Posted to users@spamassassin.apache.org by dougp23 <do...@gmail.com> on 2007/08/19 20:11:15 UTC

Headers: What do I block here?

So I am seeing some of this stuff, and I want to block it based on headers. 
So here's the header:

Return-Path: <ko...@nexion.biz>
Received: from qmail.example.gov (localhost [127.0.0.1])
	by qmail.example.gov (8.13.1/8.13.1) with ESMTP id l7JFvfer015649
	for <jh...@example.gov>; Sun, 19 Aug 2007 11:57:41 -0400
Received: from qmail.example.gov (root@localhost)
	by qmail.example.gov (8.13.1/8.13.1/Submit) with ESMTP id l7JFvehg015644
	for <jh...@example.gov>; Sun, 19 Aug 2007 11:57:40 -0400
Received: from host-81-190-191-196.kwidzyn.mm.pl
	(host-81-190-188-6.kwidzyn.mm.pl [81.190.188.6])
	by qmail.example.gov (Scalix SMTP Relay 11.0.2.17)
	via ESMTP; Sun, 19 Aug 2007 11:57:41 -0400 (EDT)
Received: from domusie ([171.155.47.160] helo=domusie)
	by host-81-190-191-196.kwidzyn.mm.pl ( sendmail 8.13.3/8.13.1) with esmtpa
	id 1JDKEi-000RGQ-nl
	for jharvey@example.gov; Sun, 19 Aug 2007 18:27:43 +0200
Date: Sun, 19 Aug 2007 18:27:14 +0200
From: "Nives koye" <ko...@nexion.biz>
To: Judi HarveyOld <jh...@example.gov>
Message-ID: <00...@domusie>
Subject: This effectively deletes the in front of the cursor.
X-MSMail-Priority: Normal
X-Priority: 3
X-Mailer: Microsoft Outlook Express 6.00.2900.3028
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.3028
X-Spam-Status: No, score=1.7 required=2.9
	tests=BAYES_00,HELO_DYNAMIC_IPADDR,
	HTML_50_60,HTML_MESSAGE autolearn=no version=3.1.8
X-Spam-Level: *
X-Spam-Checker-Version: SpamAssassin 3.1.8 (2007-02-13) on
----rest chopped off

Can I do a blacklist_from the *.pl domain?  I imagine the *.biz one is not
REALLY going to help me, as it will change in the next spam!!!

Thanks anyone!!



-- 
View this message in context: http://www.nabble.com/Headers%3A--What-do-I-block-here--tf4294380.html#a12224676
Sent from the SpamAssassin - Users mailing list archive at Nabble.com.


Re: Headers: What do I block here?

Posted by dougp23 <do...@gmail.com>.
Thanks for the response Matt.
I don't know why RCVD_IN_SORBS_DUL didn't fire off, it is in
/usr/share/spamassassin/50_scores.cf and when I do spamassassin -D --lint it
does say it is using that dir as the default dir for SA rules...

No, when I ping my mailserver, it answers with a real IP address.  My MTA
and SA are on the same box, if that matters.

If you (or anyone else) can think of any other ideas, I'd love to hear them!  
We are getting a fair amount of this new "stock" spam, where words are
broken up with punctuation.

Thank you again!

Doug


Matt Kettler-3 wrote:
> 
> dougp23 wrote:
>> So I am seeing some of this stuff, and I want to block it based on
>> headers. 
>> So here's the header:
>>
>> Return-Path: <ko...@nexion.biz>
>> Received: from qmail.example.gov (localhost [127.0.0.1])
>> 	by qmail.example.gov (8.13.1/8.13.1) with ESMTP id l7JFvfer015649
>> 	for <jh...@example.gov>; Sun, 19 Aug 2007 11:57:41 -0400
>> Received: from qmail.example.gov (root@localhost)
>> 	by qmail.example.gov (8.13.1/8.13.1/Submit) with ESMTP id l7JFvehg015644
>> 	for <jh...@example.gov>; Sun, 19 Aug 2007 11:57:40 -0400
>> Received: from host-81-190-191-196.kwidzyn.mm.pl
>> 	(host-81-190-188-6.kwidzyn.mm.pl [81.190.188.6])
>> 	by qmail.example.gov (Scalix SMTP Relay 11.0.2.17)
>> 	via ESMTP; Sun, 19 Aug 2007 11:57:41 -0400 (EDT)
>> Received: from domusie ([171.155.47.160] helo=domusie)
>> 	by host-81-190-191-196.kwidzyn.mm.pl ( sendmail 8.13.3/8.13.1) with esmtpa
>> 	id 1JDKEi-000RGQ-nl
>> 	for jharvey@example.gov; Sun, 19 Aug 2007 18:27:43 +0200
>> Date: Sun, 19 Aug 2007 18:27:14 +0200
>> From: "Nives koye" <ko...@nexion.biz>
>> To: Judi HarveyOld <jh...@example.gov>
>> Message-ID: <00...@domusie>
>> Subject: This effectively deletes the in front of the cursor.
>> X-MSMail-Priority: Normal
>> X-Priority: 3
>> X-Mailer: Microsoft Outlook Express 6.00.2900.3028
>> X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.3028
>> X-Spam-Status: No, score=1.7 required=2.9
>> 	tests=BAYES_00,HELO_DYNAMIC_IPADDR,
>> 	HTML_50_60,HTML_MESSAGE autolearn=no version=3.1.8
>> X-Spam-Level: *
>> X-Spam-Checker-Version: SpamAssassin 3.1.8 (2007-02-13) on
>> ----rest chopped off
>>
>> Can I do a blacklist_from the *.pl domain? 
> No, because neither the From nor Return-Path contains .pl.
> 
> Besides, blacklisting an entire country (or major ISP) is, well, a bit
> of a crude instrument as far as handling email goes. Save such
> approaches for the ignorant cave-men.
> 
> That said, the IP address that sent this message (81.190.188.6) is
> listed in the SORBS DUL list. Perhaps you should look into why
> RCVD_IN_SORBS_DUL didn't fire off.
> 
> Is your trusted_networks auto-guesser confused? (ie: does your SA box
> resolve "qmail.example.gov" to a private IP address?)
> 
>>  I imagine the *.biz one is not
>> REALLY going to help me, as it will change in the next spam!!!
>>   
> 
> In general this applies to any "from" rule.
> 
> 

-- 
View this message in context: http://www.nabble.com/Headers%3A--What-do-I-block-here--tf4294380.html#a12234991
Sent from the SpamAssassin - Users mailing list archive at Nabble.com.


Re: Headers: What do I block here?

Posted by Matt Kettler <mk...@verizon.net>.
dougp23 wrote:
> So I am seeing some of this stuff, and I want to block it based on headers. 
> So here's the header:
>
> Return-Path: <ko...@nexion.biz>
> Received: from qmail.example.gov (localhost [127.0.0.1])
> 	by qmail.example.gov (8.13.1/8.13.1) with ESMTP id l7JFvfer015649
> 	for <jh...@example.gov>; Sun, 19 Aug 2007 11:57:41 -0400
> Received: from qmail.example.gov (root@localhost)
> 	by qmail.example.gov (8.13.1/8.13.1/Submit) with ESMTP id l7JFvehg015644
> 	for <jh...@example.gov>; Sun, 19 Aug 2007 11:57:40 -0400
> Received: from host-81-190-191-196.kwidzyn.mm.pl
> 	(host-81-190-188-6.kwidzyn.mm.pl [81.190.188.6])
> 	by qmail.example.gov (Scalix SMTP Relay 11.0.2.17)
> 	via ESMTP; Sun, 19 Aug 2007 11:57:41 -0400 (EDT)
> Received: from domusie ([171.155.47.160] helo=domusie)
> 	by host-81-190-191-196.kwidzyn.mm.pl ( sendmail 8.13.3/8.13.1) with esmtpa
> 	id 1JDKEi-000RGQ-nl
> 	for jharvey@example.gov; Sun, 19 Aug 2007 18:27:43 +0200
> Date: Sun, 19 Aug 2007 18:27:14 +0200
> From: "Nives koye" <ko...@nexion.biz>
> To: Judi HarveyOld <jh...@example.gov>
> Message-ID: <00...@domusie>
> Subject: This effectively deletes the in front of the cursor.
> X-MSMail-Priority: Normal
> X-Priority: 3
> X-Mailer: Microsoft Outlook Express 6.00.2900.3028
> X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.3028
> X-Spam-Status: No, score=1.7 required=2.9
> 	tests=BAYES_00,HELO_DYNAMIC_IPADDR,
> 	HTML_50_60,HTML_MESSAGE autolearn=no version=3.1.8
> X-Spam-Level: *
> X-Spam-Checker-Version: SpamAssassin 3.1.8 (2007-02-13) on
> ----rest chopped off
>
> Can I do a blacklist_from the *.pl domain? 
No, because neither the From nor Return-Path contains .pl.

Besides, blacklisting an entire country (or major ISP) is, well, a bit
of a crude instrument as far as handling email goes. Save such
approaches for the ignorant cave-men.

That said, the IP address that sent this message (81.190.188.6) is
listed in the SORBS DUL list. Perhaps you should look into why
RCVD_IN_SORBS_DUL didn't fire off.

Is your trusted_networks auto-guesser confused? (ie: does your SA box
resolve "qmail.example.gov" to a private IP address?)

>  I imagine the *.biz one is not
> REALLY going to help me, as it will change in the next spam!!!
>   

In general this applies to any "from" rule.
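The two points Matt makes (blacklist_from only sees From/Return-Path, and a DNSBL rule like RCVD_IN_SORBS_DUL only works if the trusted-network boundary picks the right relay IP) can be checked against the posted headers directly. The script below is an added example written for this thread; it is not SpamAssassin code and does not reproduce SpamAssassin's exact relay logic. The header block is constructed from the message above with the elided local parts replaced by placeholders, the public address of qmail.example.gov (192.0.2.10) is an assumption because the thread never gives it, and the DNSBL zone name is an assumption rather than something taken from the thread. No DNS lookup is performed; the script only builds the query name so it runs offline.

```python
"""Walk a Received chain against a trusted_networks list and test
blacklist_from globs against the sender headers.

Added example for the thread above, not code from SpamAssassin or the
posters.  Assumptions are marked inline.
"""
import ipaddress
import re
from fnmatch import fnmatch

# Constructed sample: the Received chain from the posted message, with the
# truncated address local parts replaced by placeholders.
SAMPLE_HEADERS = """\
Return-Path: <sender@nexion.biz>
Received: from qmail.example.gov (localhost [127.0.0.1])
    by qmail.example.gov (8.13.1/8.13.1) with ESMTP id l7JFvfer015649
    for <recipient@example.gov>; Sun, 19 Aug 2007 11:57:41 -0400
Received: from qmail.example.gov (root@localhost)
    by qmail.example.gov (8.13.1/8.13.1/Submit) with ESMTP id l7JFvehg015644
    for <recipient@example.gov>; Sun, 19 Aug 2007 11:57:40 -0400
Received: from host-81-190-191-196.kwidzyn.mm.pl
    (host-81-190-188-6.kwidzyn.mm.pl [81.190.188.6])
    by qmail.example.gov (Scalix SMTP Relay 11.0.2.17)
    via ESMTP; Sun, 19 Aug 2007 11:57:41 -0400 (EDT)
Received: from domusie ([171.155.47.160] helo=domusie)
    by host-81-190-191-196.kwidzyn.mm.pl ( sendmail 8.13.3/8.13.1) with esmtpa
    id 1JDKEi-000RGQ-nl
    for recipient@example.gov; Sun, 19 Aug 2007 18:27:43 +0200
From: "Nives koye" <sender@nexion.biz>
"""

# Assumption: the poster's MTA and SA box.  The thread never states the
# public address of qmail.example.gov, so 192.0.2.10 (RFC 5737) stands in.
TRUSTED_NETWORKS = ["127.0.0.0/8", "192.0.2.10/32"]

# Assumption: zone name used only to build a lookup string, never queried.
DUL_ZONE = "dul.dnsbl.sorbs.net"

HOP_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s*(?:\((?P<rdns>[^)]*)\))?\s*by\s+(?P<by>\S+)", re.I)
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def unfold(raw):
    """Join folded continuation lines (leading whitespace) onto their header."""
    lines = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and lines:
            lines[-1] += " " + line.strip()
        else:
            lines.append(line)
    return lines


def parse_received(raw):
    """Return hops newest-first: helo, rdns comment, 'by' host, peer IP or None."""
    hops = []
    for line in unfold(raw):
        if not line.lower().startswith("received:"):
            continue
        value = line.split(":", 1)[1].strip()
        m = HOP_RE.match(value)
        if not m:
            continue
        # Only the text before "by" describes the connecting peer.
        ipm = IP_RE.search(value[: m.start("by")])
        hops.append({"helo": m["helo"], "rdns": m["rdns"], "by": m["by"],
                     "ip": ipm.group(1) if ipm else None})
    return hops


def last_external_ip(hops, trusted):
    """First peer IP (newest hop first) outside the trusted networks.

    This is the address a DNSBL rule should be looking up.  With an empty
    or wrong trusted list the answer is a loopback or internal address,
    which no dial-up list will ever contain."""
    nets = [ipaddress.ip_network(n) for n in trusted]
    for hop in hops:
        if hop["ip"] is None:
            continue  # local submission record (root@localhost): no peer IP
        ip = ipaddress.ip_address(hop["ip"])
        if not any(ip in n for n in nets):
            return hop["ip"]
    return None


def dnsbl_query_name(ip, zone):
    """Reverse the octets and append the zone, the usual DNSBL query form."""
    return ".".join(reversed(ip.split("."))) + "." + zone


def sender_addresses(raw):
    """Addresses blacklist_from can see: From and Return-Path only."""
    addrs = []
    for line in unfold(raw):
        name, _, value = line.partition(":")
        if name.lower() in ("from", "return-path"):
            m = re.search(r"<([^>]+)>", value)
            addrs.append(m.group(1) if m else value.strip())
    return addrs


def blacklist_from_matches(pattern, addrs):
    """blacklist_from patterns are shell-style globs, matched case-insensitively."""
    return any(fnmatch(a.lower(), pattern.lower()) for a in addrs)


if __name__ == "__main__":
    hops = parse_received(SAMPLE_HEADERS)
    ext = last_external_ip(hops, TRUSTED_NETWORKS)
    print("last external relay:", ext)
    print("DUL query name:", dnsbl_query_name(ext, DUL_ZONE))
    print("with no trusted networks:", last_external_ip(hops, []))
    addrs = sender_addresses(SAMPLE_HEADERS)
    for pat in ("*.pl", "*@nexion.biz"):
        print("blacklist_from", pat, "->", blacklist_from_matches(pat, addrs))
```

With the assumed trusted list the walk stops at 81.190.188.6, the relay Matt points at; with an empty trusted list it stops at 127.0.0.1, which illustrates why a confused trusted_networks guess would keep RCVD_IN_SORBS_DUL from firing. The glob check shows that "*.pl" never matches because the .pl names live only in Received headers, while a pattern on the nexion.biz address would match this one message and nothing else.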