On Sun, 29 Jun 2008 07:07:58 -0700 (PDT), thadcoco <[EMAIL PROTECTED]> wrote:
> Hi All,
>
> My server CentOS 4, Sendmail, MailScanner (SA & ClamAV) is being buried by
> spoofed emails that are bounced back to my domain by the recipient's
> servers. Virtually all these emails are being sent from a zombie at a single
> IP.
>
> i.e.: All the messages contain the following line somewhere within:
> Received: from d04m-89-83-98-193.d4.club-internet.fr ([89.83.98.193])
>
> I can't figure out how to mark any messages that originally sourced from
> that IP so that they can be dropped by Procmail (that approach appears
> to be my only hope, as junk is arriving faster than my mail client can pull
> it off the server).
>
> I have tried to write a rule that would mark any message with that
> particular IP, but nothing seems to work.
>
> An example that doesn't work (but does --lint just fine) is:
>
> header ANNOYING_SPAMMER Received =~ /89\-83\-98\-193/
> describe ANNOYING_SPAMMER Mark mail touched by specific IP as spam
> score ANNOYING_SPAMMER 15
>
> Does SA only scan the most recent Received header line? If so, the "header
> Received" syntax wouldn't work because the bad IP is in the original
> Received line. In case that was the problem, I also tried the rawbody
> operator to no avail.
>
> Note that other than this issue, SA appears to be doing everything else just
> fine.
>
> So I am desperate and would be grateful for any suggestions. For reference,
> here are my full procmailrc and local.cf files.
> /etc/procmailrc
> -----------------
> DROPPRIVS=yes
> :0fw
> * < 256000
> | /usr/bin/spamc -f
>
> :0
> * ^X-Spam-Level: \*\*\*\*\*\*\*\*\*\*\*\*\*\*\*
> /dev/null
> ----------------
>
> /etc/mail/spamassassin/local.cf
> -----------------
> # Change the subject of suspected spam
> rewrite_header subject *****SPAM*****
>
> # Encapsulate spam in an attachment (0=no, 1=yes, 2=safe)
> report_safe 0
>
> # Enable the Bayes system
> use_bayes 1
>
> # Enable Bayes auto-learning
> bayes_auto_learn 1
>
> # Enable or disable network checks
> skip_rbl_checks 0
> use_razor2 1
> #use_dcc 1
> use_pyzor 1
>
> header ANNOYING_SPAMMER Received =~ /89\-83\-98\-193/
> describe ANNOYING_SPAMMER Mark mail touched by specific IP as spam
> score ANNOYING_SPAMMER 15
> ---------------

Can you not block them at your router or firewall? Then they are not taking up threads either. It's how I deal with heavy hitters.

Nigel
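An added illustration, not part of thadcoco's post or Nigel's reply: a small Python 3 script (standard library only) that walks a constructed DSN bounce and collects the Received headers at every level, including those of the original message that the bounce carries as a message/rfc822 part. It assumes the backscatter is structured that way, which is why the outer message's own Received headers show only the bouncing server and never the zombie at 89.83.98.193.

```python
import email
import re
from email import policy

# Constructed sample bounce (not a real message): the outer Received header
# names only the bouncing MX; the zombie appears only inside the attached
# original message (message/rfc822 part).
SAMPLE_BOUNCE = b"""\
Received: from mx.example.org ([192.0.2.10]) by mail.example.net; Sun, 29 Jun 2008 07:00:00 -0700
From: MAILER-DAEMON@example.org
Subject: Undelivered Mail Returned to Sender
Content-Type: multipart/report; report-type=delivery-status; boundary="B"

--B
Content-Type: text/plain

Your message could not be delivered.
--B
Content-Type: message/rfc822

Received: from d04m-89-83-98-193.d4.club-internet.fr ([89.83.98.193]) by mx.example.org; Sun, 29 Jun 2008 06:59:00 -0700
From: spoofed@example.net

spam body
--B--
"""

# Match the zombie as the bracketed IP or as the hyphenated reverse-DNS form.
ZOMBIE_RE = re.compile(r"\[89\.83\.98\.193\]|89-83-98-193")


def received_headers(raw):
    """Return (depth, value) for every Received header in the message,
    descending into message/rfc822 attachments (depth 0 = outer message)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    found = []

    def walk(part, depth):
        for value in part.get_all("Received", []):
            found.append((depth, str(value)))
        for sub in part.iter_parts():  # yields nothing for non-multipart parts
            walk(sub, depth + 1)

    walk(msg, 0)
    return found


def zombie_depths(raw):
    """Depths at which a Received header mentions the zombie; [] if none."""
    return [d for d, v in received_headers(raw) if ZOMBIE_RE.search(v)]
```

Running it on the sample shows the zombie only at depth 2 (inside the attached original), so a check limited to the outer headers would never see it.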