Getting hammered by backscatter

2008-10-30 Thread Chris Arnold
We use zimbra OSS on SLES10 SP1. Zimbra has spamassassin built-in. At
the present time, my mailbox is filled with backscatter; getting
around 10 a minute since 4:30 today. I have postfix backscatter rules
in postfix of zimbra, http://www.postfix.org/BACKSCATTER_README.html#real
but still getting pounded. Here is the header from one such mail:


This message was created automatically by mail delivery software.

A message that you sent could not be delivered to one or more of its
recipients. This is a permanent error. The following address(es) failed:

 [EMAIL PROTECTED]
   SMTP error from remote mail server after RCPT TO:[EMAIL PROTECTED]:
   host relay1.tm.odessa.ua [195.66.204.50]: 511 sorry, no mailbox
here by that name (#5.1.1 - chkuser)


-- This is a copy of the message, including all the headers. --

Return-path: [EMAIL PROTECTED]
Received: from chello089074205165.chello.pl ([89.74.205.165])
by wifi-router.tm.odessa.ua with esmtp (Exim 4.69 (FreeBSD))
(envelope-from [EMAIL PROTECTED])
id 1KvJP6-000Eho-L0
for [EMAIL PROTECTED]; Thu, 30 Oct 2008 00:20:42 +0200
Message-ID: [EMAIL PROTECTED]
From: =?koi8-r?B?4c3X0s/Tycog4czT2c7Cwco=?= [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: =?koi8-r?B?5dfSz9DFytPLwdEgzsXExczRIMvB3sXT1NfB?=
Date: Wed, 29 Oct 2008 20:30:54 +
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary==_NextPart_000_0004_01C93A14.03BA381D
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2720.3000
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2727.1300

This is a multi-part message in MIME format.

--=_NextPart_000_0004_01C93A14.03BA381D
Content-Type: text/plain;
charset=koi8-r
Content-Transfer-Encoding: quoted-printable

Can someone please help me stop this? A while back, there was a thread  
that pointed to a website, backscatter.org or something like that,  
that we used that since the upgrade did a wonderful job. Anyone  
remember that web site?
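As an added illustration (my own code, not from the original post, Zimbra or Postfix), this is the logic behind the BACKSCATTER_README approach written out in Python: a bounce with the null envelope sender is only legitimate if the copy of the "original" message inside it shows that our own MTA handled it, either a "Received: ... by <our host>" line or a Message-ID in our domain. Postfix does this at the MTA with header_checks/body_checks patterns; this version exists so the check can be read and tried on a captured bounce. The hostnames and domains are hypothetical, and both bounce samples are constructed (the forged one is modelled on the bounce quoted above, with the addresses the archive redacted replaced by example.com placeholders).

```python
import re

# Identity of our own MTA.  Hypothetical values: substitute the hostnames your
# Postfix writes into Received: headers and the domains it uses in Message-IDs.
OUR_HOSTS = {"mail.example.com"}
OUR_MSGID_DOMAINS = {"example.com", "mail.example.com"}

COPY_MARKER = re.compile(r"copy of the message, including all the headers", re.I)


def unfold_headers(text):
    """Header block at the start of `text` as unfolded 'Name: value' strings;
    a blank line ends the block."""
    headers = []
    for line in text.splitlines():
        if not line.strip():
            break
        if line[:1] in " \t" and headers:          # folded continuation line
            headers[-1] += " " + line.strip()
        else:
            headers.append(line)
    return headers


def embedded_headers(bounce_text):
    """Headers of the original message as quoted inside the bounce body."""
    marker = COPY_MARKER.search(bounce_text)
    if not marker:
        return []
    rest = bounce_text[marker.end():]
    first = re.search(r"^[A-Za-z][\w-]*:", rest, re.M)   # first header line
    return unfold_headers(rest[first.start():]) if first else []


def is_null_sender_bounce(message_text):
    """Delivery status notifications use the null envelope sender, which the
    receiving MTA records as 'Return-Path: <>'."""
    for header in unfold_headers(message_text):
        name, _, value = header.partition(":")
        if name.lower() == "return-path" and value.strip() in ("<>", ""):
            return True
    return False


def classify_bounce(message_text):
    """'accept' if this is not a bounce, or if the quoted original proves our
    MTA handled it ('Received: ... by <our host>' or a Message-ID in our
    domain); otherwise 'reject': the bounced mail was forged in our name."""
    if not is_null_sender_bounce(message_text):
        return "accept"
    for header in embedded_headers(message_text):
        name, _, value = header.partition(":")
        name = name.lower()
        if name == "received":
            by = re.search(r"\bby\s+([\w.-]+)", value, re.I)
            if by and by.group(1).lower() in OUR_HOSTS:
                return "accept"
        elif name == "message-id":
            dom = re.search(r"@([\w.-]+)>?\s*$", value)
            if dom and dom.group(1).lower() in OUR_MSGID_DOMAINS:
                return "accept"
    return "reject"


# Constructed sample modelled on the bounce quoted above; addresses the archive
# redacted are replaced with example.com placeholders.
FORGED_BOUNCE = """\
Return-Path: <>
From: Mail Delivery System <Mailer-Daemon@wifi-router.tm.odessa.ua>
To: victim@example.com
Subject: Mail delivery failed: returning message to sender

    host relay1.tm.odessa.ua [195.66.204.50]: 511 sorry, no mailbox
here by that name (#5.1.1 - chkuser)

-- This is a copy of the message, including all the headers. --

Return-path: <victim@example.com>
Received: from chello089074205165.chello.pl ([89.74.205.165])
 by wifi-router.tm.odessa.ua with esmtp (Exim 4.69 (FreeBSD))
 (envelope-from <victim@example.com>)
 for someone@tm.odessa.ua; Thu, 30 Oct 2008 00:20:42 +0200
Message-ID: <constructed-id@chello.pl>
From: victim@example.com
"""

# Constructed counter-example: a bounce for mail our server really relayed.
GENUINE_BOUNCE = """\
Return-Path: <>
From: MAILER-DAEMON@mx.remote.example.net
To: alice@example.com
Subject: Undelivered Mail Returned to Sender

<bob@remote.example.net>: unknown user

-- This is a copy of the message, including all the headers. --

Received: from desktop.example.com ([192.0.2.10])
 by mail.example.com with esmtpsa (Postfix)
 for <bob@remote.example.net>; Thu, 30 Oct 2008 12:00:00 +0100
Message-ID: <20081030110000.1234@mail.example.com>
From: alice@example.com
"""

if __name__ == "__main__":
    print("forged :", classify_bounce(FORGED_BOUNCE))    # reject
    print("genuine:", classify_bounce(GENUINE_BOUNCE))   # accept
```

The forged sample is rejected because the only Received line was written by wifi-router.tm.odessa.ua and the Message-ID is in chello.pl, neither of which is ours; the genuine one is accepted because our own MTA appears in the "by" clause. Keep the accept criteria tight to what your MTA actually writes: a spammer who learns your hostname can forge a matching Received line, which is why the README's patterns also key on the exact format of your queue IDs and Message-IDs.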




Problems with the email address of our company

2008-10-30 Thread Marie Gabriele Licht
Hi there,

we have some problems with the email address of our company. When we
write emails to people with a [EMAIL PROTECTED] address, the receiver won't
get the email because it's in the spam folder.

GMX's support told us that they use SpamAssassin.

Can you help us? Can you verify that we are not spam but a serious company?
Or is it GMX's business to do so?

Thank you so much!

Marie Licht

__

Dipl.-Ing. (Geodäsie & Geoinformatik)
Maria Gabriele Licht

RSS - Remote Sensing Solutions GmbH
Munich office
Wörthstr. 49
81667 München
Tel.: +49 89 48954765
Fax:  +49 89 48954767

Managing director: Prof. Dr. Florian Siegert
Register court: Amtsgericht Potsdam
Commercial register: HRB 17931 P
VAT ID no.: DE 193162464

[EMAIL PROTECTED]
http://www.rssgmbh.de/
http://www.reality-maps.de/
__

News at RSS:

 NEW! 3D maps: Tegernseer and Schlierseer Berge in 3D and
Isarwinkel 3D
 Zugspitze 3D: the 2nd edition is available now
 July 2008: the double DVD König Ludwig II. - Schlösser in 3D is being
released as bilingual (English/German) single DVDs


-Disclaimer-

The information contained in this e-mail and any attachments (the message)
is intended for the addressee only and may contain confidential and/or
privileged information. If you have received the message by mistake please
delete it and notify the sender and do not copy or distribute it or disclose
its contents to anyone. Except in case of gross negligence or wilful
misconduct we accept no liability for any loss or damage caused by software
or e-mail viruses.

 



Re: Problems with the email address of our company

2008-10-30 Thread Matt Kettler
Greg Troxel wrote:
   we have some problems with the email-address of our company. When we 
   write emails to people with a [EMAIL PROTECTED] address, the receiver won't 
   get the email because it's in the spam folder.

   Gmx's support told us that they use spam assassin.

   Can you help us? Can you verify that we are no spam but a serious company?
   Or is it gmx's business to do so?

   Thank you so much!
   Marie Licht

 I will assume that you are finding substantially all mail filtered by
 gmx, and that the mail is similar to the one you sent to the list
 (rather than some sort of newsletter or advertising, which is an
 entirely different story).

 While it is gmx's responsibility to deal with what appears to be
 incorrect filtering, many people use spamassassin and whatever is
 happening at gmx is likely to happen elsewhere.

 You will almost certainly either need to study the documentation at
 http://spamassassin.apache.org/ or get help from someone who knows it in
 order to fully understand this message, but I hope it will make sense
 anyway.

 I ran your mail through spamassassin with the -t option, asking it to
 explain which tests fired and why, and the resulting scores.  Your basic
 problem is that rssgmbh is a domain name with 7 non-vowel characters in
 a row.  The following spamassassin rule detects domains with 7 or more
 non-vowel characters:

 header FROM_DOMAIN_NOVOWEL    From =~ /[EMAIL PROTECTED]/i
 describe FROM_DOMAIN_NOVOWEL  From: domain has series of non-vowel letters

   
Note: there's already a bugzilla open about the FPs on this rule:

https://issues.apache.org/SpamAssassin/show_bug.cgi?id=5736



Re: Spamassassin+amavis

2008-10-30 Thread SM

At 05:51 30-10-2008, Luis Hernán Otegui wrote:

Just to check, you know you should run an RBL check in Postfix BEFORE
it accepts the message, do you? This reduces dramatically the number of
messages your server has to scan. And improves the performance a lot.


You should not run RBL checks on outbound mail 
where the customer is relaying through your mail server.


Regards,
-sm 
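As an added example (not from SM's or Luis's message), this is what the two replies amount to in Postfix terms: the DNSBL rejection happens during the SMTP dialogue on the public port-25 listener, before anything is queued or handed to SpamAssassin, while customers relaying through the submission port get a restriction list that contains no DNSBL lookups at all. The list names are the ones Micah uses in the "Phishing rules?" thread below; the rest of the configuration (ports, TLS and SASL settings) is assumed.

```conf
# main.cf: restrictions for the public port-25 listener (MX traffic).
# Postfix walks the list in order and stops at the first permit/reject, so
# local and SASL-authenticated clients are let through before any DNSBL
# lookup, and reject_unauth_destination keeps the host from relaying for
# anyone else regardless of list results.  A listed client is rejected at
# RCPT TO, before DATA, so the message is never accepted or scanned.
smtpd_recipient_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_unauth_destination,
    reject_rbl_client zen.spamhaus.org,
    reject_rbl_client b.barracudacentral.org,
    permit

# master.cf: separate submission listener (port 587) for relaying customers.
# Its restriction lists contain no reject_rbl_client at all.  zen.spamhaus.org
# includes the PBL, which lists dynamic/residential ranges, so customers
# sending from home would otherwise be refused by their own provider.
submission inet n       -       n       -       -       smtpd
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
```

The "-o" overrides in master.cf must not contain whitespace around the commas. After editing, `postfix reload` and watch the mail log for "blocked using zen.spamhaus.org" lines on port 25 only; if they appear for authenticated sessions, the submission listener is not the one your customers are using.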



Re: Problems with the email address of our company

2008-10-30 Thread Joseph Brennan


Greg Troxel [EMAIL PROTECTED] wrote:


But even with gmx addressed separately, 4.2 points is a very high score,
and there is a large installed base.  So I would advise considering
registering rss-gmbh.de and using that instead, but doing your own
testing first.


Asking someone to change their domain name to match an SA rule seems
a bit extreme to me!  Why not propose that de establish a gmbh 2nd level
for companies, and make him rss.gmbh.de?

FROM_DOMAIN_NOVOWEL was logged for only 3 messages here yesterday, of
1.3 million logged as scoring 7.0 and higher.  All 3 were fps:

privatehealthmgmt.com
umdnj-secure.com  (twice)

(That second one had a long consonant string to the left of the @ sign.)


Joseph Brennan
Lead Email Systems Engineer
Columbia University Information Technology
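The rule text Matt Kettler quotes lost its regular expression in this archive, so as an added example (my own code, not the SpamAssassin rule) here is the behaviour the rule's description states, seven or more consecutive non-vowel letters in the From: address, run against rssgmbh.de and the two false positives Joseph Brennan lists above. Treating y as a vowel and scanning the whole addr-spec rather than only the domain are assumptions; the addresses other than the thread's domains are constructed.

```python
import re

# Seven or more consecutive letters that are not vowels.  Assumption: y counts
# as a vowel and the whole addr-spec is scanned, not just the domain; the
# stock rule's actual regex is not reproduced on this page.
NOVOWEL_RUN = re.compile(r"[b-df-hj-np-tv-xz]{7,}", re.I)


def addr_spec(from_header):
    """Strip an optional display name: 'Name <user@host>' -> 'user@host'."""
    m = re.search(r"<([^>]+)>", from_header)
    return (m.group(1) if m else from_header).strip()


def novowel_runs(from_header):
    """The consonant runs that would make the rule fire (empty if none)."""
    return NOVOWEL_RUN.findall(addr_spec(from_header))


def from_domain_novowel(from_header):
    """True when the rule, as described in the thread, fires on this header."""
    return bool(novowel_runs(from_header))


# Constructed From: headers: the thread's legitimate domains, one constructed
# local part, one ordinary address and one typical junk domain.
SAMPLES = [
    "Marie Licht <m.licht@rssgmbh.de>",   # the company from this thread
    "info@privatehealthmgmt.com",         # false positive reported above
    "user@umdnj-secure.com",              # the domain alone has no 7-run
    "ftpsrvrmgr@example.org",             # constructed: run is in the local part
    "alice@example.com",
    "promo@xjkqzwv-pharm.biz",
]


def report():
    """Map each sample to the runs that trigger the rule."""
    return {s: novowel_runs(s) for s in SAMPLES}


if __name__ == "__main__":
    for sample, runs in report().items():
        print("%-36s %s" % (sample, runs or "-"))
```

rssgmbh.de and privatehealthmgmt.com fire on "rssgmbh" and "lthmgmt"; umdnj-secure.com does not fire on the domain, only when the local part supplies the run, which matches what Joseph Brennan observes. In this reimplementation a hyphen breaks the run, so rss-gmbh.de would pass; whether the stock regex behaves the same is exactly what Greg's "doing your own testing first" is about. On the receiving side the usual stop-gap until the rule is fixed upstream is a lower score in local.cf (`score FROM_DOMAIN_NOVOWEL 0.1`).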




Re: Problems with the email address of our company

2008-10-30 Thread Greg Troxel

  Asking someone to change their domain name to match an SA rule seems
  a bit extreme to me!  Why not propose that de establish a gmbh 2nd level
  for companies, and make him rss.gmbh.de?

  FROM_DOMAIN_NOVOWEL was logged for only 3 messages here yesterday, of
  1.3 million logged as scoring 7.0 and higher.  All 3 were fps:

  privatehealthmgmt.com
  umdnj-secure.com  (twice)

  (That second one had a long consonant string to the left of the @ sign.)

It is perhaps extreme, but even if the rule is fixed not to FP, I
suspect (but have no data) there will be lingering trouble from older
installations.  From the business point of view one has to weigh the
cost of FPs and the cost of changing the name.  I would probably change
names, since it really isn't that hard.





Re: Getting hammered by backscatter

2008-10-30 Thread Karl Pearson

On Wed, 29 Oct 2008, Chris Arnold wrote:

We use zimbra OSS on SLES10 SP1. Zimbra has spamassassin built-in. At the 
present time, my mailbox is filled with backscatter; getting around 10 a 
minute since 4:30 today. I have postfix backscatter rules in postfix of 
zimbra, http://www.postfix.org/BACKSCATTER_README.html#real but still getting 
pounded. Here is the header from one such mail:


This message was created automatically by mail delivery software.

A message that you sent could not be delivered to one or more of its
recipients. This is a permanent error. The following address(es) failed:

[EMAIL PROTECTED]
 SMTP error from remote mail server after RCPT TO:[EMAIL PROTECTED]:
 host relay1.tm.odessa.ua [195.66.204.50]: 511 sorry, no mailbox here by 
that name (#5.1.1 - chkuser)


Your domain was used as the spoofed 'from' address, so it's technically 
not backscatter, but rather bounced email sent to an invalid address. 
Since you are the spoofed 'from' address, you are the lucky recipient of 
all their bad email addresses. In other words, the spammer got sold a bad 
list of email addresses. Too bad for them, worse for you. You could use an 
iptables rule (if you are *nix) that would block that domain for a time:


iptables -I INPUT -s 89.74.205.165 -j DROP

but with all the different domains the bounces are probably coming from, 
that might be much too tedious to get all of them, unless they targeted 
just chello.pl accounts...





-- This is a copy of the message, including all the headers. --

Return-path: [EMAIL PROTECTED]
Received: from chello089074205165.chello.pl ([89.74.205.165])
by wifi-router.tm.odessa.ua with esmtp (Exim 4.69 (FreeBSD))
(envelope-from [EMAIL PROTECTED])
id 1KvJP6-000Eho-L0
for [EMAIL PROTECTED]; Thu, 30 Oct 2008 00:20:42 +0200
Message-ID: [EMAIL PROTECTED]
From: =?koi8-r?B?4c3X0s/Tycog4czT2c7Cwco=?= [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: =?koi8-r?B?5dfSz9DFytPLwdEgzsXExczRIMvB3sXT1NfB?=
Date: Wed, 29 Oct 2008 20:30:54 +
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary==_NextPart_000_0004_01C93A14.03BA381D
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2720.3000
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2727.1300

This is a multi-part message in MIME format.

--=_NextPart_000_0004_01C93A14.03BA381D
Content-Type: text/plain;
charset=koi8-r
Content-Transfer-Encoding: quoted-printable

Can someone please help me stop this? A while back, there was a thread that 
pointed to a website, backscatter.org or something like that, that we used 
that since the upgrade did a wonderful job. Anyone remember that web site?




---
  _/  _/  _/  _/_/_/      __o
 _/ _/   _/  _/_/   _-\\._
_/_/_/  _/_/_/ (_)/ (_)
   _/ _/   _/  _/   ..
  _/   _/ arl _/_/_/  _/ earson[EMAIL PROTECTED]
---
http://consulting.ourldsfamily.com
---
Our Constitution was made only for a moral and religious people.
 It is wholly inadequate to the government of any other.
 --John Quincy Adams
---
To mess up your Linux PC, you have to really work at it;
 to mess up a microsoft PC you just have to work on it.
---


Re: Getting hammered by backscatter

2008-10-30 Thread Martin Gregorie
On Thu, 2008-10-30 at 10:28 -0600, Karl Pearson wrote:
 On Wed, 29 Oct 2008, Chris Arnold wrote:
 
  We use zimbra OSS on SLES10 SP1. Zimbra has spamassassin built-in. At the 
  present time, my mailbox is filled with backscatter; getting around 10 a 
  minute since 4:30 today. I have postfix backscatter rules in postfix of 
  zimbra, http://www.postfix.org/BACKSCATTER_README.html#real but still
  getting pounded. Here is the header from one such mail:
 
Have you set up SPF records for your domain?

SPF records let the sites bouncing the spam discover that the sender has
been forged by the spammer. SPF can't eliminate all backscatter, but
should at least reduce the size of the barrage.

http://www.openspf.org/ describes SPF and has a tool for creating an SPF
record.

http://www.kitterman.com/spf/validate.html provides additional tools for
testing SPF records.


Martin
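As an added example (my own code, not from Martin's message or from openspf.org), here is the core of what an SPF check does at the site that would otherwise bounce the spam, written in Python with no DNS: the record for the forged sender domain is a constructed one, the client IP is the chello.pl address from the bounce quoted above, and a "-all" record turns the forged envelope sender into a "fail" that the remote MTA can reject during SMTP instead of accepting and bouncing. Only ip4, ip6 and all are implemented; a, mx, include, exists, ptr and redirect= need lookups and are refused, so this is not a complete RFC 7208 evaluator.

```python
import ipaddress

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(record, client_ip):
    """Evaluate an SPF TXT record against the IP that delivered the mail.

    Offline subset of RFC 7208: ip4, ip6 and all are evaluated, modifiers such
    as exp= are ignored, and a, mx, include, exists, ptr and redirect= raise
    NotImplementedError because they need DNS.  Returns one of
    pass / fail / softfail / neutral / none / permerror.
    """
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"                          # not an SPF record at all
    ip = ipaddress.ip_address(client_ip)
    for term in terms[1:]:
        if "=" in term.split(":", 1)[0]:       # modifier (name=value), not a mechanism
            if term.lower().startswith("redirect="):
                raise NotImplementedError(term + " needs a DNS lookup")
            continue
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech == "all":
            return QUALIFIERS[qualifier]
        if mech in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"             # malformed address in the record
            if ip.version == net.version and ip in net:
                return QUALIFIERS[qualifier]
            continue
        if mech in ("a", "mx", "include", "exists", "ptr"):
            raise NotImplementedError(term + " needs a DNS lookup")
        return "permerror"                     # unknown mechanism
    return "neutral"                           # no match and no 'all' term


def bouncing_mta_decision(record, client_ip):
    """What the remote MTA that later bounced the message could do at RCPT TO
    time if the forged domain publishes SPF: reject on 'fail', so no bounce is
    ever generated toward the forged sender."""
    return "reject-at-smtp" if check_spf(record, client_ip) == "fail" else "accept"


# Constructed record for the forged sender domain: only 203.0.113.0/28 may send.
FORGED_DOMAIN_SPF = "v=spf1 ip4:203.0.113.0/28 -all"
SPAMMER_IP = "89.74.205.165"        # the chello.pl host from the bounce above
OUR_MX_IP = "203.0.113.5"           # constructed: one of our own senders

if __name__ == "__main__":
    print(check_spf(FORGED_DOMAIN_SPF, SPAMMER_IP))                 # fail
    print(check_spf(FORGED_DOMAIN_SPF, OUR_MX_IP))                  # pass
    print(bouncing_mta_decision(FORGED_DOMAIN_SPF, SPAMMER_IP))     # reject-at-smtp
```

The reduction Martin describes depends on the receiving side actually checking SPF and rejecting on "fail" during the SMTP session; a site that evaluates SPF only after accepting the message will still bounce, and a "~all" record only yields "softfail", which most sites do not reject on. Publish "-all" only once every legitimate sender of your domain (web forms, hosted newsletters, roaming users on submission) is covered by the record.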




Phishing rules?

2008-10-30 Thread Micah Anderson

I keep getting hit by phishing attacks, and they aren't being stopped by
anything I've thrown up in front of them:

postfix is doing:
reject_rbl_client   b.barracudacentral.org,
reject_rbl_client   zen.spamhaus.org,
reject_rbl_client   list.dsbl.org,

I've got clamav pulling signatures updated once a day from sanesecurity
(phishing, spam, junk, rogue), SecuriteInfo (honeynet, vx,
securesiteinfo) and Malware Black List, MSRBL (images, spam).

I've got spamassassin 3.2.5 with URIBL plugin loaded (which I understand
pulls in the 25_uribl.cf automatically, right? Or do I need to configure
that? if it's automatic, that pulls in SURBL phishing). I've got Botnet
setup, PDFinfo and postcards, I'm using DCC and a bayesdb, I've got the
hashcash, and SPF plugins loaded, imageinfo, pretty much everything I
can think of... but for some reason phishing attempts keep getting
through.

Sadly, I do not have an example I can share at the moment, as I
typically delete them in a rage after training my bayes filter on
them. However, I am looking for any suggestions of other things I can
turn on... in particular, are there rules that people have created that
look for certain keywords where the body is asking for your
account/password information?

Thanks for any ideas,
micah
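As an added example answering the question about keyword rules (my own rules, not from this thread or from the SpamAssassin project), here is a local.cf fragment in SpamAssassin 3.2 syntax that scores the three things a credential phish usually combines: a request to confirm or verify account details, a deadline or threat of suspension, and a link to a login-style form. The LOCAL_ rule names are mine; URIBL_PH_SURBL is assumed to be the stock SURBL phishing-list rule from 25_uribl.cf that Micah mentions loading.

```conf
# Constructed local.cf additions (example code, not stock SpamAssassin rules).
# Rule names beginning LOCAL_ are my own; URIBL_PH_SURBL is assumed to be the
# stock SURBL phishing rule from 25_uribl.cf, loaded as Micah describes.

# The text asks the reader to confirm/verify/update a credential.
body     LOCAL_PHISH_CREDS   /\b(?:confirm|verify|validate|update|re-?enter)\b.{0,60}\b(?:account|password|passphrase|login|user ?name|PIN)\b/i
describe LOCAL_PHISH_CREDS   Asks to confirm or verify account credentials
score    LOCAL_PHISH_CREDS   1.0

# Artificial urgency or a threat of account suspension.
body     LOCAL_PHISH_URGENT  /\b(?:within\s+(?:24|48|72)\s+hours|will\s+be\s+(?:suspended|deactivated|closed|terminated|locked)|immediate(?:ly)?\s+(?:action|attention))\b/i
describe LOCAL_PHISH_URGENT  Threatens suspension or demands immediate action
score    LOCAL_PHISH_URGENT  0.5

# A link whose path looks like a login or verification form.
uri      LOCAL_PHISH_URI     /\/(?:login|signin|verify|update|secure|confirm)[\w\/.-]*\.(?:php|asp|aspx|cgi|htm|html)\b/i
describe LOCAL_PHISH_URI     URL path looks like a login or verification form
score    LOCAL_PHISH_URI     0.5

# Only the combination scores enough to matter; each piece alone is common in
# legitimate mail (password-reset notices, billing reminders).
meta     LOCAL_PHISH_COMBO   (LOCAL_PHISH_CREDS && LOCAL_PHISH_URGENT && (LOCAL_PHISH_URI || URIBL_PH_SURBL))
describe LOCAL_PHISH_COMBO   Credential request, urgency and a phish-style URL
score    LOCAL_PHISH_COMBO   3.0
```

Check the syntax with `spamassassin --lint`, then run a kept sample through `spamassassin -t < sample.eml` and look for the LOCAL_PHISH_ names in the report; the same report is the quickest way to confirm the URIBL_ rules are firing, which Karsten suggests further down. These are keyword rules and will match genuine password-reset mail, which is why the individual scores stay low and the weight sits on the meta; the hashes from SaneSecurity and the URIBL lookups remain the better detectors, so verify those first.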



Re: Phishing rules?

2008-10-30 Thread Randy

Micah Anderson wrote:

I keep getting hit by phishing attacks, and they aren't being stopped by
anything I've thrown up in front of them:

postfix is doing:
reject_rbl_client   b.barracudacentral.org,
reject_rbl_client   zen.spamhaus.org,
reject_rbl_client   list.dsbl.org,

I've got clamav pulling signatures updated once a day from sanesecurity
(phishing, spam, junk, rogue), SecuriteInfo (honeynet, vx,
securesiteinfo) and Malware Black List, MSRBL (images, spam).

I've got spamassassin 3.2.5 with URIBL plugin loaded (which I understand
pulls in the 25_uribl.cf automatically, right? Or do I need to configure
that? if it's automatic, that pulls in SURBL phishing). I've got Botnet
setup, PDFinfo and postcards, I'm using DCC and a bayesdb, I've got the
hashcash, and SPF plugins loaded, imageinfo, pretty much everything I
can think of... but for some reason phishing attempts keep getting
through.

Sadly, I do not have an example I can share at the moment, as I
typically delete them in a rage after training my bayes filter on
them. However, I am looking for any suggestions of other things I can
turn on... in particular, are there rules that people have created that
look for certain keywords where the body is asking for your
account/password information?

Thanks for any ideas,
micah

  
Report these and maybe they will add something that catches them. If one 
wanted to, they could get any mail they want through your filters if they 
are good and don't use things that trigger the rules.


Re: Phishing rules?

2008-10-30 Thread Bill Landry
Micah Anderson wrote:
 I keep getting hit by phishing attacks, and they aren't being stopped by
 anything I've thrown up in front of them:
 
 postfix is doing:
   reject_rbl_client   b.barracudacentral.org,
   reject_rbl_client   zen.spamhaus.org,
   reject_rbl_client   list.dsbl.org,
 
 I've got clamav pulling signatures updated once a day from sanesecurity
 (phishing, spam, junk, rogue), SecuriteInfo (honeynet, vx,
 securesiteinfo) and Malware Black List, MSRBL (images, spam).
 
 I've got spamassassin 3.2.5 with URIBL plugin loaded (which I understand
 pulls in the 25_uribl.cf automatically, right? Or do I need to configure
 that? if it's automatic, that pulls in SURBL phishing). I've got Botnet
 setup, PDFinfo and postcards, I'm using DCC and a bayesdb, I've got the
 hashcash, and SPF plugins loaded, imageinfo, pretty much everything I
 can think of... but for some reason phishing attempts keep getting
 through.
 
 Sadly, I do not have an example I can share at the moment, as I
 typically delete them in a rage after training my bayes filter on
 them. However, I am looking for any suggestions of other things I can
 turn on... in particular, are there rules that people have created that
 look for certain keywords where the body is asking for your
 account/password information?
 
 Thanks for any ideas,
 micah
 
Consider submitting them to SaneSecurity (www.sanesecurity.com) so that
the signatures can be added to their phishing signature database.

Bill


Re: Phishing rules?

2008-10-30 Thread Karsten Bräckelmann
On Thu, 2008-10-30 at 15:56 -0400, Micah Anderson wrote:
 I keep getting hit by phishing attacks, and they aren't being stopped by
 anything I've thrown up in front of them:
 
 postfix is doing:
   reject_rbl_client   b.barracudacentral.org,
   reject_rbl_client   zen.spamhaus.org,
   reject_rbl_client   list.dsbl.org,
 
 I've got clamav pulling signatures updated once a day from sanesecurity
 (phishing, spam, junk, rogue), SecuriteInfo (honeynet, vx,
 securesiteinfo) and Malware Black List, MSRBL (images, spam).

I'd increase this, at least for the SaneSecurity phish sigs. They are
being updated much more frequently.


 I've got spamassassin 3.2.5 with URIBL plugin loaded (which I understand
 pulls in the 25_uribl.cf automatically, right? Or do I need to configure

Yes, unless you disable network tests in general. Should be easy to
answer yourself if they are working, just by grepping for the rule names
defined in 25_uribl.cf.


 that? if it's automatic, that pulls in SURBL phishing). I've got Botnet
 setup, PDFinfo and postcards, I'm using DCC and a bayesdb, I've got the
 hashcash, and SPF plugins loaded, imageinfo, pretty much everything I
 can think of... but for some reason phishing attempts keep getting
 through.
 
 Sadly, I do not have an example I can share at the moment, as I
 typically delete them in a rage after training my bayes filter on
 them. However, I am looking for any suggestions of other things I can
 turn on... in particular, are there rules that people have created that
 look for certain keywords where the body is asking for your
 account/password information?

So you've pretty much thrown everything at it you could find... ;)  And
they are still slipping through? How many are we talking here? Compared
to the total number of spam / phish?

Also, how many are being caught? Strikes me as odd that you don't have a
sample but yet sound like every single one is slipping by.

I guess, I would start verifying that all the above actually is working.
Most notably the SaneSecurity phish sigs. ClamAV should catch the lion's
share, by far, assuming it comes before SA in your chain.

  guenther


-- 
char *t=[EMAIL PROTECTED];
main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;il;i++){ i%8? c=1:
(c=*++x); c128  (s+=h); if (!(h=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}



Re: Phishing rules?

2008-10-30 Thread Kelson

Micah Anderson wrote:

reject_rbl_client   list.dsbl.org,


DSBL has shut down, and you should remove the query from your list.  It 
won't help with the phishing, but it'll free up some network resources. 
 Info: http://dsbl.org/node/3



I've got clamav pulling signatures updated once a day from sanesecurity
(phishing, spam, junk, rogue), SecuriteInfo (honeynet, vx,
securesiteinfo) and Malware Black List, MSRBL (images, spam).


Odd, ClamAV + SaneSecurity does a really good job here at blocking phish 
before they even get to SpamAssassin.  We call clamd through MIMEDefang, 
then call SpamAssassin (also through MimeDefang) if a message passes.


Have you verified that Clam is using the SaneSecurity signatures?  How 
are you calling ClamAV?


--
Kelson Vibber
SpeedGate Communications www.speed.net


Re: Phishing rules?

2008-10-30 Thread Joseph Brennan


Micah Anderson [EMAIL PROTECTED] wrote:


I keep getting hit by phishing attacks, and they aren't being stopped by
anything I've thrown up in front of them:




Do you mean attempts to get your users to send their passwords,
or fake mail pretending to be from banks?

Joseph Brennan
Lead Email Systems Engineer
Columbia University Information Technology