Posted to users@spamassassin.apache.org by "Taylor, Jonn" <jo...@taylortelephone.com> on 2011/07/20 03:15:15 UTC
Hundreds of spam from same email
I'm seeing hundreds of emails from mail.com but it's not coming from them.
Every few hours it jumps to a new server. Is anyone else getting them?
Jonn
Here is the current one I am getting.
Return-Path: <as...@sreg.dynalias.org>
Received: from qmta12.emeryville.ca.mail.comcast.net ([76.96.27.227] verified)
by taylortelephone.com (CommuniGate Pro SMTP 5.4.0)
with ESMTP id 6361267 for jonnt@taylortelephone.com; Tue, 19 Jul 2011 19:25:30 -0500
Received-SPF: none
receiver=taylortelephone.com; client-ip=76.96.27.227; envelope-from=asterisk@sreg.dynalias.org
Received: from omta21.emeryville.ca.mail.comcast.net ([76.96.30.88])
by qmta12.emeryville.ca.mail.comcast.net with comcast
id A0PY1h0031u4NiLAC0Phqo; Wed, 20 Jul 2011 00:23:41 +0000
Received: from sreg.dynalias.org ([67.181.18.78])
by omta21.emeryville.ca.mail.comcast.net with comcast
id A0Nb1h00B1h46uz8h0NfxZ; Wed, 20 Jul 2011 00:22:39 +0000
Received: by sreg.dynalias.org (Postfix, from userid 100)
id 0C7116B220D; Tue, 19 Jul 2011 02:29:54 -0700 (PDT)
Date: Tue, 19 Jul 2011 02:29:54 -0700
To: jonnt@taylortelephone.com
From: mail@inbox.com
Reply-To:
Subject: d
Message-ID: <91...@67.181.18.78>
X-Priority: 3
X-Mailer: PHPMailer (phpmailer.sourceforge.net) [version ]
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Content-Type: text/html; charset="iso-8859-1"
hi how are you nb
And one from earlier.
Return-Path: <as...@pbx.local>
Received: from [69.65.18.26] (HELO pbx.local)
by taylortelephone.com (CommuniGate Pro SMTP 5.4.0)
with ESMTP id 6357066 for jonnt@taylortelephone.com; Tue, 19 Jul 2011 04:33:01 -0500
Received: by pbx.local (Postfix, from userid 100)
id 1F6401F68893; Tue, 19 Jul 2011 04:31:17 -0500 (CDT)
Date: Tue, 19 Jul 2011 04:31:17 -0500
To: jonnt@taylortelephone.com
From: info@me.com
Reply-To:
Subject: ljh
Message-ID: <06...@69.65.18.26>
X-Priority: 3
X-Mailer: PHPMailer (phpmailer.sourceforge.net) [version ]
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Content-Type: text/html; charset="iso-8859-1"
hi how are you
And one more.
Return-Path: <as...@voipstarsystems.com>
Received: from mail2.dotsterhost.com ([72.5.54.127] verified)
by taylortelephone.com (CommuniGate Pro SMTP 5.4.0)
with SMTPS id 6357182 for jonnt@taylortelephone.com; Tue, 19 Jul 2011 04:56:38 -0500
Received-SPF: pass
receiver=taylortelephone.com; client-ip=72.5.54.127; envelope-from=asterisk@voipstarsystems.com
Received: (qmail 9270 invoked from network); 19 Jul 2011 09:54:53 -0000
Received: from unknown (HELO trixbox1.voipstarsystems.com) (asterisk@voipstarsystems.com@[66.238.61.86])
by 72.5.54.127 with ESMTPS (DHE-RSA-AES256-SHA encrypted); 19 Jul 2011 09:54:53 -0000
Received: by trixbox1.voipstarsystems.com (Postfix, from userid 100)
id 072CE316188D; Tue, 19 Jul 2011 02:29:01 -0700 (PDT)
Date: Tue, 19 Jul 2011 02:29:00 -0700
To: jonnt@taylortelephone.com
From: info@me.com
Reply-To:
Subject: kj
Message-ID: <fb...@66.238.61.86>
X-Priority: 3
X-Mailer: PHPMailer (phpmailer.sourceforge.net) [version ]
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Content-Type: text/html; charset="iso-8859-1"
hi how are you
Re: Hundreds of spam from same email
Posted by JPP <jp...@frws.com>.
On Tue, 19 Jul 2011 20:15:15 -0500, Taylor, Jonn wrote
> I'm seeing hundreds of emails from mail.com but it's not coming from them.
> Every few hours it jumps to a new server. Is anyone else getting them?
>
> Jonn
>
> Here is the current one I am getting.
>
> Return-Path: <as...@sreg.dynalias.org>
> Received: from qmta12.emeryville.ca.mail.comcast.net ([76.96.27.227] verified)
> by taylortelephone.com (CommuniGate Pro SMTP 5.4.0)
> with ESMTP id 6361267 for jonnt@taylortelephone.com; Tue, 19 Jul 2011 19:25:30 -0500
> Received-SPF: none
> receiver=taylortelephone.com; client-ip=76.96.27.227; envelope-from=asterisk@sreg.dynalias.org
> Received: from omta21.emeryville.ca.mail.comcast.net ([76.96.30.88])
> by qmta12.emeryville.ca.mail.comcast.net with comcast
> id A0PY1h0031u4NiLAC0Phqo; Wed, 20 Jul 2011 00:23:41 +0000
> Received: from sreg.dynalias.org ([67.181.18.78])
> by omta21.emeryville.ca.mail.comcast.net with comcast
> id A0Nb1h00B1h46uz8h0NfxZ; Wed, 20 Jul 2011 00:22:39 +0000
> Received: by sreg.dynalias.org (Postfix, from userid 100)
> id 0C7116B220D; Tue, 19 Jul 2011 02:29:54 -0700 (PDT)
> Date: Tue, 19 Jul 2011 02:29:54 -0700
> To: jonnt@taylortelephone.com
> From: mail@inbox.com
> Reply-To:
> Subject: d
> Message-ID: <91...@67.181.18.78>
> X-Priority: 3
> X-Mailer: PHPMailer (phpmailer.sourceforge.net) [version ]
> MIME-Version: 1.0
> Content-Transfer-Encoding: 8bit
> Content-Type: text/html; charset="iso-8859-1"
>
> hi how are you nb
>
> And one from earlier.
>
> Return-Path: <as...@pbx.local>
> Received: from [69.65.18.26] (HELO pbx.local)
> by taylortelephone.com (CommuniGate Pro SMTP 5.4.0)
> with ESMTP id 6357066 for jonnt@taylortelephone.com; Tue, 19 Jul 2011 04:33:01 -0500
> Received: by pbx.local (Postfix, from userid 100)
> id 1F6401F68893; Tue, 19 Jul 2011 04:31:17 -0500 (CDT)
> Date: Tue, 19 Jul 2011 04:31:17 -0500
> To: jonnt@taylortelephone.com
> From: info@me.com
> Reply-To:
> Subject: ljh
> Message-ID: <06...@69.65.18.26>
> X-Priority: 3
> X-Mailer: PHPMailer (phpmailer.sourceforge.net) [version ]
> MIME-Version: 1.0
> Content-Transfer-Encoding: 8bit
> Content-Type: text/html; charset="iso-8859-1"
>
> hi how are you
>
> And one more.
>
> Return-Path: <as...@voipstarsystems.com>
> Received: from mail2.dotsterhost.com ([72.5.54.127] verified)
> by taylortelephone.com (CommuniGate Pro SMTP 5.4.0)
> with SMTPS id 6357182 for jonnt@taylortelephone.com; Tue, 19 Jul 2011 04:56:38 -0500
> Received-SPF: pass
> receiver=taylortelephone.com; client-ip=72.5.54.127; envelope-from=asterisk@voipstarsystems.com
> Received: (qmail 9270 invoked from network); 19 Jul 2011 09:54:53 -0000
> Received: from unknown (HELO trixbox1.voipstarsystems.com) (asterisk@voipstarsystems.com@[66.238.61.86])
> by 72.5.54.127 with ESMTPS (DHE-RSA-AES256-SHA encrypted); 19 Jul 2011 09:54:53 -0000
> Received: by trixbox1.voipstarsystems.com (Postfix, from userid 100)
> id 072CE316188D; Tue, 19 Jul 2011 02:29:01 -0700 (PDT)
> Date: Tue, 19 Jul 2011 02:29:00 -0700
> To: jonnt@taylortelephone.com
> From: info@me.com
> Reply-To:
> Subject: kj
> Message-ID: <fb...@66.238.61.86>
> X-Priority: 3
> X-Mailer: PHPMailer (phpmailer.sourceforge.net) [version ]
> MIME-Version: 1.0
> Content-Transfer-Encoding: 8bit
> Content-Type: text/html; charset="iso-8859-1"
>
> hi how are you
Looks to me like they are using a PHPMailer script off one of your
webservers? Does it send an email to an address they provide? Maybe they are
trying to exploit it?
Just a thought!
JPP
--
FRWS WebMail (http://www.frws.com)
Cause you deserve Spam and Virus free email...
Re: Hundreds of spam from same email
Posted by Karsten Bräckelmann <gu...@rudersport.de>.
Please keep list threads on-list. Even such "thanks, solved" follow-ups
are worthwhile. :)
On Wed, 2011-07-20 at 07:23 -0500, Taylor, Jonn wrote:
> On 07/19/2011 10:04 PM, Karsten Bräckelmann wrote:
[...]
> > Catching those (or at least scoring them severely higher) should be
> > easy. All your samples have a lot in common. Among that is
> >
> > * Their Return-Path :addr (the envelope from) is /^asterisk\@/ in all
> > cases.
> > * The X-Mailer header always matches a spurious / \[version \]/.
[...]
> > Score each of the above moderately, like say 1.0, and score a meta rule
> > matching all three additionally. Almost certain to generate no FPs.
> Thank you for the reply. The latest ones are scoring at 4.9, so I should
> be able to make some slight adjustments to get these to score higher.
Definitely, even scored very moderately, each of the opportunities for a
short rule should single-handedly push the spam over the threshold.
--
char *t="\10pse\0r\0dtu\0.@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4";
main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;i<l;i++){ i%8? c<<=1:
(c=*++x); c&128 && (s+=h); if (!(h>>=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}
Re: Hundreds of spam from same email
Posted by Karsten Bräckelmann <gu...@rudersport.de>.
On Tue, 2011-07-19 at 20:15 -0500, Taylor, Jonn wrote:
> I'm seeing hundreds of emails from mail.com but it's not coming from them.
> Every few hours it jumps to a new server. Is anyone else getting them?
None of the three samples you pasted are "from mail.com" as you said.
Neither the cosmetic From header, nor the Envelope From. BTW, please do
NOT forward spam to the list. Put it up somewhere instead, maybe a
pastebin, and send the link.
Catching those (or at least scoring them severely higher) should be
easy. All your samples have a lot in common. Among that is
* Their Return-Path :addr (the envelope from) is /^asterisk\@/ in all
cases.
* The X-Mailer header always matches a spurious / \[version \]/.
* The first Received header (making it strictly the first in the SA rule
is left to the reader and rather irrelevant to catch the spam) matches
in all cases / \(Postfix, from userid 100\)/.
* A Reply-To header exists, but is entirely empty. Probably not that
easy to make a SA rule, though, depending on your SA version. If you
can, score it higher on sight.
Not even to mention the opportunities for scoring on the very short, max
3 chars Subject or body.
Score each of the above moderately, like say 1.0, and score a meta rule
matching all three additionally. Almost certain to generate no FPs.
And to answer the other part of the question: Nope, I have not seen
anything like that myself, on any of my systems.
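A SpamAssassin local rule set that implements the checks Karsten lists above (envelope sender, X-Mailer, Postfix userid 100 Received line, empty Reply-To, tiny Subject, plus the meta rule), written here as an added example and not taken from the thread or from the SpamAssassin project; the LOCAL_* rule names, the 0.5 scores on the two weaker rules and the 3.0 meta score are my own assumptions.

```spamassassin
# Added example: local rules for the PHPMailer "asterisk@" spam in this thread.
# Rule names and the 0.5 / 3.0 scores are assumptions, not from the thread.
# Put this in a local .cf (e.g. /etc/mail/spamassassin/local.cf), run
# `spamassassin --lint`, then check a saved sample with `spamassassin -t < sample.eml`.

# Envelope sender (Return-Path) begins with asterisk@
header   LOCAL_ASTERISK_ENVFROM   Return-Path:addr =~ /^asterisk\@/i
describe LOCAL_ASTERISK_ENVFROM   Envelope sender is asterisk@...
score    LOCAL_ASTERISK_ENVFROM   1.0

# PHPMailer X-Mailer with an empty version string: "[version ]"
header   LOCAL_PHPMAILER_NOVER    X-Mailer =~ / \[version \]/
describe LOCAL_PHPMAILER_NOVER    PHPMailer X-Mailer with empty version
score    LOCAL_PHPMAILER_NOVER    1.0

# A Received header added by a local Postfix submission from userid 100
# (a plain "Received" header rule is matched against all Received headers)
header   LOCAL_POSTFIX_UID100     Received =~ /\(Postfix, from userid 100\)/
describe LOCAL_POSTFIX_UID100     Received via Postfix from userid 100
score    LOCAL_POSTFIX_UID100     1.0

# Reply-To present but empty. Karsten notes this may not work on every
# SA version; lint and test against a sample before relying on it.
header   LOCAL_EMPTY_REPLYTO      Reply-To =~ /^\s*$/
describe LOCAL_EMPTY_REPLYTO      Reply-To header exists but is empty
score    LOCAL_EMPTY_REPLYTO      0.5

# Subject of at most three non-space characters ("d", "ljh", "kj")
header   LOCAL_TINY_SUBJECT       Subject =~ /^\s*\S{1,3}\s*$/
describe LOCAL_TINY_SUBJECT       Subject is three characters or fewer
score    LOCAL_TINY_SUBJECT       0.5

# Meta rule: the three strong indicators together. A message hitting all of
# them scores 1.0*3 + 3.0 = 6.0, above the default required_score of 5.0,
# while no single rule can push a legitimate message over on its own.
meta     LOCAL_ASTERISK_PHPMAILER (LOCAL_ASTERISK_ENVFROM && LOCAL_PHPMAILER_NOVER && LOCAL_POSTFIX_UID100)
describe LOCAL_ASTERISK_PHPMAILER asterisk@ envelope + PHPMailer no version + Postfix uid 100
score    LOCAL_ASTERISK_PHPMAILER 3.0
```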