lots of spam getting through lately???

mickalo

Well-Known Member
Apr 16, 2002
782
5
318
N.W. Iowa
Yes local senders always connect through the smtp server from a private address. Outside senders connecting to the smtp directly with private addresses is likely a spammer using a bulk mailing soft from their machines.

Sorry the mistake, here the complete acl:

deny message = RFC 1918 IP address in HELO.
log_message = RFC 1918 IP address
!hosts = +relay_hosts
!authenticated = *
condition = ${if match {$sender_helo_name}{\N^(\[)?(10\.[0-9]{1,3}|172\.(1[6-9]|2[0-9]|31)|192\.168)\.[0-9]{1,3}\.[0-9]{1,3}(\])?$\N}{yes}{no}}



Now this will prevent local senders from being refused. :D

I will post a acl rule that blocks lot of stocks spam.. stay tuned :cool:
Look forward to it :)

thx's
Mickalo
 

Solokron

Well-Known Member
Aug 8, 2003
852
2
168
Seattle
cPanel Access Level
DataCenter Provider
Let me know how it works. My first implementation of the RFC1918 rule ended up in blocking all email.
 

mctDarren

Well-Known Member
Jan 6, 2004
662
6
168
New Jersey
cPanel Access Level
Root Administrator
Anyone else getting hammered with "EQSE" stock spam? Happy to say our setup is stopping 99% of them. Over 8,000 since midnight (9 hours) on one box I am checking right now. Exactly 15 got through. Chirpy's Mailscanner setup, a well trained Bayesian database and zero custom filters required. One happy admin this morning...
 

mohit

Well-Known Member
Jul 12, 2005
553
0
166
Sticky On Internet
Anyone else getting hammered with "EQSE" stock spam?

yes one of my box had 50+ on my own a/c itself.
Any solution to stop this STOCK Bullshi* ????:mad:

I setup block for this in antivirus.exim but other image spams are still attacking

i think having mail scanner on this box would be having a lot of load issues so any other solution ????

see ya,
mohit
 

Un Area

Well-Known Member
Nov 16, 2006
90
1
156
Solokron, you should put the last rule that avoid local senders from being refused. All mail coming to the server from a host machine with a private address is spam.

Please post the log of what is being refused. Thanks.
 

mctDarren

Well-Known Member
Jan 6, 2004
662
6
168
New Jersey
cPanel Access Level
Root Administrator
Interesting post on the SA mailing list today - some folks are saying they are seeing the text phrase "[email protected]" in the message-id of alot of the spam they are getting. I did a quick SQL search through my bayes db and see none, but might be worth a check. I might stick in an ACL on our boxes that denies messages with this phrase if I hear people finding it here...
 
Last edited:

AndyReed

Well-Known Member
PartnerNOC
May 29, 2004
2,217
4
193
Minneapolis, MN
Anyone else getting hammered with "EQSE" stock spam?
Mailscanner is a great application, yet you can achieve the same results of killing 99% of SPAM without it. You need a good set of SA rules from: http://www.rulesemporium.com/rules.htm, SA supporting modules/extensions, and a well written procedure in /etc/antivirus.exim. Now, to kill those SPAM with keywords including EQSE or hi it's, copy and paste the following syntax into your /etc/antivirus.exim:

Code:
#
# ServerTune Exim filter to delete SAPM that contains any of the following keywords
#
if     $header_subject: contains "wrote" or
        $header_subject: contains "The Ultimate Online Pharmaceutical" or
        $header_subject: contains "hi it's" or
        $header_subject: contains "hi It's" or
        $header_subject: contains "EQSE" or
        $message_body: contains "Maya 7" or
        $message_body: contains "Hoodia" or
        then
seen finish
endif
When done, save the file, restart exim and spamd. Wait a few minutes and then run this command to see if it's working:
grep "discarded (system filter)" /var/log/exim_mainlog
You can also run this command and watch the system discard SPAM with the keywords mentioned above:
tail -f /var/log/exim_mainlog

By the way, the vast majority of SPAM with "wrote:" in the subject line can be purged using SARE_STOCKS ruleset for Spamassassin at: http://www.rulesemporium.com/rules.htm#stocks

Enjoy :)
 
Last edited:

mctDarren

Well-Known Member
Jan 6, 2004
662
6
168
New Jersey
cPanel Access Level
Root Administrator
Mailscanner is a great application, yet you can achieve the same results of killing 99% of SPAM without it.
No, Andy, I cannot. As I have said before - I like the flexibility MailScanner offers both myself and my hosting customers. I actually choose to run MS believe it or not. The easy way is to create a quick rule that blocks all email with the words "hi its" in it. For me, I would rather let them all through then see one customer lose one email to a false positive hit.

Which was my point in posting my success. Despite the fact that I don't simply create a quick rule, those emails are still being blocked. Because we train databases, and use SARE rules, and DCC, Razor and RBLs - all combined with MailScanner. Throw a little bit of work at the problem and it pays off in spades.

Case in point: I subscribe to the SARE Users mailing list. There is a thread of mail now entitled Re: [Sare-users] "hi it's" advice. My system let them all through, while still blocking all the spam ones. Well in the interest of being honest, it let through 7 of 3,462 "Hi it's" SPAM emails yesterday on the same box. Your filter in Exim would have blocked them all...

