need to remove the whitelisting for hotmail.com (possibly only whitelist individual addresses?) and possibly adjust your spam rules and their scoring.
>
> The system worked as designed. It accepted a message (you have not shown us enough of the headers to really know what was going on), and scored it exactly how you told it to score messages.

After removing whitelist_from *...@hotmail.com from local.cf, everything is OK. When I look at /var/log/qmail/smtp/current I get this. Why does adding whitelist_from to local.cf allow SMTP relaying on the server?

@40004c6df0b53ad9549c CHKUSER rejected relaying: from <sougepeq...@hotmail.com::> remote <202.29.22.95:unknown:118.160.157.12> rcpt <kuang2hs...@yahoo.com.tw> : client not allowed to relay
Re: [qmailtoaster] spammer / Boom email
On 08/12/2010 09:42 PM, Hajid wrote:
>>>>> X-Spam-Status: No, score=-66.8 required=5.0 tests=AWL,BAYES_99,
>>>>>         FH_DATE_PAST_20XX,FH_FAKE_RCVD_LINE,FORGED_HOTMAIL_RCVD2,INVALID_MSGID,
>>>>>         MIME_BOUND_DD_DIGITS,MIME_QP_LONG_LINE,MISSING_HEADERS,MISSING_MIMEOLE,
>>>>>         MSGID_MULTIPLE_AT,RCVD_DOUBLE_IP_SPAM,RCVD_HELO_IP_MISMATCH,RCVD_IN_PBL,
>>>>>         RCVD_IN_SORBS_DUL,RCVD_NUMERIC_HELO,RDNS_NONE,SUBJECT_NEEDS_ENCODING,
>>>>>         SUBJ_ILLEGAL_CHARS,TVD_SPACE_RATIO,USER_IN_WHITELIST autolearn=no
>>>>
>>>> The problem appears to be here: USER_IN_WHITELIST
>>>>
>>>> You have the user defined in your local.cf file as whitelisted, so they start with a -100 score. As spamassassin adds together all of the positive scores, they end up with a -66.8, so this user will never have their mail deleted as spam.
>>>
>>> Could it be a wildcard whitelist for hotmail in local.cf? Because I doubt this user would have been manually added to local.cf.
>>>
>>> Bharath
>>
>> Possible. It would only be guessing until the local.cf is provided.
>
> At local.cf I added whitelist_from *...@hotmail.com. My other question: why can this server be used as a spammer? This server is not an open relay. I am still looking into this.

You whitelisted everyone at hotmail.com, so every email that comes from someone at hotmail.com starts with a score of -100 (note that is a NEGATIVE sign before the 100).

So the incoming email hit all of these rules:

    FH_DATE_PAST_20XX,FH_FAKE_RCVD_LINE,FORGED_HOTMAIL_RCVD2,INVALID_MSGID,
    MIME_BOUND_DD_DIGITS,MIME_QP_LONG_LINE,MISSING_HEADERS,MISSING_MIMEOLE,
    MSGID_MULTIPLE_AT,RCVD_DOUBLE_IP_SPAM,RCVD_HELO_IP_MISMATCH,RCVD_IN_PBL,
    RCVD_IN_SORBS_DUL,RCVD_NUMERIC_HELO,RDNS_NONE,SUBJECT_NEEDS_ENCODING,
    SUBJ_ILLEGAL_CHARS,TVD_SPACE_RATIO

which added up to a score of 33.2, which would normally cause the message to be deleted, but since all users at hotmail.com start with a -100, it only added the score to -66.8, which is still 71.8 points away from even being marked as spam.

To stop these types of messages you need to remove the whitelisting for hotmail.com (possibly only whitelist individual addresses?) and possibly adjust your spam rules and their scoring.

The system worked as designed. It accepted a message (you have not shown us enough of the headers to really know what was going on), and scored it exactly how you told it to score messages.
Re: [qmailtoaster] spammer / Boom email
On 08/12/2010 03:33 AM, Bharath Chari wrote:
> On Thursday 12 August 2010 11:18 AM, Jake Vickers wrote:
>> On 08/11/2010 03:31 AM, Hajid wrote:
>>> X-Spam-Status: No, score=-66.8 required=5.0 tests=AWL,BAYES_99,
>>>         FH_DATE_PAST_20XX,FH_FAKE_RCVD_LINE,FORGED_HOTMAIL_RCVD2,INVALID_MSGID,
>>>         MIME_BOUND_DD_DIGITS,MIME_QP_LONG_LINE,MISSING_HEADERS,MISSING_MIMEOLE,
>>>         MSGID_MULTIPLE_AT,RCVD_DOUBLE_IP_SPAM,RCVD_HELO_IP_MISMATCH,RCVD_IN_PBL,
>>>         RCVD_IN_SORBS_DUL,RCVD_NUMERIC_HELO,RDNS_NONE,SUBJECT_NEEDS_ENCODING,
>>>         SUBJ_ILLEGAL_CHARS,TVD_SPACE_RATIO,USER_IN_WHITELIST autolearn=no
>>
>> The problem appears to be here: USER_IN_WHITELIST
>>
>> You have the user defined in your local.cf file as whitelisted, so they start with a -100 score. As spamassassin adds together all of the positive scores, they end up with a -66.8, so this user will never have their mail deleted as spam.
>
> Could it be a wildcard whitelist for hotmail in local.cf? Because I doubt this user would have been manually added to local.cf.
>
> Bharath

Possible. It would only be guessing until the local.cf is provided.
RE: [qmailtoaster] spammer / Boom email
>>>> X-Spam-Status: No, score=-66.8 required=5.0 tests=AWL,BAYES_99,
>>>>         FH_DATE_PAST_20XX,FH_FAKE_RCVD_LINE,FORGED_HOTMAIL_RCVD2,INVALID_MSGID,
>>>>         MIME_BOUND_DD_DIGITS,MIME_QP_LONG_LINE,MISSING_HEADERS,MISSING_MIMEOLE,
>>>>         MSGID_MULTIPLE_AT,RCVD_DOUBLE_IP_SPAM,RCVD_HELO_IP_MISMATCH,RCVD_IN_PBL,
>>>>         RCVD_IN_SORBS_DUL,RCVD_NUMERIC_HELO,RDNS_NONE,SUBJECT_NEEDS_ENCODING,
>>>>         SUBJ_ILLEGAL_CHARS,TVD_SPACE_RATIO,USER_IN_WHITELIST autolearn=no
>>>
>>> The problem appears to be here: USER_IN_WHITELIST
>>>
>>> You have the user defined in your local.cf file as whitelisted, so they start with a -100 score. As spamassassin adds together all of the positive scores, they end up with a -66.8, so this user will never have their mail deleted as spam.
>>
>> Could it be a wildcard whitelist for hotmail in local.cf? Because I doubt this user would have been manually added to local.cf.
>>
>> Bharath
>
> Possible. It would only be guessing until the local.cf is provided.

At local.cf I added whitelist_from *...@hotmail.com. My other question: why can this server be used as a spammer? This server is not an open relay. I am still looking into this.
[qmailtoaster] spammer / Boom email
Could anybody please help me with how to stop this email?

./qmHandle -m573640
-- MESSAGE NUMBER 573640 --
Received: (qmail 7968 invoked by uid 89); 11 Aug 2010 05:44:26 -
Received: by simscan 1.3.1 ppid: 7893, pid: 7940, t: 1.2025s
        scanners: attach: 1.3.1 clamav: 0.94 /m: spam: 3.2.5
X-Spam-Checker-Version: SpamAssassin 3.2.5 (2008-06-10) on mail.avtour.com
X-Spam-Level:
X-Spam-Status: No, score=-66.8 required=5.0 tests=AWL,BAYES_99,
        FH_DATE_PAST_20XX,FH_FAKE_RCVD_LINE,FORGED_HOTMAIL_RCVD2,INVALID_MSGID,
        MIME_BOUND_DD_DIGITS,MIME_QP_LONG_LINE,MISSING_HEADERS,MISSING_MIMEOLE,
        MSGID_MULTIPLE_AT,RCVD_DOUBLE_IP_SPAM,RCVD_HELO_IP_MISMATCH,RCVD_IN_PBL,
        RCVD_IN_SORBS_DUL,RCVD_NUMERIC_HELO,RDNS_NONE,SUBJECT_NEEDS_ENCODING,
        SUBJ_ILLEGAL_CHARS,TVD_SPACE_RATIO,USER_IN_WHITELIST autolearn=no
        version=3.2.5
Received: from unknown (HELO 202.29.226.195) (118.167.134.121)
        by mail with SMTP; 11 Aug 2010 05:44:25 -
Received-SPF: softfail (mail: transitioning SPF record at spf-d.hotmail.com
        does not designate 118.167.134.121 as permitted sender)
Received: from 128.90.172.176 by 200.90.174.88; Wed, 11 Aug 2010 13:44:24 +0800
Received: from 174.172.104.212 by 49.38.224.152; Wed, 11 Aug 2010 13:44:24 +0800
Received: from 18.156.145.204 by 40.120.66.152; Wed, 11 Aug 2010 13:44:24 +0800
Received: from 253.73.206.160 by 146.80.123.197; Wed, 11 Aug 2010 13:44:24 +0800
Message-ID: <Wed, 11 Aug 2010 13:44:24 +0800shi...@ms11.hinet.net, r...@hotmail.com>
From: Rocco Boykin <glfl83...@hotmail.com>
Reply-To: Rocco Boykin <itidgh483...@hotmail.com>
Subject: 手機皮套客製化   (raw Big5, decoded here; roughly "custom phone cases")
Date: Wed, 11 Aug 2010 13:44:24 +0800
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary=--20220610593110575
RE: [qmailtoaster] spammer / Boom email
Looks like using Spamdyke with RDNS enabled would have stopped it. Doesn't look like the sending IP has a reverse DNS (PTR) entry. All legit mail servers should have a reverse DNS entry; their IP should resolve to *something*. That setting alone will stop 60% of likely spam, maybe more.

Michael J. Colvin
NorCal Internet Services
http://www.norcalisp.com/
(916) 864-

From: Hajid [mailto:ha...@masolusi.com]
Sent: Wednesday, August 11, 2010 12:32 AM
To: qmailtoaster-list@qmailtoaster.com
Subject: [qmailtoaster] spammer / Boom email

> Could anybody please help me with how to stop this email?
>
> ./qmHandle -m573640
> -- MESSAGE NUMBER 573640 --
> Received: (qmail 7968 invoked by uid 89); 11 Aug 2010 05:44:26 -
> Received: by simscan 1.3.1 ppid: 7893, pid: 7940, t: 1.2025s
>         scanners: attach: 1.3.1 clamav: 0.94 /m: spam: 3.2.5
> X-Spam-Checker-Version: SpamAssassin 3.2.5 (2008-06-10) on mail.avtour.com
> X-Spam-Level:
> X-Spam-Status: No, score=-66.8 required=5.0 tests=AWL,BAYES_99,
>         FH_DATE_PAST_20XX,FH_FAKE_RCVD_LINE,FORGED_HOTMAIL_RCVD2,INVALID_MSGID,
>         MIME_BOUND_DD_DIGITS,MIME_QP_LONG_LINE,MISSING_HEADERS,MISSING_MIMEOLE,
>         MSGID_MULTIPLE_AT,RCVD_DOUBLE_IP_SPAM,RCVD_HELO_IP_MISMATCH,RCVD_IN_PBL,
>         RCVD_IN_SORBS_DUL,RCVD_NUMERIC_HELO,RDNS_NONE,SUBJECT_NEEDS_ENCODING,
>         SUBJ_ILLEGAL_CHARS,TVD_SPACE_RATIO,USER_IN_WHITELIST autolearn=no
>         version=3.2.5
> Received: from unknown (HELO 202.29.226.195) (118.167.134.121)
>         by mail with SMTP; 11 Aug 2010 05:44:25 -
> Received-SPF: softfail (mail: transitioning SPF record at spf-d.hotmail.com
>         does not designate 118.167.134.121 as permitted sender)
> Received: from 128.90.172.176 by 200.90.174.88; Wed, 11 Aug 2010 13:44:24 +0800
> Received: from 174.172.104.212 by 49.38.224.152; Wed, 11 Aug 2010 13:44:24 +0800
> Received: from 18.156.145.204 by 40.120.66.152; Wed, 11 Aug 2010 13:44:24 +0800
> Received: from 253.73.206.160 by 146.80.123.197; Wed, 11 Aug 2010 13:44:24 +0800
> Message-ID: <Wed, 11 Aug 2010 13:44:24 +0800shi...@ms11.hinet.net, r...@hotmail.com>
> From: Rocco Boykin <glfl83...@hotmail.com>
> Reply-To: Rocco Boykin <itidgh483...@hotmail.com>
> Subject: 手機皮套客製化   (raw Big5, decoded here; roughly "custom phone cases")
> Date: Wed, 11 Aug 2010 13:44:24 +0800
> MIME-Version: 1.0
> Content-Type: multipart/alternative; boundary=--20220610593110575
RE: [qmailtoaster] spammer / Boom email
How do I track this problem? I'm looking for the sender who is doing this spam.

From: Michael Colvin [mailto:mcol...@norcalisp.com]
Sent: Wednesday, August 11, 2010 3:24 PM
To: qmailtoaster-list@qmailtoaster.com
Subject: RE: [qmailtoaster] spammer / Boom email

> Looks like using Spamdyke with RDNS enabled would have stopped it. Doesn't look like the sending IP has a reverse DNS (PTR) entry. All legit mail servers should have a reverse DNS entry; their IP should resolve to *something*. That setting alone will stop 60% of likely spam, maybe more.
>
> Michael J. Colvin
> NorCal Internet Services
> http://www.norcalisp.com/
> (916) 864-
>
> From: Hajid [mailto:ha...@masolusi.com]
> Sent: Wednesday, August 11, 2010 12:32 AM
> To: qmailtoaster-list@qmailtoaster.com
> Subject: [qmailtoaster] spammer / Boom email
>
>> Could anybody please help me with how to stop this email?
>>
>> ./qmHandle -m573640
>> -- MESSAGE NUMBER 573640 --
>> Received: (qmail 7968 invoked by uid 89); 11 Aug 2010 05:44:26 -
>> Received: by simscan 1.3.1 ppid: 7893, pid: 7940, t: 1.2025s
>>         scanners: attach: 1.3.1 clamav: 0.94 /m: spam: 3.2.5
>> X-Spam-Checker-Version: SpamAssassin 3.2.5 (2008-06-10) on mail.avtour.com
>> X-Spam-Level:
>> X-Spam-Status: No, score=-66.8 required=5.0 tests=AWL,BAYES_99,
>>         FH_DATE_PAST_20XX,FH_FAKE_RCVD_LINE,FORGED_HOTMAIL_RCVD2,INVALID_MSGID,
>>         MIME_BOUND_DD_DIGITS,MIME_QP_LONG_LINE,MISSING_HEADERS,MISSING_MIMEOLE,
>>         MSGID_MULTIPLE_AT,RCVD_DOUBLE_IP_SPAM,RCVD_HELO_IP_MISMATCH,RCVD_IN_PBL,
>>         RCVD_IN_SORBS_DUL,RCVD_NUMERIC_HELO,RDNS_NONE,SUBJECT_NEEDS_ENCODING,
>>         SUBJ_ILLEGAL_CHARS,TVD_SPACE_RATIO,USER_IN_WHITELIST autolearn=no
>>         version=3.2.5
>> Received: from unknown (HELO 202.29.226.195) (118.167.134.121)
>>         by mail with SMTP; 11 Aug 2010 05:44:25 -
>> Received-SPF: softfail (mail: transitioning SPF record at spf-d.hotmail.com
>>         does not designate 118.167.134.121 as permitted sender)
>> Received: from 128.90.172.176 by 200.90.174.88; Wed, 11 Aug 2010 13:44:24 +0800
>> Received: from 174.172.104.212 by 49.38.224.152; Wed, 11 Aug 2010 13:44:24 +0800
>> Received: from 18.156.145.204 by 40.120.66.152; Wed, 11 Aug 2010 13:44:24 +0800
>> Received: from 253.73.206.160 by 146.80.123.197; Wed, 11 Aug 2010 13:44:24 +0800
>> Message-ID: <Wed, 11 Aug 2010 13:44:24 +0800shi...@ms11.hinet.net, r...@hotmail.com>
>> From: Rocco Boykin <glfl83...@hotmail.com>
>> Reply-To: Rocco Boykin <itidgh483...@hotmail.com>
>> Subject: 手機皮套客製化   (raw Big5, decoded here; roughly "custom phone cases")
>> Date: Wed, 11 Aug 2010 13:44:24 +0800
>> MIME-Version: 1.0
>> Content-Type: multipart/alternative; boundary=--20220610593110575
Re: [qmailtoaster] spammer / Boom email
On 08/11/2010 03:31 AM, Hajid wrote:
> Could anybody please help me with how to stop this email?
>
> ./qmHandle -m573640
> -- MESSAGE NUMBER 573640 --
> Received: (qmail 7968 invoked by uid 89); 11 Aug 2010 05:44:26 -
> Received: by simscan 1.3.1 ppid: 7893, pid: 7940, t: 1.2025s
>         scanners: attach: 1.3.1 clamav: 0.94 /m: spam: 3.2.5
> X-Spam-Checker-Version: SpamAssassin 3.2.5 (2008-06-10) on mail.avtour.com
> X-Spam-Level:
> X-Spam-Status: No, score=-66.8 required=5.0 tests=AWL,BAYES_99,
>         FH_DATE_PAST_20XX,FH_FAKE_RCVD_LINE,FORGED_HOTMAIL_RCVD2,INVALID_MSGID,
>         MIME_BOUND_DD_DIGITS,MIME_QP_LONG_LINE,MISSING_HEADERS,MISSING_MIMEOLE,
>         MSGID_MULTIPLE_AT,RCVD_DOUBLE_IP_SPAM,RCVD_HELO_IP_MISMATCH,RCVD_IN_PBL,
>         RCVD_IN_SORBS_DUL,RCVD_NUMERIC_HELO,RDNS_NONE,SUBJECT_NEEDS_ENCODING,
>         SUBJ_ILLEGAL_CHARS,TVD_SPACE_RATIO,USER_IN_WHITELIST autolearn=no
>         version=3.2.5
> Received: from unknown (HELO 202.29.226.195) (118.167.134.121)
>         by mail with SMTP; 11 Aug 2010 05:44:25 -
> Received-SPF: softfail (mail: transitioning SPF record at spf-d.hotmail.com
>         does not designate 118.167.134.121 as permitted sender)
> Received: from 128.90.172.176 by 200.90.174.88; Wed, 11 Aug 2010 13:44:24 +0800
> Received: from 174.172.104.212 by 49.38.224.152; Wed, 11 Aug 2010 13:44:24 +0800
> Received: from 18.156.145.204 by 40.120.66.152; Wed, 11 Aug 2010 13:44:24 +0800
> Received: from 253.73.206.160 by 146.80.123.197; Wed, 11 Aug 2010 13:44:24 +0800
> Message-ID: <Wed, 11 Aug 2010 13:44:24 +0800shi...@ms11.hinet.net, r...@hotmail.com>
> From: Rocco Boykin <glfl83...@hotmail.com>
> Reply-To: Rocco Boykin <itidgh483...@hotmail.com>
> Subject: 手機皮套客製化   (raw Big5, decoded here; roughly "custom phone cases")
> Date: Wed, 11 Aug 2010 13:44:24 +0800
> MIME-Version: 1.0
> Content-Type: multipart/alternative; boundary=--20220610593110575

The problem appears to be here: USER_IN_WHITELIST

You have the user defined in your local.cf file as whitelisted, so they start with a -100 score. As spamassassin adds together all of the positive scores, they end up with a -66.8, so this user will never have their mail deleted as spam.
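The scoring arithmetic in Jake's replies, worked through as an added Python example (this is not code from the thread or from the qmailtoaster project). It parses the X-Spam-Status value quoted above, recomputes what the message would have scored without USER_IN_WHITELIST, and flags the "whitelist masking" case: a message passed as ham only because the -100 pulled it under the threshold. It also shows how a whitelist_from glob is matched, which is the root of the problem: whitelist_from is tested against the From: header, which the spammer forged, so `*@hotmail.com` whitelists anyone who merely claims to be at hotmail.com. Assumptions: the -100 is SpamAssassin's stock score for USER_IN_WHITELIST (the header carries no per-rule scores), and the sender addresses and local.cf entries in the demo are constructed. One caveat a practitioner will want: the CHKUSER line Hajid quotes near the top of the page is a rejected relay attempt, so the whitelist did not open a relay; whitelist_from only changes how SpamAssassin scores mail the server has already accepted for local delivery. If a whitelist is really needed, SpamAssassin's whitelist_from_rcvd (sender plus the relay's reverse DNS) or whitelist_auth (sender must pass SPF or DKIM) are far harder to forge than whitelist_from.

```python
import re
from typing import Any, Dict, List, Optional

# X-Spam-Status value as quoted in the thread (folded over several lines,
# which the parser tolerates).
THREAD_HEADER = (
    "No, score=-66.8 required=5.0 tests=AWL,BAYES_99,\n"
    "\tFH_DATE_PAST_20XX,FH_FAKE_RCVD_LINE,FORGED_HOTMAIL_RCVD2,INVALID_MSGID,\n"
    "\tMIME_BOUND_DD_DIGITS,MIME_QP_LONG_LINE,MISSING_HEADERS,MISSING_MIMEOLE,\n"
    "\tMSGID_MULTIPLE_AT,RCVD_DOUBLE_IP_SPAM,RCVD_HELO_IP_MISMATCH,RCVD_IN_PBL,\n"
    "\tRCVD_IN_SORBS_DUL,RCVD_NUMERIC_HELO,RDNS_NONE,SUBJECT_NEEDS_ENCODING,\n"
    "\tSUBJ_ILLEGAL_CHARS,TVD_SPACE_RATIO,USER_IN_WHITELIST autolearn=no\n"
    "\tversion=3.2.5"
)

# SpamAssassin's stock score for USER_IN_WHITELIST.  X-Spam-Status does not
# carry per-rule scores, so this is the one value the analysis assumes.
USER_IN_WHITELIST_SCORE = -100.0

_STATUS_RE = re.compile(
    r"^(Yes|No),\s*score=(-?\d+(?:\.\d+)?)\s+required=(\d+(?:\.\d+)?)"
    r"\s+tests=((?:[A-Za-z0-9_]+,\s*)*[A-Za-z0-9_]+)"
)


def parse_spam_status(header: str) -> Dict[str, Any]:
    """Split an X-Spam-Status value into verdict, score, threshold and rule names."""
    flat = " ".join(header.split())  # unfold continuation lines
    m = _STATUS_RE.match(flat)
    if not m:
        raise ValueError("not an X-Spam-Status value: %r" % header)
    tests = [t.strip() for t in m.group(4).split(",") if t.strip()]
    if tests == ["none"]:  # SA writes tests=none when no rule fired
        tests = []
    autolearn = re.search(r"\bautolearn=(\S+)", flat)
    return {
        "is_spam": m.group(1) == "Yes",
        "score": float(m.group(2)),
        "required": float(m.group(3)),
        "tests": tests,
        "autolearn": autolearn.group(1) if autolearn else None,
    }


def score_without_whitelist(status: Dict[str, Any],
                            whitelist_score: float = USER_IN_WHITELIST_SCORE) -> Optional[float]:
    """Score the message would have had if USER_IN_WHITELIST had not fired,
    or None when the whitelist played no part in the verdict."""
    if "USER_IN_WHITELIST" not in status["tests"]:
        return None
    return round(status["score"] - whitelist_score, 1)


def whitelist_masked_spam(status: Dict[str, Any],
                          whitelist_score: float = USER_IN_WHITELIST_SCORE) -> bool:
    """True when a message was passed as ham only because whitelist_from pulled
    it under the threshold: the remaining rules on their own reach `required`."""
    adjusted = score_without_whitelist(status, whitelist_score)
    return adjusted is not None and not status["is_spam"] and adjusted >= status["required"]


def whitelist_glob_to_regex(glob: str) -> "re.Pattern[str]":
    """whitelist_from entries are globs: '*' matches any run of characters and
    '?' exactly one; the whole address is matched, case-insensitively."""
    body = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in glob)
    return re.compile("^" + body + "$", re.IGNORECASE)


def matching_whitelist_entries(sender: str, entries: List[str]) -> List[str]:
    """Which local.cf whitelist_from entries would fire for this From: address."""
    return [e for e in entries if whitelist_glob_to_regex(e).match(sender)]


if __name__ == "__main__":
    status = parse_spam_status(THREAD_HEADER)
    print("verdict: spam=%s score=%.1f required=%.1f (%d rules fired)"
          % (status["is_spam"], status["score"], status["required"], len(status["tests"])))
    print("score without USER_IN_WHITELIST:", score_without_whitelist(status))
    print("passed only because of the whitelist:", whitelist_masked_spam(status))
    # Constructed local.cf entries and senders; the wildcard mirrors Hajid's entry.
    entries = ["*@hotmail.com", "colleague@example.org"]
    for sender in ("Forged.Sender@HOTMAIL.COM", "colleague@example.org", "anyone@example.net"):
        print("%-28s -> %s" % (sender, matching_whitelist_entries(sender, entries)))
```

Run over a mail spool or a log of X-Spam-Status lines, whitelist_masked_spam() lists exactly the messages that a wildcard whitelist is letting through, which is a quicker way to size the damage than reading headers by hand.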