Evan,

        The spammer is Taiwan Media (Telecom long ago) Ltd.  They're using
the domain swzo.com-MUNG with Whois/registration contacts email account at
[EMAIL PROTECTED] and DNS from ns[12].0l23.com-MUNG.  They are listed in
Spamhaus' ROKSO with more data there - friends/associates of Leo (hence the
Geocities redirector abuse - primarily used by Kuvayev/Yambo/Taiwan/Soloway
and related spammers - the reverse Geocities abuse seems to be mostly Yambo).

        Almost all of their delivery is via zombie hosts - you got your spam
from 68.168.21.68 (68-168-21-68.chvlva.adelphia.net) a cable modem zombie.
This should have triggered some DUL rules.  Also the "Return-Path:" header,
while it references a valid domain, appears to be an abandoned domain with
no valid DNS - i.e. a MTA level check on the sender for valid FCrDNS would
fail;  I can see you are using Postfix, so this is quite easy to do - enable
the option "reject_unknown_sender_domain" in one or more of the clauses in
main.cf.  If you feel comfortable with it, MTA tests on a .njabl.org list
would also block a lot of these and definitely a block on the XBL (unless
you are so unfortunate as to be at the very start of a run).  A final more
controversial suggestion that will kill a lot of these is another option
for your main.cf - use "defer_if_reject reject_rbl_client bl.spamcop.net"
in your smtpd_client_restrictions clause (again, as long as you aren't at
the very start, it will kill most of these).  Also, if you feel OK about
missing lots of misconfigured Exchange servers,  reject_unknown_hostname and
reject_unknown_client under smtpd_client_restrictions *and* also used under
smtpd_helo_restrictions will kill more zombie deliveries.

        If you'd like, ask off list and I can give more Postfix suggestions,
but to all Postfix users I would strongly recommend a copy of "The BOOK of
POSTFIX" by Ralf Hildebrandt and Patrick Koetter from "No Starch Press",
ISBN 1-59327-001-1;  if you are fortunate enough to be fluent in German, I've
been told that the German edition has even more material (a later revision).

        Also, to everyone using BAYES (not everyone does, and some people
even do have good reasons not to), feed *all* your low scoring spam, whether
caught or passed by SA, back into sa-learn - this is the best method to avoid
getting "fooled twice".

        Finally, just for reference, even though my servers would have refused
the message to most accounts, locally the rules it hits are (ignoring the zero
point rule SPF_HELO_FAIL):

 BAYES_99               BODY: Bayesian spam probability is 99 to 100%
                        [score: 1.0000]
 RCVD_IN_SORBS_DUL      RBL: SORBS: sent directly from dynamic IP address
                        [68.168.21.68 listed in dnsbl.sorbs.net]
 RCVD_IN_BL_SPAMCOP_NET RBL: Received via a relay in bl.spamcop.net
            [Blocked - see <http://www.spamcop.net/bl.shtml?68.168.21.68>]
 RCVD_IN_NJABL_DUL      RBL: NJABL: dialup sender did non-local SMTP
                        [68.168.21.68 listed in combined.njabl.org]

        Which is, given my locally raised threshold, *just* enough to have
stopped delivery (though as you can see, any of the Postfix options above
would have blocked it at the MTA level).

        As Matt and others have pointed out, blocking "The Bat" is not a
good method - about the same as blocking Outblaze processed domains, because
they are forged so much.

        Paul Shupak
        [EMAIL PROTECTED]

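The Postfix settings the post recommends, collected into one main.cf fragment as an added example (this is not from the original message or the Postfix project). It assumes a Postfix of that era, where reject_unknown_client and reject_unknown_hostname are the original names of what Postfix 2.3 and later call reject_unknown_client_hostname and reject_unknown_helo_hostname (the old names are still accepted), and it uses the DNSBL zones that appear in the rule hits above.

```ini
# Added example, not from the original post.
# Before: the usual default, which accepts everything at the MTA and
# leaves zombie deliveries from dynamic IPs with bogus sender domains
# for SpamAssassin to score.
#smtpd_client_restrictions =
#smtpd_helo_restrictions =
#smtpd_sender_restrictions =

# After: the first matching restriction wins, so permit_mynetworks
# first keeps local submission unaffected.
#
# reject_unknown_client rejects a connecting IP with no forward-confirmed
# reverse DNS (PTR -> name -> A does not round-trip back to the IP).
# Aggressive: it also rejects misconfigured but legitimate Exchange
# servers, as the post warns.
#
# The DNSBL checks follow: XBL for exploited hosts, the two DUL zones
# that fired in the SpamAssassin output for dynamic ranges, and finally
# the more controversial spamcop zone wrapped in defer_if_reject, which
# turns its reject into a temporary (4xx) failure so a wrong listing
# only delays mail instead of bouncing it.
smtpd_client_restrictions =
    permit_mynetworks,
    reject_unknown_client,
    reject_rbl_client xbl.spamhaus.org,
    reject_rbl_client dnsbl.sorbs.net,
    reject_rbl_client combined.njabl.org,
    defer_if_reject reject_rbl_client bl.spamcop.net

# The HELO hostname must resolve (A or MX record); the same caveat about
# misconfigured Exchange servers applies here.
smtpd_helo_restrictions =
    permit_mynetworks,
    reject_unknown_hostname

# The envelope sender (Return-Path) domain must have an A or MX record.
# This is the check that catches the abandoned-domain case in the post.
smtpd_sender_restrictions =
    permit_mynetworks,
    reject_unknown_sender_domain
```

Before enabling any of these for real, prefix the restriction with warn_if_reject (for example `warn_if_reject reject_unknown_client`) so Postfix only logs what it would have rejected; that answers the misconfigured-Exchange-server worry from the mail log rather than from bounced mail.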