Loading ...
Sorry, an error occurred while loading the content.

296657Re: Spam from DKIM verified senders.

Expand Messages
  • Jeremy Bowen
    Nov 14, 2013
      Hi Michael

      Thanks for the information. That's actually something I can use. (I was
      beginning to think I was the only one seeing this kind of spam.) I
      hadn't thought to check the DNS servers for the domains in question.
      I'll try your suggestions for rejection also.

      Thanks also to the other respondents. I wasn't explicitly
      "whitelisting" these messages, although I accept that using DKIM to
      lower the spam scores had essentially the same effect. I've updated my
      SpamAssassin config accordingly.

      Not sure why my bayesian classifier hasn't picked up on these as yet. I
      guess the contents are sufficiently small and different for them to
      make it difficult to catch, or maybe I need to re-train my system.

      J


      On Thu, 14 Nov 2013 10:25:56 +0100
      Michael Storz <Michael.Storz@...> wrote:
      > this spam email was sent from one of the Crystone networks. The DNS
      > servers for the domain idealils.com are all located on a Crystone
      > network. In the last 7 days we have seen about 2.800 different
      > mark.NAME@DOMAIN addresses sent from the Crystone networks. Crystone,
      > a swedish ISP with networks in a lot of countries is an known hoster
      > of snoeshoe spammer, just look at
      > http://www.spamhaus.org/sbl/listings/crystone.se
      >
      > One possible solution is to reject every email where the DNS servers
      > of the sending domain is sitting in one of the Crystone networks.
      >
      > smtpd_sender_restrictions = check_sender_ns_access
      > cidr:/<PATH>/check_sender_ns_access.cidr
      >
      > /<PATH>/check_sender_ns_access.cidr:
      >
      > 83.168.192.0/18 REJECT
      > 192.36.0.0/24 REJECT
      > 192.36.4.0/24 REJECT
      > 192.36.6.0/24 REJECT
      > 192.36.17.0/24 REJECT
      > ...
      > 194.103.7.0/24 REJECT
      > 194.132.23.0/24 REJECT
      > 194.132.107.0/24 REJECT
      > 194.132.113.0/24 REJECT
      > 194.132.187.0/24 REJECT
      >
      > This will stop most but not all of these spam emails because some of
      > the spam is coming from other networks.
      >
      > Michael
      >
      > >
      > > Headers (slightly anonymised) below.
      > >
      > >
      > > =============================================================================
      > > Return-Path: <mark.morgan@...>
      > > X-Spam-Flag: NO
      > > X-Spam-Score: -1.829
      > > X-Spam-Level:
      > > X-Spam-Status: No, score=-1.829 tagged_above=-9999 required=5.31
      > > tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1,
      > > DKIM_VALID_AU=-0.1, DKIM_VERIFIED=-1.5,
      > > HTML_IMAGE_ONLY_20=1.546, HTML_MESSAGE=0.001,
      > > RCVD_IN_BRBL_LASTEXT=1.449, RP_MATCHES_RCVD=-1.324, SPF_PASS=-0.001]
      > > Received: from news.idealils.com (news.idealils.com
      > > [192.121.106.196])
      > > by xxxxx.xxxxxxx.nz (Postfix) with ESMTP id 12D99107776
      > > for <xxxxxxx@...>; Thu, 14 Nov 2013 00:09:16
      > > +1300 (NZDT) DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed;
      > > s=dkim; d=idealils.com;
      > >
      > > h=To:From:Reply-to:Subject:Date:Message-ID:List-Unsubscribe:MIME-Version:Content-Type:Content-Transfer-Encoding;
      > > i=mark.morgan@...; bh=VqBrW8MPH2sIF1Xrp9XOaGuQpMU=;
      > >
      > > b=n0T9AIvicRQk0Uyp7VQ+lGbbWTFu3/YbVHiHn7stOnsVw6coImMRxNiEhj4zsQxlb9rtVlTMOP+f
      > >
      > > 3THr75b3QyAEziERMBhoXTIHlKcNuNEs2EAysM4tHupD1eoaDZvel8LP7YaQ1qRE0Q79vAsraV4g
      > > hHnMlVbwcXT2O+pkY/A= DomainKey-Signature: a=rsa-sha1; c=nofws;
      > > q=dns; s=dkim; d=idealils.com;
      > >
      > > b=HkVGiPiwqj4pJbvzTChjghhe5PP0l5fLF+p5Cwmqxbfl0pD+VBgNONV9YymN8rm0UC01A7JuJo6i
      > >
      > > 7goHE1LP7oMVBoXkd8KjLAeUi23AZH+kdg3m6ILLgUo+3VuxLSnWkn6h2CdmrxeFbARdmdg6AkbD
      > > 3rhrUaJulD9R0P4mR+w=; To: xxxxxxx@...
      > > From: "Mark Morgan" <mark.morgan@...>
      > > Reply-to: "Mark Morgan" <mark.morgan@...>
      > > Subject: Make loads of money by following the instructions
      > > Date: Wed, 13 Nov 2013 12:07:02 +0100
      > > Message-ID: <ff5d308e8086d879351a7091a4b345d2@...>
      > > X-JID: 3761
      > > X-Complaints-To: abuse@...
      > > X-CID: 100998608
      > > List-Unsubscribe:
      > > <mailto:unsubscribe@...?subject=100998608-3761>
      > > X-Report-Abuse: abuse@... MIME-Version: 1.0
      > > Content-Type: multipart/alternative; charset="UTF-8";
      > > boundary="8b30e82dd9a73df8f95146a5e68345f5"
      > > Content-Transfer-Encoding:
      > > 8bit
      >
    • Show all 8 messages in this topic