296657Re: Spam from DKIM verified senders.
- Nov 14, 2013Hi Michael
Thanks for the information. That's actually something I can use. (I was
beginning to think I was the only one seeing this kind of spam.) I
hadn't thought to check the DNS servers for the domains in question.
I'll try your suggestions for rejection also.
Thanks also to the other respondents. I wasn't explicitly
"whitelisting" these messages, although I accept that using DKIM to
lower the spam scores had essentially the same effect. I've updated my
SpamAssassin config accordingly.
Not sure why my bayesian classifier hasn't picked up on these as yet. I
guess the contents are sufficiently small and different for them to
make it difficult to catch, or maybe I need to re-train my system.
On Thu, 14 Nov 2013 10:25:56 +0100
Michael Storz <Michael.Storz@...> wrote:
> this spam email was sent from one of the Crystone networks. The DNS
> servers for the domain idealils.com are all located on a Crystone
> network. In the last 7 days we have seen about 2.800 different
> mark.NAME@DOMAIN addresses sent from the Crystone networks. Crystone,
> a swedish ISP with networks in a lot of countries is an known hoster
> of snoeshoe spammer, just look at
> One possible solution is to reject every email where the DNS servers
> of the sending domain is sitting in one of the Crystone networks.
> smtpd_sender_restrictions = check_sender_ns_access
> 126.96.36.199/18 REJECT
> 188.8.131.52/24 REJECT
> 184.108.40.206/24 REJECT
> 220.127.116.11/24 REJECT
> 18.104.22.168/24 REJECT
> 22.214.171.124/24 REJECT
> 126.96.36.199/24 REJECT
> 188.8.131.52/24 REJECT
> 184.108.40.206/24 REJECT
> 220.127.116.11/24 REJECT
> This will stop most but not all of these spam emails because some of
> the spam is coming from other networks.
> > Headers (slightly anonymised) below.
> > =============================================================================
> > Return-Path: <mark.morgan@...>
> > X-Spam-Flag: NO
> > X-Spam-Score: -1.829
> > X-Spam-Level:
> > X-Spam-Status: No, score=-1.829 tagged_above=-9999 required=5.31
> > tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1,
> > DKIM_VALID_AU=-0.1, DKIM_VERIFIED=-1.5,
> > HTML_IMAGE_ONLY_20=1.546, HTML_MESSAGE=0.001,
> > RCVD_IN_BRBL_LASTEXT=1.449, RP_MATCHES_RCVD=-1.324, SPF_PASS=-0.001]
> > Received: from news.idealils.com (news.idealils.com
> > [18.104.22.168])
> > by xxxxx.xxxxxxx.nz (Postfix) with ESMTP id 12D99107776
> > for <xxxxxxx@...>; Thu, 14 Nov 2013 00:09:16
> > +1300 (NZDT) DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed;
> > s=dkim; d=idealils.com;
> > h=To:From:Reply-to:Subject:Date:Message-ID:List-Unsubscribe:MIME-Version:Content-Type:Content-Transfer-Encoding;
> > i=mark.morgan@...; bh=VqBrW8MPH2sIF1Xrp9XOaGuQpMU=;
> > b=n0T9AIvicRQk0Uyp7VQ+lGbbWTFu3/YbVHiHn7stOnsVw6coImMRxNiEhj4zsQxlb9rtVlTMOP+f
> > 3THr75b3QyAEziERMBhoXTIHlKcNuNEs2EAysM4tHupD1eoaDZvel8LP7YaQ1qRE0Q79vAsraV4g
> > hHnMlVbwcXT2O+pkY/A= DomainKey-Signature: a=rsa-sha1; c=nofws;
> > q=dns; s=dkim; d=idealils.com;
> > b=HkVGiPiwqj4pJbvzTChjghhe5PP0l5fLF+p5Cwmqxbfl0pD+VBgNONV9YymN8rm0UC01A7JuJo6i
> > 7goHE1LP7oMVBoXkd8KjLAeUi23AZH+kdg3m6ILLgUo+3VuxLSnWkn6h2CdmrxeFbARdmdg6AkbD
> > 3rhrUaJulD9R0P4mR+w=; To: xxxxxxx@...
> > From: "Mark Morgan" <mark.morgan@...>
> > Reply-to: "Mark Morgan" <mark.morgan@...>
> > Subject: Make loads of money by following the instructions
> > Date: Wed, 13 Nov 2013 12:07:02 +0100
> > Message-ID: <ff5d308e8086d879351a7091a4b345d2@...>
> > X-JID: 3761
> > X-Complaints-To: abuse@...
> > X-CID: 100998608
> > List-Unsubscribe:
> > <mailto:unsubscribe@...?subject=100998608-3761>
> > X-Report-Abuse: abuse@... MIME-Version: 1.0
> > Content-Type: multipart/alternative; charset="UTF-8";
> > boundary="8b30e82dd9a73df8f95146a5e68345f5"
> > Content-Transfer-Encoding:
> > 8bit
- << Previous post in topic Next post in topic >>