Mailing List Archive: SpamAssassin: users

Am i sending spam?



lars.ebeling at leopg9

Dec 23, 2011, 1:10 PM

Post #1 of 19 (1169 views)
Am i sending spam?

http://pastebin.com/78gUdaCj
--
Kind regards
Lars Ebeling
Rentier

http://leopg9.no-ip.org


"I am not young enough to know everything."
-- Oscar Wilde


dfs at roaringpenguin

Dec 23, 2011, 1:14 PM

Post #2 of 19 (1145 views)
Re: Am i sending spam?

On Fri, 23 Dec 2011 22:10:22 +0100
"Lars Ebeling" <lars.ebeling [at] leopg9> wrote:

> http://pastebin.com/78gUdaCj

You are not sending spam. Someone on the machine
SR1S4.mesa.gmu.edu [129.174.112.124] connected to your machine and
said:

HELO leopg9.no-ip.org

In other words, the HELO domain was faked. We automatically block mail
from anyone who HELOs as our machine (unless it really *is* from our machine,
of course!)

Regards,

David.


dbfunk at engineering

Dec 23, 2011, 1:44 PM

Post #3 of 19 (1145 views)
Re: Am i sending spam?

On Fri, 23 Dec 2011, David F. Skoll wrote:

> On Fri, 23 Dec 2011 22:10:22 +0100
> "Lars Ebeling" <lars.ebeling [at] leopg9> wrote:
>
>> http://pastebin.com/78gUdaCj
>
> You are not sending spam. Someone on the machine
> SR1S4.mesa.gmu.edu [129.174.112.124] connected to your machine and
> said:
>
> HELO leopg9.no-ip.org
>
> In other words, the HELO domain was faked. We automatically block mail
> from anyone who HELOs as our machine (unless it really *is* from our machine,
> of course!)

Not to mention the fact that the IP addr is listed in cbl.abuseat.org
as a malware source and that the "message.bat" attachment looks -very-
suspicious.

Do you have any kind of AV running in your mail system?
The original of that message gets identified as "Worm.Mydoom.M FOUND"
by ClamAV. We run ClamAV as an input milter filter ahead of SpamAssassin;
no sense wasting time/cycles on known viri. ;)

--
Dave Funk University of Iowa
<dbfunk (at) engineering.uiowa.edu> College of Engineering
319/335-5751 FAX: 319/384-0549 1256 Seamans Center
Sys_admin/Postmaster/cell_admin Iowa City, IA 52242-1527
#include <std_disclaimer.h>
Better is not better, 'standard' is better. B{


dbfunk at engineering

Dec 23, 2011, 2:03 PM

Post #4 of 19 (1143 views)
Re: Am i sending spam?

On Fri, 23 Dec 2011, David B Funk wrote:

> On Fri, 23 Dec 2011, David F. Skoll wrote:
>
>> On Fri, 23 Dec 2011 22:10:22 +0100
>> "Lars Ebeling" <lars.ebeling [at] leopg9> wrote:
>>
>>> http://pastebin.com/78gUdaCj
>>
>> You are not sending spam. Someone on the machine
>> SR1S4.mesa.gmu.edu [129.174.112.124] connected to your machine and
>> said:
>>
>> HELO leopg9.no-ip.org
>>
>> In other words, the HELO domain was faked. We automatically block mail
>> from anyone who HELOs as our machine (unless it really *is* from our
>> machine,
>> of course!)
>
> Not to mention the fact that IP addr is listed in cbl.abuseat.org
> as a malware source and that "message.bat" attachment looks -very-
> suspicious.
>
> Do you have any kind of AV running in your mail system?
> The original of that message gets identified as "Worm.Mydoom.M FOUND"
> by ClamAV. We run ClamAV as an input milter filter ahead of SpamAssassin;
> no sense wasting time/cycles on known viri. ;)

One additional odd/interesting thing about that message:
that IP addr ([129.174.112.124]) is listed in multiple DNSBLs
(e.g. cbl.abuseat.org, zen.spamhaus) but gets a "whitelist" rating
from hostkarma.junkemailfilter.com.

So if I were to actually believe hostkarma I wouldn't have filtered
that message at all. ;(

Does anybody actually believe hostkarma's "whitelist" ratings?

I've seen lots of blatant spammers get whitelisted. I used to
report them to Marc but gave up when, after reporting a whitelisted
malware/phish message, he replied 'looks ok to me'.


--
Dave Funk University of Iowa
<dbfunk (at) engineering.uiowa.edu> College of Engineering
319/335-5751 FAX: 319/384-0549 1256 Seamans Center
Sys_admin/Postmaster/cell_admin Iowa City, IA 52242-1527
#include <std_disclaimer.h>
Better is not better, 'standard' is better. B{


lars.ebeling at leopg9

Dec 23, 2011, 2:13 PM

Post #5 of 19 (1145 views)
Re: Am i sending spam?

----- Original Message -----
From: "David F. Skoll" <dfs [at] roaringpenguin>
To: <users [at] spamassassin>
Sent: Friday, December 23, 2011 10:14 PM
Subject: Re: Am i sending spam?


> On Fri, 23 Dec 2011 22:10:22 +0100
> "Lars Ebeling" <lars.ebeling [at] leopg9> wrote:
>
>> http://pastebin.com/78gUdaCj
>
> You are not sending spam. Someone on the machine
> SR1S4.mesa.gmu.edu [129.174.112.124] connected to your machine and
> said:
>
> HELO leopg9.no-ip.org
>
> In other words, the HELO domain was faked. We automatically block mail
> from anyone who HELOs as our machine (unless it really *is* from our
> machine,
> of course!)
how do you do that?
>
> Regards,
>
> David.
>


dfs at roaringpenguin

Dec 23, 2011, 2:23 PM

Post #6 of 19 (1137 views)
Re: Am i sending spam?

On Fri, 23 Dec 2011 23:13:43 +0100
"Lars Ebeling" <lars.ebeling [at] leopg9> wrote:

> > We automatically block mail from anyone who HELOs as our machine
> > (unless it really *is* from our machine, of course!)

> how do you do that?

We use MIMEDefang which lets you code tests like that in Perl.
(So this is done outside of SpamAssassin, but you may be able
to hack a SpamAssassin rule to do it too.)

Regards,

David.


ler at lerctr

Dec 23, 2011, 2:37 PM

Post #7 of 19 (1139 views)
Re: Am i sending spam?

On 12/23/2011 4:23 PM, David F. Skoll wrote:
> On Fri, 23 Dec 2011 23:13:43 +0100 "Lars Ebeling"
> <lars.ebeling [at] leopg9> wrote:
>
>>> We automatically block mail from anyone who HELOs as our
>>> machine (unless it really *is* from our machine, of course!)
>
>> how do you do that?
>
> We use MIMEDefang which lets you code tests like that in Perl. (So
> this is done outside of SpamAssassin, but you may be able to hack a
> SpamAssassin rule to do it too.)
>
> Regards,
>
> David.
In Exim, I do the following:

  # kill off the folks that use OUR ip's in HELO Nice and Early.
  drop message = Forged IP detected in HELO: $sender_helo_name
       hosts = !+relay_from_hosts
       !authenticated = *
       condition = ${if eq{$sender_helo_name}{$interface_address}{yes}{no}}

  # Forged hostname - HELOs as my own hostname or domain (early as well)
  drop message = Forged hostname detected in HELO: $sender_helo_name
       hosts = !+relay_from_hosts
       !authenticated = *
       condition = ${lookup {$sender_helo_name} \
                   lsearch{/usr/local/etc/exim/checkfiles/our_host_names}{yes}{no}}

--
Larry Rosenman http://www.lerctr.org/~ler
Phone: +1 512-248-2683 E-Mail: ler [at] lerctr
US Mail: 430 Valona Loop, Round Rock, TX 78681-3893


dbfunk at engineering

Dec 23, 2011, 3:19 PM

Post #8 of 19 (1137 views)
Re: Am i sending spam?

On Fri, 23 Dec 2011, David F. Skoll wrote:

> On Fri, 23 Dec 2011 23:13:43 +0100
> "Lars Ebeling" <lars.ebeling [at] leopg9> wrote:
>
>>> We automatically block mail from anyone who HELOs as our machine
>>> (unless it really *is* from our machine, of course!)
>
>> how do you do that?
>
> We use MIMEDefang which lets you code tests like that in Perl.
> (So this is done outside of SpamAssassin, but you may be able
> to hack a SpamAssassin rule to do it too.)

Ideally this sort of check should be done at the incoming MTA (MX)
level (before it ever gets handed to SA). Right up front, do your HELO,
DNS and DNSBL checks on the opening connection and reject right there.
Why let spam in the front door if you know you're going to reject it
later?
Thus these sorts of tests are MTA-specific. You need to know what
your MTA is and check the appropriate FAQs, lists and config resources
for your MTA.

--
Dave Funk University of Iowa
<dbfunk (at) engineering.uiowa.edu> College of Engineering
319/335-5751 FAX: 319/384-0549 1256 Seamans Center
Sys_admin/Postmaster/cell_admin Iowa City, IA 52242-1527
#include <std_disclaimer.h>
Better is not better, 'standard' is better. B{


p at state-of-mind

Dec 23, 2011, 9:47 PM

Post #9 of 19 (1131 views)
Re: Am i sending spam?

* Lars Ebeling <lars.ebeling [at] leopg9>:
> >You are not sending spam. Someone on the machine SR1S4.mesa.gmu.edu
> >[129.174.112.124] connected to your machine and said:
> >
> >HELO leopg9.no-ip.org
> >
> >In other words, the HELO domain was faked. We automatically block mail
> >from anyone who HELOs as our machine (unless it really *is* from our
> >machine, of course!)
>
> how do you do that?

In Postfix:

  smtpd_recipient_restrictions =
      ...
      permit_mynetworks
      reject_unauth_destination
      ...
      check_helo_access pcre:/etc/postfix/helo.chk
      ...

  # /etc/postfix/helo.chk
  /^mail\.state-of-mind\.de$/     550 hostname abuse: mail.state-of-mind.de
  /^state-of-mind\.de$/           550 domainname abuse: state-of-mind.de
  /^194\.126\.158\.24$/           550 IP address abuse: 194.126.158.24
  /^\[194\.126\.158\.24\]$/       550 IP address abuse: [194.126.158.24]
  /^[0-9.]+$/                     550 RFC 2821 compliance error


HTH,

p [at] ric

--
state of mind ()

http://www.state-of-mind.de

Franziskanerstraße 15 Telefon +49 89 3090 4664
81669 München Telefax +49 89 3090 4666

Amtsgericht München Partnerschaftsregister PR 563
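The HELO-forgery check David describes in post #2, with the own-network and authenticated-client exemptions that both the Exim ACL (post #7) and the Postfix map (post #9) carry, as an added Python example that is not from the thread or from any of the MTAs mentioned. The hostname leopg9.no-ip.org and the client 129.174.112.124 come from the thread; the 192.0.2.0/24 network and the 192.0.2.25 interface address are constructed.

```python
import ipaddress
import re
from dataclasses import dataclass, field
from typing import List, Optional, Set

# The Postfix post's last map entry: a HELO made only of digits and dots.
BARE_IP_HELO = re.compile(r"^[0-9.]+$")


@dataclass
class Verdict:
    action: str               # "accept" or "reject"
    reason: Optional[str] = None


@dataclass
class HeloPolicy:
    our_names: Set[str]       # hostnames/domains this MTA answers as
    our_addresses: Set[str]   # its own interface addresses
    # Networks that may legitimately HELO with our name: Exim's +relay_from_hosts,
    # Postfix's permit_mynetworks placed ahead of check_helo_access.
    trusted_networks: List[str] = field(default_factory=list)

    def is_trusted(self, client_ip: str) -> bool:
        addr = ipaddress.ip_address(client_ip)
        return any(addr in ipaddress.ip_network(n) for n in self.trusted_networks)

    def check(self, client_ip: str, helo: str, authenticated: bool = False) -> Verdict:
        # The "unless it really *is* from our machine" clause comes first, so an
        # authenticated or on-net client is never caught by the checks below.
        if authenticated or self.is_trusted(client_ip):
            return Verdict("accept")
        name = helo.strip().lower()
        bracketed = name.startswith("[") and name.endswith("]")
        literal = name[1:-1] if bracketed else None
        # Remote host presenting one of our own names (Exim's lsearch over
        # our_host_names, the Postfix hostname/domainname rows).
        if name in {n.lower() for n in self.our_names}:
            return Verdict("reject", f"550 Forged hostname detected in HELO: {helo}")
        # Remote host presenting our own IP, bare or as the literal "[a.b.c.d]"
        # (Exim's $interface_address test, the two Postfix IP rows).
        if name in self.our_addresses or literal in self.our_addresses:
            return Verdict("reject", f"550 Forged IP detected in HELO: {helo}")
        # A bare dotted-quad without brackets is not a legal HELO argument at all.
        if not bracketed and BARE_IP_HELO.match(name):
            return Verdict("reject", "550 RFC 2821 compliance error")
        return Verdict("accept")


def demo() -> Verdict:
    # Constructed policy: the OP's MTA answers as leopg9.no-ip.org (from the
    # thread); its LAN and interface address are made up for this example.
    policy = HeloPolicy(our_names={"leopg9.no-ip.org"},
                        our_addresses={"192.0.2.25"},
                        trusted_networks=["192.0.2.0/24", "127.0.0.0/8"])
    # The connection from post #2: an outside host HELOing as the recipient itself.
    return policy.check("129.174.112.124", "leopg9.no-ip.org")


if __name__ == "__main__":
    verdict = demo()
    print(verdict.action, verdict.reason or "")
```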


me at junc

Dec 24, 2011, 1:12 AM

Post #10 of 19 (1123 views)
Re: Am i sending spam?

On Fri, 23 Dec 2011 22:10:22 +0100, Lars Ebeling wrote:
> http://pastebin.com/78gUdaCj

lines 82-86 show that Outlook is slowly dying :-)

line 86 contains content outside US-ASCII (non-encoded chars)


me at junc

Dec 24, 2011, 2:48 AM

Post #11 of 19 (1121 views)
Re: Am i sending spam?

On Fri, 23 Dec 2011 23:13:43 +0100, Lars Ebeling wrote:

>> In other words, the HELO domain was faked. We automatically block
>> mail
>> from anyone who HELOs as our machine (unless it really *is* from our
>> machine,
>> of course!)
> how do you do that?

http://www.impsec.org/~jhardin/antispam/milter-regex.conf

change the recipient domain in this example; in general, reject anything
that your own MTA uses when sending


jhardin at impsec

Dec 24, 2011, 8:45 AM

Post #12 of 19 (1124 views)
Re: Am i sending spam?

On Fri, 23 Dec 2011, Lars Ebeling wrote:

> ----- Original Message ----- From: "David F. Skoll" <dfs [at] roaringpenguin>
>> In other words, the HELO domain was faked. We automatically block mail
>> from anyone who HELOs as our machine (unless it really *is* from our
>> machine, of course!)

> how do you do that?

There are several ways, depending on which MTA you use.

I do it using milter-regex. For example:

http://www.impsec.org/~jhardin/antispam/milter-regex.conf

--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhardin [at] impsec FALaholic #11174 pgpk -a jhardin [at] impsec
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
"Bother," said Pooh as he struggled with /etc/sendmail.cf, "it never
does quite what I want. I wish Christopher Robin was here."
-- Peter da Silva in a.s.r
-----------------------------------------------------------------------
Tomorrow: Christmas


jhardin at impsec

Dec 24, 2011, 8:47 AM

Post #13 of 19 (1123 views)
Re: Am i sending spam?

On Sat, 24 Dec 2011, Benny Pedersen wrote:

> On Fri, 23 Dec 2011 23:13:43 +0100, Lars Ebeling wrote:
>
>> > In other words, the HELO domain was faked. We automatically block mail
>> > from anyone who HELOs as our machine (unless it really *is* from our
>> > machine,
>> > of course!)
>> how do you do that?
>
> http://www.impsec.org/~jhardin/antispam/milter-regex.conf
>
> change the recipient domain in this example; in general, reject anything
> that your own MTA uses when sending

Ha. This is what I get for replying to mail as I read it. :)

--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhardin [at] impsec FALaholic #11174 pgpk -a jhardin [at] impsec
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
"Bother," said Pooh as he struggled with /etc/sendmail.cf, "it never
does quite what I want. I wish Christopher Robin was here."
-- Peter da Silva in a.s.r
-----------------------------------------------------------------------
Tomorrow: Christmas


lars.ebeling at leopg9

Dec 24, 2011, 8:55 AM

Post #14 of 19 (1123 views)
Re: Am i sending spam?

I am using Postfix.

/Lars

me at junc

Dec 24, 2011, 9:18 AM

Post #15 of 19 (1124 views)
Re: Am i sending spam?

On Sat, 24 Dec 2011 08:47:44 -0800 (PST), John Hardin wrote:

> Ha. This is what I get for replying to mail as I read it. :)

+1

can you make a more generic example without your own domain in it?
At least I don't think users will use it unmodified. :)

mary xmax


jhardin at impsec

Dec 24, 2011, 10:53 AM

Post #16 of 19 (1117 views)
Re: Am i sending spam?

On Sat, 24 Dec 2011, Benny Pedersen wrote:

> On Sat, 24 Dec 2011 08:47:44 -0800 (PST), John Hardin wrote:
>
>> Ha. This is what I get for replying to mail as I read it. :)
>
> +1
>
> can you make a more generic example without your own domain in it?
> At least I don't think users will use it unmodified. :)

Yeah, that's not too hard.

> mary xmax

I think my wife would object.

--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhardin [at] impsec FALaholic #11174 pgpk -a jhardin [at] impsec
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
"Bother," said Pooh as he struggled with /etc/sendmail.cf, "it never
does quite what I want. I wish Christopher Robin was here."
-- Peter da Silva in a.s.r
-----------------------------------------------------------------------
Tomorrow: Christmas


jhardin at impsec

Dec 24, 2011, 11:42 AM

Post #17 of 19 (1116 views)
Re: Am i sending spam?

On Sat, 24 Dec 2011, Benny Pedersen wrote:

> On Sat, 24 Dec 2011 08:47:44 -0800 (PST), John Hardin wrote:
>
>> Ha. This is what I get for replying to mail as I read it. :)
>
> +1
>
> can you make a more generic example without your own domain in it?
> At least I don't think users will use it unmodified. :)

OK, done.

--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhardin [at] impsec FALaholic #11174 pgpk -a jhardin [at] impsec
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
"Bother," said Pooh as he struggled with /etc/sendmail.cf, "it never
does quite what I want. I wish Christopher Robin was here."
-- Peter da Silva in a.s.r
-----------------------------------------------------------------------
Tomorrow: Christmas


lars.ebeling at leopg9

Dec 25, 2011, 2:47 AM

Post #18 of 19 (1113 views)
Re: Am i sending spam?

To be honest I really don't know how to stop it. I tried to create a filter in
my router running TomatoUSB, but didn't succeed.

Regards
Lars


lars.ebeling at leopg9

Dec 25, 2011, 8:27 AM

Post #19 of 19 (1113 views)
Re: Am i sending spam?

I solved the problem (hopefully) with a workaround. I added a rule in iptables.

--
Regards
Lars Ebeling

http://leopg9.no-ip.org

"It is better to keep your mouth shut and appear stupid than to open it and
remove all doubt."
-- Mark Twain


