[toaster] qregex question

2006-02-08 Thread Abel Angel

Hello all,

We're receiving a lot of spam from domains like @0-0.com, @0800.com,
@10-million-hits.com, these kinds of things.

Our toaster has toaster-patch including qregex-20040725.patch.

Why doesn't putting this expression in badmailfrom reject anything?

@[0-9]\*.*

I want to "filter all domains beginning with any digit, followed by whatever".
Should I escape the dot too?

I'll appreciate any advice

regards

_Abel


Re: [toaster] qregex question

2006-02-08 Thread Shane Chrisp
On Wed, 2006-02-08 at 11:58 -0300, Abel Angel wrote:
> Hello all,
> 
> We're receiving a lot of spam from domains like @0-0.com, @0800.com,
> @10-million-hits.com, these kinds of things.
> 
> Our toaster has toaster-patch including qregex-20040725.patch.
> 
> Why doesn't putting this expression in badmailfrom reject anything?
> 
> @[0-9]\*.*
> 
> I want to "filter all domains beginning with any digit, followed by whatever".
> Should I escape the dot too?
> 
> I'll appreciate any advice

Are you using rblsmtpd? If not, I would suggest you set it up as
probably at least 90% of that crap comes from dynamic IPs and open
proxies, not to mention the known spam sources themselves.

Shane



[toaster] spam from localhost ??

2006-02-08 Thread Ernest Ho
Dear All

It is so strange that I got some spam. Its header does
not have an IP address, only localhost. We set smtp-auth
according to the toaster. Following is the header:

Return-Path: <[EMAIL PROTECTED]>
Delivered-To: [EMAIL PROTECTED]
Received: (qmail 25973 invoked by uid 89); 7 Feb 2006 08:44:44 -
Received: by simscan 1.1.0 ppid: 25843, pid: 25952, t: 1.6100s
 scanners: attach: 1.1.0 clamav: 0.87.1/m:34/d:1183 spam: 3.1.0
Received: from localhost by mail.conco.com
 with SpamAssassin (version 3.1.0);
 Tue, 07 Feb 2006 16:44:44 +0800
From: "viagra" <[EMAIL PROTECTED]>
To: Freddie <[EMAIL PROTECTED]>
Subject: **SPAM** Viagra
Date: Tue, 07 Feb 2006 15:32:58 -0500
Message-Id: <[EMAIL PROTECTED]>
X-Spam-Flag: YES
X-Spam-Checker-Version: SpamAssassin 3.1.0 (2005-09-13) on
 mail.conco.com
X-Spam-Level: **
X-Spam-Status: Yes, score=35.0 required=10.0 tests=BAYES_99,DOMAIN_RATIO,
 FROM_ILLEGAL_CHARS,HEAD_ILLEGAL_CHARS,HTML_90_100,HTML_IMAGE_ONLY_28,
 HTML_IMAGE_RATIO_02,HTML_MESSAGE,HTML_TAG_EXIST_BGSOUND,HTML_WEB_BUGS,
 MIME_BOUND_DIGITS_15,MIME_QP_LONG_LINE,MPART_ALT_DIFF,
 MPART_ALT_DIFF_COUNT,NORMAL_HTTP_TO_IP,RCVD_HELO_IP_MISMATCH,
 RCVD_NUMERIC_HELO,SUBJ_ILLEGAL_CHARS,UNRESOLVED_TEMPLATE,
 X_MAILER_SPAM autolearn=spam version=3.1.0
MIME-Version: 1.0
Content-Type: multipart/mixed;
 boundary="--=_43E85DFC.E544ECA8"





Re: [toaster] qregex question

2006-02-08 Thread Alex Dean

On Feb 8, 2006, at 8:01 AM, Shane Chrisp wrote:

> @[0-9]\*.*

This might be better : @[0-9].*

I think \* means 'a literal *', because \ is an escape character.   
That's the way it is in some other regex implementations (Perl &  
PHP), anyway.


alex






Re: [toaster] spam from localhost ??

2006-02-08 Thread Adi Pircalabu
On Wed, 8 Feb 2006 07:28:51 -0800 (PST)
Ernest Ho <[EMAIL PROTECTED]> wrote:

> It is so strange that I got some spam. Its header does
> not have an IP address, only localhost.

That's impossible if the message comes via SMTP.

> We set smtp-auth according to the toaster. Following is the header:
> 
> Return-Path: <[EMAIL PROTECTED]>
> Delivered-To: [EMAIL PROTECTED]
> Received: (qmail 25973 invoked by uid 89); 7 Feb 2006
> 08:44:44 -
> Received: by simscan 1.1.0 ppid: 25843, pid: 25952, t:
> 1.6100s
>  scanners: attach: 1.1.0 clamav:
> 0.87.1/m:34/d:1183 spam: 3.1.0
> Received: from localhost by mail.conco.com
>  with SpamAssassin (version 3.1.0);
>  Tue, 07 Feb 2006 16:44:44 +0800

Very funny, are the above headers complete, unedited? Please check the
message source again and post the complete "Received:" headers.
Eventually:
1. Do you override SMTP-auth for 127.0.0.1 ?
2. Do you host on that system some form-mailer which can be abused via
http?
And:
0. Don't resend messages to the list, it's annoying

-- 
Adrian Pircalabu





Re: [toaster] qregex question

2006-02-08 Thread Abel Angel
On Wed, 8 Feb 2006, Shane Chrisp wrote:

> Are you using rblsmtpd? If not, I would suggest you set it up as
> probably at least 90% of that crap comes from dynamic IPs and open
> proxies, not to mention the known spam sources themselves.


Thanks Shane,
yes, I'm using rblsmtpd with relays.ordb.org, cbl.abuseat.org and
sbl-xbl.spamhaus.org and it helped a lot; I cannot use the DNSBL list dsbl.org
because of the profile of users using this server.

Besides that, my users don't want to receive anything from domains like
1-800eatshit.com whose MX records are not listed in any DNSBL list.
It's a temporary measure while we're deploying better filtering ways; for
the moment I'll receive your mails from 2000cn.com.au through the list :),
excuse me and thanks for your advice.

regards

__Abel.






Re: [toaster] qregex question

2006-02-08 Thread Abel Angel
On Wed, 8 Feb 2006, Alex Dean wrote:

> On Feb 8, 2006, at 8:01 AM, Shane Chrisp wrote:
>
> > @[0-9]\*.*
>
> This might be better : @[0-9].*
>
> I think \* means 'a literal *', because \ is an escape character.
> That's the way it is in some other regex implementations (Perl &
> PHP), anyway.


Indeed Alex, it works like you posted; and I can see that it's a really
greedy regexp; it matches things like [EMAIL PROTECTED],
@01-stay-in-paris-hotels.com and @0-8-15.zzn.com without escaping anything
more. Maybe I'll try to use anchors to refine this regexp.

Thanks for your tip

regards.

__Abel



Re: [toaster] qregex question

2006-02-08 Thread Alex Dean


On Feb 8, 2006, at 9:53 AM, Abel Angel wrote:

> On Wed, 8 Feb 2006, Alex Dean wrote:
>
> > On Feb 8, 2006, at 8:01 AM, Shane Chrisp wrote:
> >
> > > @[0-9]\*.*
> >
> > This might be better : @[0-9].*
>
> Indeed Alex, it works like you posted; and I can see that it's a really
> greedy regexp;


You should test to be sure, but you might only need '@[0-9]' (quotes  
are not part of regexp).  That means 'an @ followed by any digit',  
which seems to be what you're looking for.  Depending on the regexp  
engine, you can also write that as '@\d'.


The additional '.*' means 'match anything' (more or less), and I  
don't think that leaving it off will really change anything.


alex
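
The patterns discussed in this thread, run side by side over a few sender addresses. This is an added example, not part of any post above and not code from the qregex patch; it assumes the patch matches badmailfrom entries with POSIX regcomp()/regexec() using the flags shown, and the function names, the sample addresses and the last (anchored) pattern are hypothetical.

```c
#include <regex.h>
#include <stdio.h>

/* 1 if pattern matches anywhere in addr, 0 if not, -1 if it does not compile.
 * The regcomp() flags are an assumption about how qregex is built. */
int bmf_match(const char *pattern, const char *addr)
{
    regex_t re;
    int rc;
    if (regcomp(&re, pattern, REG_EXTENDED | REG_ICASE | REG_NOSUB) != 0)
        return -1;
    rc = regexec(&re, addr, 0, NULL, 0);
    regfree(&re);
    return rc == 0 ? 1 : 0;
}

/* Count how many of the n addresses a pattern would reject. */
int bmf_count(const char *pattern, const char *const *addrs, int n)
{
    int i, hits = 0;
    for (i = 0; i < n; i++)
        hits += (bmf_match(pattern, addrs[i]) == 1);
    return hits;
}

/* Constructed envelope senders: domains named in the thread plus made-up ones. */
static const char *const SAMPLES[] = {
    "promo@0-0.com",              /* digit-leading, domain from the thread */
    "win@10-million-hits.com",    /* digit-leading, domain from the thread */
    "x@0-8-15.zzn.com",           /* digit-leading, domain from the thread */
    "billing@4th-floor.example",  /* digit-leading but wanted mail (made up) */
    "user2006@mail.example",      /* digits in the local part only (made up) */
    "odd@7*star.example",         /* literal '*' after the digit (made up) */
};
#define NSAMPLES ((int)(sizeof SAMPLES / sizeof SAMPLES[0]))

int main(void)
{
    static const char *const pats[] = {
        "@[0-9]\\*.*",          /* original entry: '\*' demands a literal '*' */
        "@[0-9].*",             /* corrected entry from the thread */
        "@[0-9]",               /* shorter form, same result when unanchored */
        "@[0-9][^@]*\\.com$",   /* hypothetical anchored refinement */
    };
    for (int i = 0; i < 4; i++)
        printf("%-20s rejects %d of %d\n", pats[i],
               bmf_count(pats[i], SAMPLES, NSAMPLES), NSAMPLES);
    return 0;
}
```

Any digit-leading pattern also rejects wanted senders whose domain starts with a digit, so run a candidate entry over recent sender addresses from the mail log before putting it in badmailfrom.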





[toaster] chkuser

2006-02-08 Thread Dennis Erickson
Is there a way to close a connection after 3 or 4 invalid mailboxes are
reached on a single connection?  When spammers hit my production server
I see multiple emails in the log account that if they could be blocked
after 3 or 4 invalid addresses are reached.


Thanks

Dennis