Re: Earthlink emails
On Fri, 2006-09-29 at 11:20 -0400, Michel Vaillancourt wrote:
> Ramprasad wrote:
>> On Fri, 2006-09-29 at 08:12 -0400, Michel Vaillancourt wrote:
>>> Ramprasad wrote:
>>>> Why not SPF ??
>>>
>>> Over two thirds of the email I receive that is UCE/Spam has an SPF_PASS associated with it from SA. All SPF seems to do is make the stupid spammers look more stupid. The clever ones aren't affected.
>>
>> I have a script that automatically blocks SPF-pass domains sending spam consistently. You could make good use of the SPF_PASS too.
>
> Care to share? This would be very handy.

This is a perl script, a part of a larger module. And not exactly worth sharing. But the idea is very simple:

* cronscript on each machine parses the logs for SPF_PASS mails with SA score above 15 and puts the messages' log lines in a file in http area
* The rbldns server wgets all files from different servers and finds the top sender domains who send spam
* Delete all whitelisted domains from the list and those domains who are also sending a lot of ham to correct ids ( I get this from a mysql db query to my reports db )
* Put the remaining into the rbldns blacklist and restart the rbldns server for postfix to use these

>>>> What is the point accepting the mail and the entire data and then scanning for DK when It should have ideally been rejected after mail from:
>>>
>>> That would be the exact point of DK at the Postfix/ MTA level.
>>
>> How. All the while I thought dkfilter helps me block after dataend ? Do I have to RTFM again ?
>
> My mistake.. this one runs as a content filter. The same author is working on a DKIM Proxy that would be your first point-of-contact and handle the mail from intercept. I got confused.

>>>> So I let SA do the testing .. which catches the spams but eats resources of my servers. When you receive 3-5 million mails a day you tend to bother more about resources
>>>
>>> I would humbly submit to you that if you move that much traffic, you should be able to justify one more MX machine in the pool and implementing DK.
>>
>> We have 8 dual xeons already for this much traffic. And servers are always loaded with all kinds of tests enabled in SA
>
> I'm curious... what is the RAM/ MHz spec of your machines? 5M mail/day is 7 mail per second per machine... at a median 8 seconds mail handle time, that is 57 mail in the pipes at any one time... 50Mb for SA or anti-virus per message works to about 3Gb of RAM in use. I can see your concern. However, again, I'd say that even two more machines in the pool would bring that down to ~2GB of RAM in use per machine, and that should give you the cycles and memory to run SPF queries as well as DK filters.

4GB Ram , 3GHz x 2 xeon with HT

But I think you too would know mail never comes uniformly at 7/s. There are peak times when my mailservers touch 43k/hour while in the nights they may be sleeping with the rest of us. And at peak times the mail delay starts killing us. ( That's exactly when I start sending 450 to bad domains )

> I do understand the notion your boss might not be willing to put another $5K down to deal with the problem. However, as anyone can attest to, good customer service costs money to provide.
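The four-step procedure described in the message above, as an added Python example (this is not the poster's Perl script). The log line format, the `MIN_SPAM_HITS` and `MAX_HAM_RATIO` thresholds and the sample domains are assumptions; only the score threshold of 15 comes from the post, and `HAM_COUNTS` stands in for the MySQL reports query.

```python
import re
from collections import Counter

SPAM_SCORE = 15.0     # from the post: SPF_PASS mail with SA score above 15
MIN_SPAM_HITS = 3     # assumption: how many hits count as "consistently"
MAX_HAM_RATIO = 0.2   # assumption: ham share above this spares the domain

# Constructed log format (assumption); the post does not show the real one.
LOG_RE = re.compile(
    r"from=<[^@>]*@(?P<domain>[^>]+)>\s+"
    r"score=(?P<score>-?\d+(?:\.\d+)?)\s+tests=(?P<tests>\S*)"
)

def spf_pass_spam_domains(lines):
    """Step 1, per MX: count sender domains of high-scoring SPF_PASS mail."""
    hits = Counter()
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue  # not a scan-result line
        tests = m.group("tests").split(",")
        if "SPF_PASS" in tests and float(m.group("score")) > SPAM_SCORE:
            hits[m.group("domain").lower().rstrip(".")] += 1
    return hits

def build_blocklist(per_server_logs, whitelist, ham_counts):
    """Steps 2-4, central: merge the per-server counts, drop whitelisted and
    ham-heavy domains, return the domains to load into the DNS blacklist."""
    total = Counter()
    for lines in per_server_logs:
        total.update(spf_pass_spam_domains(lines))
    blocked = []
    for domain, spam in total.most_common():
        if spam < MIN_SPAM_HITS or domain in whitelist:
            continue
        ham = ham_counts.get(domain, 0)
        if ham / (ham + spam) > MAX_HAM_RATIO:
            continue  # also sends plenty of legitimate mail: leave it alone
        blocked.append(domain)
    return sorted(blocked)

# Constructed sample data for two MX hosts.
MX1_LOG = [
    "Sep 29 11:20:01 mx1 from=<a1@bulk-offers.example> score=22.4 tests=BAYES_99,SPF_PASS,URIBL_BLACK",
    "Sep 29 11:20:07 mx1 from=<a2@bulk-offers.example> score=18.0 tests=SPF_PASS,BAYES_99",
    "Sep 29 11:21:12 mx1 from=<news@newsletter.example> score=16.2 tests=SPF_PASS,HTML_MESSAGE",
    "Sep 29 11:21:30 mx1 from=<x@forged.example> score=25.1 tests=SPF_FAIL,BAYES_99",
    "Sep 29 11:22:02 mx1 from=<bob@lowscore.example> score=6.3 tests=SPF_PASS",
    "Sep 29 11:22:40 mx1 from=<p@partner.example> score=15.5 tests=SPF_PASS,BAYES_80",
]
MX2_LOG = [
    "Sep 29 11:20:03 mx2 from=<a3@bulk-offers.example> score=30.2 tests=SPF_PASS,BAYES_99",
    "Sep 29 11:20:09 mx2 from=<a4@Bulk-Offers.example> score=19.9 tests=SPF_PASS",
    "Sep 29 11:23:00 mx2 from=<news@newsletter.example> score=16.0 tests=SPF_PASS",
    "Sep 29 11:23:05 mx2 from=<news@newsletter.example> score=17.5 tests=SPF_PASS",
    "Sep 29 11:24:10 mx2 from=<p@partner.example> score=16.1 tests=SPF_PASS",
    "Sep 29 11:24:15 mx2 from=<q@partner.example> score=20.0 tests=SPF_PASS",
    "Sep 29 11:25:00 mx2 from=<z@oneoff.example> score=21.0 tests=SPF_PASS",
]
WHITELIST = {"partner.example"}
HAM_COUNTS = {"newsletter.example": 50}  # stand-in for the reports DB query

if __name__ == "__main__":
    for domain in build_blocklist([MX1_LOG, MX2_LOG], WHITELIST, HAM_COUNTS):
        print(domain)
```
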
Re: Earthlink emails
On Thu, 2006-09-28 at 19:11 -0700, jdow wrote:
> From: Ramprasad [EMAIL PROTECTED]
>> On Tue, 2006-09-26 at 21:28 -0700, jdow wrote:
>>> Before you blame Earthlink note that it has NOT gone through Earthlink servers. relay2.corp.good-sam.com is the receiving email server. It's a forged email, at a guess. (It also has mangled headers. Newlines are missing. MAYBE it would do better if you sent it plain text. HTML tends to mangle things.
>>> {^_^}
>>
>> Nobody would blame earthlink for the mail , But Most of the spams to my clients come from earthlink.net.( sometimes as high as 20% of spams Yahoo comes in next with ~10% )
>
> How do you determine this? Is it by a legitimate domain keys tested Earthlink SMTP or does it simply say it came from Earthlink? I see a lot of mail that SAYS it came from Earthlink. But there is not a single Earthlink name in any of the Received headers. It's forged.

I am going by envelope from only. Obviously can be forged

>> I have written to them several times that their domain is being forged heavily by spammers but they refuse to take any action
>
> Explain how they can take any action? How can Earthlink stop it? They do sue in particularly blatant cases. But if it's some other ISP with a user forging Earthlink names what on Earth do you expect Earthlink to do?
>
>> Apparently they have removed SPF records after publishing them once. That's a stupid idea IMHO. Today I am forced to TEMP FAIL earthlink ids whenever there is a spam attack on my servers
>
> They went to domain keys. It seems to be better for the Earthlink situation.
> {^_^}

Why not SPF ?? DK is a resource HOG. And I can't do that easily in postfix ,( I know you will point to dk-milter ) What is the point accepting the mail and the entire data and then scanning for DK when It should have ideally been rejected after mail from:

So I let SA do the testing .. which catches the spams but eats resources of my servers. When you receive 3-5 million mails a day you tend to bother more about resources

Thanks
Ram
Re: Earthlink emails
On Thu, 2006-09-28 at 11:05 -0700, Loren Wilton wrote:
>> Apparently they have removed SPF records after publishing them once. That's a stupid idea IMHO. Today I am forced to TEMP FAIL earthlink ids whenever there is a spam attack on my servers
>
> SPF can be a pain for a number of reasons that have been discussed endlessly. I suspect Dirtlink found them to be effectively useless. Why not try using domainkeys instead?
>
> DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=dk20050327; d=earthlink.net; b=FB4IOaniCvpDwkx5cYm2jFWe8LB9zRfxL9FHzbhv1JHyGSVrA0o4mttb3jjbU4C3; h=Message-ID:Date:From:Reply-To:To:Subject:Cc:Mime-Version:Content-Type:Content-Transfer-Encoding:X-Mailer:X-ELNK-Trace:X-Originating-IP;
>
> Loren

Darn, I don't want to again get into SPF debates. Assume I am using domain keys and catching all spams forged from earthlink , still I am scanning the mails. Anyway that is already happening today. SA is catching spams from earthlink( forged ?) but when you scan a huge number of mails you would like to be able to reject forged mails straight after mail from:. That is what SPF lets you do and that works.

No wonder a lot of spammers have stopped forging hotmail or msn because most of those mails don't even get thru the MTA. And a majority of the forged spams I still get is from earthlink or yahoo.

Thanks
Ram
Re: Earthlink emails
Ramprasad wrote:
> Why not SPF ??

Over two thirds of the email I receive that is UCE/Spam has an SPF_PASS associated with it from SA. All SPF seems to do is make the stupid spammers look more stupid. The clever ones aren't affected.

> DK is a resource HOG. And I can't do that easily in postfix ,( I know you will point to dk-milter )

http://jason.long.name/dkfilter/ ... Postfix specific implementation using the Sourceforge/ OpenSource adaptation of the DK standards.

> What is the point accepting the mail and the entire data and then scanning for DK when It should have ideally been rejected after mail from:

That would be the exact point of DK at the Postfix/ MTA level.

> So I let SA do the testing .. which catches the spams but eats resources of my servers. When you receive 3-5 million mails a day you tend to bother more about resources

I would humbly submit to you that if you move that much traffic, you should be able to justify one more MX machine in the pool and implementing DK.

> Thanks
> Ram

Another point here is that SPF and DK are NOT mutually exclusive technologies. If a thirty-customer/ 10k message-a-day shop like me can implement both, I am sure that a Big Shop like yours can.

--
--Michel Vaillancourt
Wolfstar Systems
www.wolfstar.ca
Re: Earthlink emails
On Fri, 2006-09-29 at 08:12 -0400, Michel Vaillancourt wrote:
> Ramprasad wrote:
>> Why not SPF ??
>
> Over two thirds of the email I receive that is UCE/Spam has an SPF_PASS associated with it from SA. All SPF seems to do is make the stupid spammers look more stupid. The clever ones aren't affected.

I have a script that automatically blocks SPF-pass domains sending spam consistently. You could make good use of the SPF_PASS too.

>> DK is a resource HOG. And I can't do that easily in postfix ,( I know you will point to dk-milter )
>
> http://jason.long.name/dkfilter/ ... Postfix specific implementation using the Sourceforge/ OpenSource adaptation of the DK standards.
>
>> What is the point accepting the mail and the entire data and then scanning for DK when It should have ideally been rejected after mail from:
>
> That would be the exact point of DK at the Postfix/ MTA level.

How. All the while I thought dkfilter helps me block after dataend ? Do I have to RTFM again ?

>> So I let SA do the testing .. which catches the spams but eats resources of my servers. When you receive 3-5 million mails a day you tend to bother more about resources
>
> I would humbly submit to you that if you move that much traffic, you should be able to justify one more MX machine in the pool and implementing DK.

We have 8 dual xeons already for this much traffic. And servers are always loaded with all kinds of tests enabled in SA

>> Thanks
>> Ram
>
> Another point here is that SPF and DK are NOT mutually exclusive technologies. If a thirty-customer/ 10k message-a-day shop like me can implement both, I am sure that a Big Shop like yours can.
Re: Earthlink emails
Ramprasad wrote:
> On Fri, 2006-09-29 at 08:12 -0400, Michel Vaillancourt wrote:
>> Ramprasad wrote:
>>> Why not SPF ??
>>
>> Over two thirds of the email I receive that is UCE/Spam has an SPF_PASS associated with it from SA. All SPF seems to do is make the stupid spammers look more stupid. The clever ones aren't affected.
>
> I have a script that automatically blocks SPF-pass domains sending spam consistently. You could make good use of the SPF_PASS too.

Care to share? This would be very handy.

>>> What is the point accepting the mail and the entire data and then scanning for DK when It should have ideally been rejected after mail from:
>>
>> That would be the exact point of DK at the Postfix/ MTA level.
>
> How. All the while I thought dkfilter helps me block after dataend ? Do I have to RTFM again ?

My mistake.. this one runs as a content filter. The same author is working on a DKIM Proxy that would be your first point-of-contact and handle the mail from intercept. I got confused.

>>> So I let SA do the testing .. which catches the spams but eats resources of my servers. When you receive 3-5 million mails a day you tend to bother more about resources
>>
>> I would humbly submit to you that if you move that much traffic, you should be able to justify one more MX machine in the pool and implementing DK.
>
> We have 8 dual xeons already for this much traffic. And servers are always loaded with all kinds of tests enabled in SA

I'm curious... what is the RAM/ MHz spec of your machines? 5M mail/day is 7 mail per second per machine... at a median 8 seconds mail handle time, that is 57 mail in the pipes at any one time... 50Mb for SA or anti-virus per message works to about 3Gb of RAM in use. I can see your concern. However, again, I'd say that even two more machines in the pool would bring that down to ~2GB of RAM in use per machine, and that should give you the cycles and memory to run SPF queries as well as DK filters.

I do understand the notion your boss might not be willing to put another $5K down to deal with the problem. However, as anyone can attest to, good customer service costs money to provide.

--
--Michel Vaillancourt
Wolfstar Systems
www.wolfstar.ca
Re: Earthlink emails
> On Thu, 2006-09-28 at 11:05 -0700, Loren Wilton wrote:
>>> Apparently they have removed SPF records after publishing them once. That's a stupid idea IMHO. Today I am forced to TEMP FAIL earthlink ids whenever there is a spam attack on my servers
>>
>> SPF can be a pain for a number of reasons that have been discussed endlessly. I suspect Dirtlink found them to be effectively useless. Why not try using domainkeys instead?
>>
>> DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=dk20050327; d=earthlink.net; b=FB4IOaniCvpDwkx5cYm2jFWe8LB9zRfxL9FHzbhv1JHyGSVrA0o4mttb3jjbU4C3; h=Message-ID:Date:From:Reply-To:To:Subject:Cc:Mime-Version:Content-Type:Content-Transfer-Encoding:X-Mailer:X-ELNK-Trace:X-Originating-IP;
>>
>> Loren
>
> Darn, I don't want to again get into SPF debates. Assume I am using domain keys and catching all spams forged from earthlink , still I am scanning the mails. Anyway that is already happening today. SA is catching spams from earthlink( forged ?) but when you scan a huge number of mails you would like to be able to reject forged mails straight after mail from:. That is what SPF lets you do and that works.
>
> No wonder a lot of spammers have stopped forging hotmail or msn because most of those mails don't even get thru the MTA. And a majority of the forged spams I still get is from earthlink or yahoo.
>
> Thanks
> Ram

Hi,

well - you could set up your MTA to verify domainkeys and reject. However, there are a lot of mails around that could cause rejection although they are valid mail resent by something (e.g. a mailing list) but keeping the domain keys / not adding a sender header

Wolfgang Hamann
Re: Earthlink emails
On Tue, 2006-09-26 at 21:28 -0700, jdow wrote:
> Before you blame Earthlink note that it has NOT gone through Earthlink servers. relay2.corp.good-sam.com is the receiving email server. It's a forged email, at a guess. (It also has mangled headers. Newlines are missing. MAYBE it would do better if you sent it plain text. HTML tends to mangle things.
> {^_^}

Nobody would blame earthlink for the mail , But Most of the spams to my clients come from earthlink.net.( sometimes as high as 20% of spams Yahoo comes in next with ~10% )

I have written to them several times that their domain is being forged heavily by spammers but they refuse to take any action

Apparently they have removed SPF records after publishing them once. That's a stupid idea IMHO. Today I am forced to TEMP FAIL earthlink ids whenever there is a spam attack on my servers

Thanks
Ram
Re: Earthlink emails
> Apparently they have removed SPF records after publishing them once. That's a stupid idea IMHO. Today I am forced to TEMP FAIL earthlink ids whenever there is a spam attack on my servers

SPF can be a pain for a number of reasons that have been discussed endlessly. I suspect Dirtlink found them to be effectively useless. Why not try using domainkeys instead?

DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=dk20050327; d=earthlink.net; b=FB4IOaniCvpDwkx5cYm2jFWe8LB9zRfxL9FHzbhv1JHyGSVrA0o4mttb3jjbU4C3; h=Message-ID:Date:From:Reply-To:To:Subject:Cc:Mime-Version:Content-Type:Content-Transfer-Encoding:X-Mailer:X-ELNK-Trace:X-Originating-IP;

Loren
Re: Earthlink emails
From: Ramprasad [EMAIL PROTECTED]
> On Tue, 2006-09-26 at 21:28 -0700, jdow wrote:
>> Before you blame Earthlink note that it has NOT gone through Earthlink servers. relay2.corp.good-sam.com is the receiving email server. It's a forged email, at a guess. (It also has mangled headers. Newlines are missing. MAYBE it would do better if you sent it plain text. HTML tends to mangle things.
>> {^_^}
>
> Nobody would blame earthlink for the mail , But Most of the spams to my clients come from earthlink.net.( sometimes as high as 20% of spams Yahoo comes in next with ~10% )

How do you determine this? Is it by a legitimate domain keys tested Earthlink SMTP or does it simply say it came from Earthlink? I see a lot of mail that SAYS it came from Earthlink. But there is not a single Earthlink name in any of the Received headers. It's forged.

> I have written to them several times that their domain is being forged heavily by spammers but they refuse to take any action

Explain how they can take any action? How can Earthlink stop it? They do sue in particularly blatant cases. But if it's some other ISP with a user forging Earthlink names what on Earth do you expect Earthlink to do?

> Apparently they have removed SPF records after publishing them once. That's a stupid idea IMHO. Today I am forced to TEMP FAIL earthlink ids whenever there is a spam attack on my servers

They went to domain keys. It seems to be better for the Earthlink situation.
{^_^}
Earthlink emails
I am getting a lot of earthlink.net emails with 4-5 random words in the body. I am at a loss how to prevent these. Any suggestions??

Thanks
Bryan

Subject: axiom closure advocacy
From: Blair [EMAIL PROTECTED]
Date: Mon, 25 Sep 2006 22:17:02 -0500
To: "[EMAIL PROTECTED]" [EMAIL PROTECTED]
Return-Path: [EMAIL PROTECTED]
Received: from jonas.corp.good-sam.com by oraclemail.corp.good-sam.com with ESMTP id 78034461159241089; Mon, 25 Sep 2006 22:24:49 -0500
Received: from relay2.corp.good-sam.com ([127.0.0.1]) by jonas.corp.good-sam.com (Netscape Messaging Server 4.15) with ESMTP id J66K5D00.QEM; Mon, 25 Sep 2006 22:24:49 -0500
Received: from localhost (unknown [127.0.0.1]) by relay2.corp.good-sam.com (Postfix) with ESMTP id ED14919734E; Mon, 25 Sep 2006 22:19:52 -0500 (CDT)
Received: from relay2.corp.good-sam.com (localhost.localdomain [127.0.0.1]) by localhost.good-sam.com (Postfix) with ESMTP id AF23B197561; Mon, 25 Sep 2006 22:15:30 -0500 (CDT)
Received: from SHERI-PTIN5DJM8 (cpe-74-71-30-143.twcny.res.rr.com [74.71.30.143]) by relay2.corp.good-sam.com (Postfix) with SMTP id 36BF4197613; Mon, 25 Sep 2006 22:15:30 -0500 (CDT)
Message-ID: [EMAIL PROTECTED]
MIME-Version: 1.0
X-Mailer: Microsoft Office Outlook, Build 11.0.5510
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1106
Thread-Index: cjP2e3ogNnRAWCd1RrPAz5dlnZTe3DJGeSOW
X-Spam-Checker-Version: SpamAssassin 3.0.1 (2004-10-22) on relay2.corp.good-sam.com
X-Spam-Status: No, score=0.0 required=6.0 tests=none autolearn=disabled version=3.0.1
Content-Type: text/plain; charset=Windows-1252
Content-Transfer-Encoding: base64

attenuatebackwood altitude airline cheeky chinesedanube

This email transmission and any documents, files or previous email messages attached to it may contain information that is confidential or legally privileged. If you are not the intended recipient, you are hereby notified that any disclosure, copying, printing, distributing or use of this transmission is strictly prohibited. If you have received this transmission in error, please immediately notify the sender by telephone or return email and delete the original transmission and its attachments without reading or saving in any manner. The Evangelical Lutheran Good Samaritan Society.
Re: Earthlink emails
bryan haase wrote:
> I am getting a lot of earthlink.net emails with 4-5 random words in the body. I am at a loss how to prevent these. Any suggestions??
>
> Thanks
> Bryan
>
> Subject: axiom closure advocacy

May I suggest you start with upgrading your SA to 3.1.5, which will solve security issues and may well help with detection.

--
Martin Hepworth
Senior Systems Administrator
Solid State Logic
Tel: +44 (0)1865 842300

** This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the system manager. This footnote confirms that this email message has been swept for the presence of computer viruses and is believed to be clean. **
Re: Earthlink emails
On Tue, September 26, 2006 18:24, bryan haase wrote:
> I am getting a lot of earthlink.net emails with 4-5 random words in the body. I am at a loss how to prevent these. Any suggestions??

http://openspf.org/wizard.html?mydomain=earthlink.net

> SpamAssassin 3.0.1 (2004-10-22) on relay2.corp.good-sam.com

update to 3.1.5 if possible and enable spf check

--
This message was sent using 100% recycled spam mails.
Re: Earthlink emails
On 26-Sep-06, at 12:43 PM, Benny Pedersen wrote:
> On Tue, September 26, 2006 18:24, bryan haase wrote:
>> I am getting a lot of earthlink.net emails with 4-5 random words in the body. I am at a loss how to prevent these. Any suggestions??
>
> http://openspf.org/wizard.html?mydomain=earthlink.net
>
>> SpamAssassin 3.0.1 (2004-10-22) on relay2.corp.good-sam.com
>
> update to 3.1.5 if possible and enable spf check

How does this help? Earthlink does not publish SPF records.

--
Gino Cerullo
Pixel Point Studios
21 Chesham Drive
Toronto, ON M3M 1W6
416-247-7740
Re: Earthlink emails
On Tue, September 26, 2006 18:44, Gino Cerullo wrote:
>> update to 3.1.5 if possible and enable spf check
>
> How does this help? Earthlink does not publish SPF records.

sorry i was too fast here :/

--
This message was sent using 100% recycled spam mails.
Re: Earthlink emails
> Received: from SHERI-PTIN5DJM8 (cpe-74-71-30-143.twcny.res.rr.com [74.71.30.143])

That mail came from a RoadRunner zombie account in Minnesota, has nothing to do with Earthlink other than the forged headers.

If that is the entire message, and there isn't an image attached, they might be a bit hard to detect and stop. I'd check if maybe they are all coming from the same broken zombie system, and if so, block it specifically.

Of course, if you had net tests running you would at least get a DUL hit on this, and possibly some others.

Loren

----- Original Message -----
From: bryan haase
To: users@spamassassin.apache.org
Sent: Tuesday, September 26, 2006 9:24 AM
Subject: Earthlink emails

I am getting a lot of earthlink.net emails with 4-5 random words in the body. I am at a loss how to prevent these. Any suggestions??

Thanks
Bryan

Subject: axiom closure advocacy
From: Blair [EMAIL PROTECTED]
Date: Mon, 25 Sep 2006 22:17:02 -0500
To: "[EMAIL PROTECTED]" [EMAIL PROTECTED]
Return-Path: [EMAIL PROTECTED]
Received: from jonas.corp.good-sam.com by oraclemail.corp.good-sam.com with ESMTP id 78034461159241089; Mon, 25 Sep 2006 22:24:49 -0500
Received: from relay2.corp.good-sam.com ([127.0.0.1]) by jonas.corp.good-sam.com (Netscape Messaging Server 4.15) with ESMTP id J66K5D00.QEM; Mon, 25 Sep 2006 22:24:49 -0500
Received: from localhost (unknown [127.0.0.1]) by relay2.corp.good-sam.com (Postfix) with ESMTP id ED14919734E; Mon, 25 Sep 2006 22:19:52 -0500 (CDT)
Received: from relay2.corp.good-sam.com (localhost.localdomain [127.0.0.1]) by localhost.good-sam.com (Postfix) with ESMTP id AF23B197561; Mon, 25 Sep 2006 22:15:30 -0500 (CDT)
Received: from SHERI-PTIN5DJM8 (cpe-74-71-30-143.twcny.res.rr.com [74.71.30.143]) by relay2.corp.good-sam.com (Postfix) with SMTP id 36BF4197613; Mon, 25 Sep 2006 22:15:30 -0500 (CDT)
Message-ID: [EMAIL PROTECTED]
MIME-Version: 1.0
X-Mailer: Microsoft Office Outlook, Build 11.0.5510
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1106
Thread-Index: cjP2e3ogNnRAWCd1RrPAz5dlnZTe3DJGeSOW
X-Spam-Checker-Version: SpamAssassin 3.0.1 (2004-10-22) on relay2.corp.good-sam.com
X-Spam-Status: No, score=0.0 required=6.0 tests=none autolearn=disabled version=3.0.1
Content-Type: text/plain; charset=Windows-1252
Content-Transfer-Encoding: base64

attenuatebackwood altitude airline cheeky chinesedanube

This email transmission and any documents, files or previous email messages attached to it may contain information that is confidential or legally privileged. If you are not the intended recipient, you are hereby notified that any disclosure, copying, printing, distributing or use of this transmission is strictly prohibited. If you have received this transmission in error, please immediately notify the sender by telephone or return email and delete the original transmission and its attachments without reading or saving in any manner. The Evangelical Lutheran Good Samaritan Society.
Re: Earthlink emails
Easy to detect. If these lines are missing it isn't from Earthlink:

X-ELNK-Trace: 969e0f2de935a8bcd780f4a490ca69563f9fea00a6dd62bcb02f9df018f210f4f21462a4fe5b44a8350badd9bab72f9c350badd9bab72f9c350badd9bab72f9c
X-Originating-IP: 71.116.187.9
X-ELNK-AV: 0
X-ELNK-Info: sbv=0; sbrc=.0; sbf=00; sbw=000;

Originating IP should check out. And if it did not start out through:

Received: from [71.116.187.9] (helo=watson1) by elasmtp-banded.atl.sa.earthlink.net with asmtp (Exim 4.34) id 1GSPvP-0005k3-7d for users@spamassassin.apache.org; Tue, 26 Sep 2006 23:17:32 -0400

Perhaps simplest look for a working Domain Key signature:

DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=dk20050327; d=earthlink.net; b=sHsrs3wmDYe/alXMm+V8Q+rD7M47bShf6PGpqVmFXtf+UoPnp57oCrGEcBcbmcmq; h=Received:Message-ID:From:To:References:Subject:Date:MIME-Version:Content-Type:X-Priority:X-MSMail-Priority:X-Mailer:X-MimeOLE:X-ELNK-Trace:X-Originating-IP;

{^_^}

----- Original Message -----
From: Loren Wilton [EMAIL PROTECTED]
To: users@spamassassin.apache.org
Sent: Tuesday, September 26, 2006 20:17
Subject: Re: Earthlink emails

> Received: from SHERI-PTIN5DJM8 (cpe-74-71-30-143.twcny.res.rr.com [74.71.30.143])

That mail came from a RoadRunner zombie account in Minnesota, has nothing to do with Earthlink other than the forged headers.

If that is the entire message, and there isn't an image attached, they might be a bit hard to detect and stop. I'd check if maybe they are all coming from the same broken zombie system, and if so, block it specifically.

Of course, if you had net tests running you would at least get a DUL hit on this, and possibly some others.

Loren

----- Original Message -----
From: bryan haase
To: users@spamassassin.apache.org
Sent: Tuesday, September 26, 2006 9:24 AM
Subject: Earthlink emails

I am getting a lot of earthlink.net emails with 4-5 random words in the body. I am at a loss how to prevent these. Any suggestions??

Thanks
Bryan

Subject: axiom closure advocacy
From: Blair [EMAIL PROTECTED]
Date: Mon, 25 Sep 2006 22:17:02 -0500
To: [EMAIL PROTECTED] [EMAIL PROTECTED]
Return-Path: [EMAIL PROTECTED]
Received: from jonas.corp.good-sam.com by oraclemail.corp.good-sam.com with ESMTP id 78034461159241089; Mon, 25 Sep 2006 22:24:49 -0500
Received: from relay2.corp.good-sam.com ([127.0.0.1]) by jonas.corp.good-sam.com (Netscape Messaging Server 4.15) with ESMTP id J66K5D00.QEM; Mon, 25 Sep 2006 22:24:49 -0500
Received: from localhost (unknown [127.0.0.1]) by relay2.corp.good-sam.com (Postfix) with ESMTP id ED14919734E; Mon, 25 Sep 2006 22:19:52 -0500 (CDT)
Received: from relay2.corp.good-sam.com (localhost.localdomain [127.0.0.1]) by localhost.good-sam.com (Postfix) with ESMTP id AF23B197561; Mon, 25 Sep 2006 22:15:30 -0500 (CDT)
Received: from SHERI-PTIN5DJM8 (cpe-74-71-30-143.twcny.res.rr.com [74.71.30.143]) by relay2.corp.good-sam.com (Postfix) with SMTP id 36BF4197613; Mon, 25 Sep 2006 22:15:30 -0500 (CDT)
Message-ID: [EMAIL PROTECTED]
MIME-Version: 1.0
X-Mailer: Microsoft Office Outlook, Build 11.0.5510
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1106
Thread-Index: cjP2e3ogNnRAWCd1RrPAz5dlnZTe3DJGeSOW
X-Spam-Checker-Version: SpamAssassin 3.0.1 (2004-10-22) on relay2.corp.good-sam.com
X-Spam-Status: No, score=0.0 required=6.0 tests=none autolearn=disabled version=3.0.1
Content-Type: text/plain; charset=Windows-1252
Content-Transfer-Encoding: base64

attenuatebackwood altitude airline cheeky chinesedanube

--
This email transmission and any documents, files or previous email messages attached to it may contain information that is confidential or legally privileged. If you are not the intended recipient, you are hereby notified that any disclosure, copying, printing, distributing or use of this transmission is strictly prohibited. If you have received this transmission in error, please immediately notify the sender by telephone or return email and delete the original transmission and its attachments without reading or saving in any manner. The Evangelical Lutheran Good Samaritan Society.
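The header checks listed in the message above, as an added Python example (not code from the thread). Both sample messages are constructed from header lines quoted on this page, with a made-up sender address and placeholder values; the function tests only that the headers are present and consistent with each other and does not verify the DomainKeys signature cryptographically, which is the one check a forger cannot satisfy by copying headers.

```python
import re
from email import message_from_string
from email.utils import parseaddr

CLAIMED = "earthlink.net"
REQUIRED = ("X-ELNK-Trace", "X-Originating-IP")  # headers named in the post
BY_RE = re.compile(r"\bby\s+([\w.-]+)", re.I)

def dk_tags(value):
    """Split a DomainKey-Signature value into its tag=value pairs."""
    tags = {}
    for part in value.split(";"):
        if "=" in part:
            key, val = part.split("=", 1)
            tags[key.strip()] = "".join(val.split())
    return tags

def earthlink_claim_problems(raw):
    """Return None if the From: domain is not earthlink.net, otherwise a list
    of reasons the message does not look like it left Earthlink's servers."""
    msg = message_from_string(raw)
    _, addr = parseaddr(msg.get("From", ""))
    if addr.rpartition("@")[2].lower() != CLAIMED:
        return None
    problems = [f"missing {h}" for h in REQUIRED if msg.get(h) is None]
    received = msg.get_all("Received", [])
    hosts = [h.lower() for r in received for h in BY_RE.findall(r)]
    if not any(h.endswith("." + CLAIMED) for h in hosts):
        problems.append("no Received hop by an earthlink.net host")
    origin = msg.get("X-Originating-IP")
    if origin and not any(f"[{origin.strip()}]" in r for r in received):
        problems.append("X-Originating-IP not seen in any Received header")
    sig = msg.get("DomainKey-Signature")
    if sig is None or dk_tags(sig).get("d", "").lower() != CLAIMED:
        problems.append("no DomainKey-Signature with d=earthlink.net")
    return problems

# Constructed sample: the forged message from the thread, with a made-up
# earthlink.net sender address in place of the scrubbed one.
FORGED = "\n".join([
    "Received: from SHERI-PTIN5DJM8 (cpe-74-71-30-143.twcny.res.rr.com [74.71.30.143])",
    "\tby relay2.corp.good-sam.com (Postfix) with SMTP id 36BF4197613",
    "From: Blair <blair@earthlink.net>",
    "Subject: axiom closure advocacy",
    "",
    "altitude airline cheeky",
])

# Constructed sample built from the Earthlink headers quoted in the post;
# the trace and signature values are placeholders.
GENUINE = "\n".join([
    "Received: from [71.116.187.9] (helo=watson1)",
    "\tby elasmtp-banded.atl.sa.earthlink.net with asmtp (Exim 4.34)",
    "DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=dk20050327;",
    "\td=earthlink.net; b=PLACEHOLDER; h=Message-ID:Date:From;",
    "X-ELNK-Trace: placeholder-trace-value",
    "X-Originating-IP: 71.116.187.9",
    "From: Example User <user@earthlink.net>",
    "Subject: Re: Earthlink emails",
    "",
    "body",
])

OTHER = "From: someone@example.org\nSubject: hello\n\nbody"

if __name__ == "__main__":
    for name, raw in (("forged", FORGED), ("genuine", GENUINE), ("other", OTHER)):
        print(name, earthlink_claim_problems(raw))
```
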