
296648 Re: Spam from DKIM verified senders.

  • Michael Storz
    Nov 14, 2013
      On 2013-11-13 21:07, Jeremy Bowen wrote:
      > Over the last few months I've been receiving a lot of spam from various
      > different DKIM and SPF verified senders. This tends to slide right past
      > my anti-spam measures (SpamAssassin/Amavis/RBLs) and straight into my
      > inbox.
      >
      > Another common feature of these emails is that the sender is *always*
      > "Mark" someone or other. Mark Smith, Mark Morgan, Mark Baxter. Mark
      > Random-name.
      >
      > I'm not sure if these domains have been explicitly created with valid
      > DKIM credentials or if the sites have been hacked, but I'm getting these
      > mails daily from random different sources, and on multiple different
      > email accounts/servers.
      >
      > Any suggestions on what I could do to mitigate this?
      > Thanks in advance.
      >

      Hi Jeremy

      This spam email was sent from one of the Crystone networks. The DNS
      servers for the domain idealils.com are all located on a Crystone
      network. In the last 7 days we have seen about 2,800 different
      mark.NAME@DOMAIN addresses sent from the Crystone networks. Crystone, a
      Swedish ISP with networks in a lot of countries, is a known hoster of
      snowshoe spammers; just look at
      http://www.spamhaus.org/sbl/listings/crystone.se

      One possible solution is to reject every email where the DNS servers of
      the sending domain are sitting in one of the Crystone networks.

      smtpd_sender_restrictions = check_sender_ns_access cidr:/<PATH>/check_sender_ns_access.cidr

      /<PATH>/check_sender_ns_access.cidr:

      83.168.192.0/18 REJECT
      192.36.0.0/24 REJECT
      192.36.4.0/24 REJECT
      192.36.6.0/24 REJECT
      192.36.17.0/24 REJECT
      ...
      194.103.7.0/24 REJECT
      194.132.23.0/24 REJECT
      194.132.107.0/24 REJECT
      194.132.113.0/24 REJECT
      194.132.187.0/24 REJECT

      This will stop most but not all of these spam emails because some of
      the spam is coming from other networks.

      Michael

      >
      > Headers (slightly anonymised) below.
      >
      >
      > =============================================================================
      > Return-Path: <mark.morgan@...>
      > X-Spam-Flag: NO
      > X-Spam-Score: -1.829
      > X-Spam-Level:
      > X-Spam-Status: No, score=-1.829 tagged_above=-9999 required=5.31
      >     tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1,
      >     DKIM_VALID_AU=-0.1, DKIM_VERIFIED=-1.5,
      >     HTML_IMAGE_ONLY_20=1.546, HTML_MESSAGE=0.001,
      >     RCVD_IN_BRBL_LASTEXT=1.449, RP_MATCHES_RCVD=-1.324, SPF_PASS=-0.001]
      > Received: from news.idealils.com (news.idealils.com [192.121.106.196])
      >     by xxxxx.xxxxxxx.nz (Postfix) with ESMTP id 12D99107776
      >     for <xxxxxxx@...>; Thu, 14 Nov 2013 00:09:16 +1300 (NZDT)
      > DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; s=dkim; d=idealils.com;
      >     h=To:From:Reply-to:Subject:Date:Message-ID:List-Unsubscribe:MIME-Version:Content-Type:Content-Transfer-Encoding;
      >     i=mark.morgan@...; bh=VqBrW8MPH2sIF1Xrp9XOaGuQpMU=;
      >     b=n0T9AIvicRQk0Uyp7VQ+lGbbWTFu3/YbVHiHn7stOnsVw6coImMRxNiEhj4zsQxlb9rtVlTMOP+f
      >     3THr75b3QyAEziERMBhoXTIHlKcNuNEs2EAysM4tHupD1eoaDZvel8LP7YaQ1qRE0Q79vAsraV4g
      >     hHnMlVbwcXT2O+pkY/A=
      > DomainKey-Signature: a=rsa-sha1; c=nofws; q=dns; s=dkim; d=idealils.com;
      >     b=HkVGiPiwqj4pJbvzTChjghhe5PP0l5fLF+p5Cwmqxbfl0pD+VBgNONV9YymN8rm0UC01A7JuJo6i
      >     7goHE1LP7oMVBoXkd8KjLAeUi23AZH+kdg3m6ILLgUo+3VuxLSnWkn6h2CdmrxeFbARdmdg6AkbD
      >     3rhrUaJulD9R0P4mR+w=;
      > To: xxxxxxx@...
      > From: "Mark Morgan" <mark.morgan@...>
      > Reply-to: "Mark Morgan" <mark.morgan@...>
      > Subject: Make loads of money by following the instructions
      > Date: Wed, 13 Nov 2013 12:07:02 +0100
      > Message-ID: <ff5d308e8086d879351a7091a4b345d2@...>
      > X-JID: 3761
      > X-Complaints-To: abuse@...
      > X-CID: 100998608
      > List-Unsubscribe: <mailto:unsubscribe@...?subject=100998608-3761>
      > X-Report-Abuse: abuse@...
      > MIME-Version: 1.0
      > Content-Type: multipart/alternative; charset="UTF-8";
      >     boundary="8b30e82dd9a73df8f95146a5e68345f5"
      > Content-Transfer-Encoding: 8bit
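To see which sender domains a check_sender_ns_access CIDR map like the one in Michael's reply would catch before deploying it, here is an added Python example (not from the thread or from Postfix itself) that parses a cidr: table in that format and mimics the nameserver lookup against constructed, offline DNS data; the domain names, nameserver names and their addresses are hypothetical, and only three of the post's networks are used.

```python
import ipaddress
# Constructed sample of a Postfix cidr: table in the format of the
# check_sender_ns_access.cidr file quoted above (three networks from the post).
CIDR_TABLE = """\
# nameserver networks to reject
83.168.192.0/18 REJECT
192.36.0.0/24 REJECT
194.132.187.0/24 REJECT
"""
# Constructed DNS data standing in for live NS and A lookups (hypothetical names).
SAMPLE_NS = {"sender.example": ["ns1.hoster.example", "ns2.hoster.example"],
             "clean.example": ["ns.clean.example"]}
SAMPLE_A = {"ns1.hoster.example": ["198.51.100.7"],   # not in the table
            "ns2.hoster.example": ["83.168.200.10"],  # inside 83.168.192.0/18
            "ns.clean.example": ["192.0.2.53"]}

def parse_cidr_table(text):
    """Parse a Postfix cidr: map into (network, action) pairs in file order."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        pattern, action = line.split(None, 1)
        if "/" not in pattern:  # a bare address is a single-host entry
            pattern += "/128" if ":" in pattern else "/32"
        rules.append((ipaddress.ip_network(pattern, strict=False), action.strip()))
    return rules

def lookup(rules, ip):
    """cidr: map semantics: the first entry containing the address wins."""
    addr = ipaddress.ip_address(ip)
    for net, action in rules:
        if addr.version == net.version and addr in net:
            return action
    return None

def sender_ns_decision(domain, rules, resolve_ns=lambda d: SAMPLE_NS.get(d, []),
                       resolve_a=lambda h: SAMPLE_A.get(h, [])):
    """Mimic check_sender_ns_access for one MAIL FROM domain: resolve its
    nameservers, then each nameserver's addresses, and return the first
    matching action, else DUNNO (Postfix's parent-domain retry is omitted)."""
    for ns in resolve_ns(domain):
        for ip in resolve_a(ns):
            action = lookup(rules, ip)
            if action is not None:
                return action
    return "DUNNO"

RULES = parse_cidr_table(CIDR_TABLE)
```

Pass real resolver functions as resolve_ns and resolve_a to run the same check against live DNS for a list of sender domains pulled from your logs.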