296648Re: Spam from DKIM verified senders.
- Nov 14, 2013Am 2013-11-13 21:07, schrieb Jeremy Bowen:
> Over the last few months I've been receiving a lot of spam fromHi Jeremy
> different DKIM and SPF verified senders. This tends to slide right
> my anti-spam measures (SpamAssassin/Amavis/RBLs) and straight into my
> Another common feature of these emails is that the sender is *always*
> "Mark" someone or other. Mark Smith, Mark Morgan, Mark Baxter. Mark
> I'm not sure if these domains have been explicitly created with valid
> credentials or if the sites have been hacked, but I'm getting these
> mails daily
> from random different sources, and on multiple different email
> Any suggestions on what I could do to mitigate this?
> Thanks in advance.
this spam email was sent from one of the Crystone networks. The DNS
servers for the domain idealils.com are all located on a Crystone
network. In the last 7 days we have seen about 2.800 different
mark.NAME@DOMAIN addresses sent from the Crystone networks. Crystone, a
swedish ISP with networks in a lot of countries is an known hoster of
snoeshoe spammer, just look at
One possible solution is to reject every email where the DNS servers of
the sending domain is sitting in one of the Crystone networks.
smtpd_sender_restrictions = check_sender_ns_access
This will stop most but not all of these spam emails because some of
the spam is coming from other networks.
> Headers (slightly anonymised) below.
> Return-Path: <mark.morgan@...>
> X-Spam-Flag: NO
> X-Spam-Score: -1.829
> X-Spam-Status: No, score=-1.829 tagged_above=-9999 required=5.31
> tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1,
> DKIM_VALID_AU=-0.1, DKIM_VERIFIED=-1.5,
> HTML_IMAGE_ONLY_20=1.546, HTML_MESSAGE=0.001,
> RCVD_IN_BRBL_LASTEXT=1.449, RP_MATCHES_RCVD=-1.324, SPF_PASS=-0.001]
> Received: from news.idealils.com (news.idealils.com
> by xxxxx.xxxxxxx.nz (Postfix) with ESMTP id 12D99107776
> for <xxxxxxx@...>; Thu, 14 Nov 2013 00:09:16 +1300
> (NZDT) DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; s=dkim;
> i=mark.morgan@...; bh=VqBrW8MPH2sIF1Xrp9XOaGuQpMU=;
> hHnMlVbwcXT2O+pkY/A= DomainKey-Signature: a=rsa-sha1; c=nofws; q=dns;
> s=dkim; d=idealils.com;
> 3rhrUaJulD9R0P4mR+w=; To: xxxxxxx@...
> From: "Mark Morgan" <mark.morgan@...>
> Reply-to: "Mark Morgan" <mark.morgan@...>
> Subject: Make loads of money by following the instructions
> Date: Wed, 13 Nov 2013 12:07:02 +0100
> Message-ID: <ff5d308e8086d879351a7091a4b345d2@...>
> X-JID: 3761
> X-Complaints-To: abuse@...
> X-CID: 100998608
> X-Report-Abuse: abuse@... MIME-Version: 1.0
> Content-Type: multipart/alternative; charset="UTF-8";
- << Previous post in topic Next post in topic >>