Appreciate your advice, hope it helps someone else. For me, I feel I am on the right path. :D
 
Last edited:

rhenderson

Well-Known Member
Apr 21, 2005
778
2
168
Oklahoma
cPanel Access Level
Root Administrator
I installed it yesterday and it seems to be useful. Together with the SARE stock rules most of the stock spam is being filtered.

One question though, where do you guys install the spamassassin plugins? I added the ImageInfo.pm to /usr/lib/perl5/site_perl/5.8.7/Mail/SpamAssassin/Plugin/ since that's where I found other plugins.

Upgrading perl would obviously mean I would have to reinstall the plugin. Doesn't it make more sense to create a directory /etc/mail/spamassassin/plugins and change the spamassassin plugin path?

You can put it wherever you want and assign the path to it in your init.pre, look at the top of the ImageInfo.pm for the instructions.
 

bsasninja

Well-Known Member
Sep 2, 2004
527
0
166
I have this at antivirus.exim, adding .gif to the rule, this will block emails with .gif attachments. Ok someone knows if it affects embedded gif images?
I hope spam assasin launchs a new version with the image procesing patch included on it.

Bye


# Look for .pif, .scr or .exe in files and REMOVE them!
if $header_content-type: matches "(?:file)?name=(\"[^\"]+\\\\.(?:ad[ep]|exe|pif|scr)\")"
then
seen finish
endif

# same again using unquoted filename [content_type_unquoted_fn_match]
if $header_content-type: matches "(?:file)?name=(\\\\S+\\\\.(?:ad[ep]|exe|pif|scr))"
then
seen finish
endif

# Look for .pif, .scr or .exe in files and REMOVE them!
# Quoted filename - [body_quoted_fn_match]
if $message_body matches "(?:Content-(?:Type:(?>\\\\s*)[\\\\w-]+/[\\\\w-]+|Disposition:(?>\\\\s*)attachment);(?>\\\\s*)(?:f ile)?name=|begin(?>\\\\s+)[0-7]{3,4}(?>\\\\s+))(\"[^\"]+\\\\.(?:ad[ep]|exe|pif|scr)\")[\\\\s;]"
then
seen finish
endif

# same again using unquoted filename [body_unquoted_fn_match]
if $message_body matches "(?:Content-(?:Type:(?>\\\\s*)[\\\\w-]+/[\\\\w-]+|Disposition:(?>\\\\s*)attachment);(?>\\\\s*)(?:f ile)?name=|begin(?>\\\\s+)[0-7]{3,4}(?>\\\\s+))(\\\\S+\\\\.(?:ad[ep]|exe|pif|scr))[\\\\s;]"
then
seen finish
endif
 
Last edited:

wzd

Well-Known Member
Dec 16, 2005
120
1
168
South Africa
cPanel Access Level
Root Administrator
There's been an upsurge int he past few months of zombie spam in which no two emails are alike with embedded images and completely random content.

It's usually stock advice or once again sexual supplement email coming from smartrx.org
----

I'm stuck with just spamassasin and antivirus.exim to protect myself against the spammers. I feel like i'm naked :mad:

Configserv's Mailscanner sounds good but can't use it cause running FreeBSD

Anyone had any luck using fuzzyOCR to stop this image based spam?
 

Un Area

Well-Known Member
Nov 16, 2006
90
1
156
I will post a "home made" rule later that reduce Image Spam at least a 50% (works at antivirus.exim). You know 50% of the image spam is attached as a gif file and the other 50% is embedded into the message.

The rule may be kinda rude cause it deletes all email received to the server that includes .gif attachments. So if a legitimate user is sending for example a gif banner or something to one of the customers in the server as an attachment, it´ll be deleted. (or you can make a white list to avoid some address from being deleted ;) )

The only thing you can to is to tell your customers (to avoid complaints), is to explain them the image spam situation nowadays and have the gif files compressed with zip or rar. (you can do this meanwhile until a good solution to this be done)

The rule doesnt affect users from the server sending out gif files. This ones can be sent without any problem.

The rule is applied to esmtpb, no to the esmtpa (authenticated one).

With this you will only receive those image spam with embedded gif in them. Gif file attachment will be deleted and logged into a file for further research.

Also i have other rule that filters by content-type, for example korean iso, 7-bit, etc will be blocked if you want.

Sometime in the near future spammers change their methods and use jpg instead of gif an so on with other extensions. We have to wait spamassassin next release (I suppose 3.1.8) if it has some solution to this.
This is a war that never ends.

Regards
 
Last edited:

Solokron

Well-Known Member
Aug 8, 2003
852
2
168
Seattle
cPanel Access Level
DataCenter Provider
How are clients supposed to send cyber pics with a rule like that?! :)

In all seriousness, viewing the threads an individual has already posted such rule. I am not so sure I agree with it as it takes a lot of functionality away that many clients expect.

I will post a "home made" rule later that reduce Image Spam at least a 50% (works at antivirus.exim). You know 50% of the image spam is attached as a gif file and the other 50% is embedded into the message.

The rule may be kinda rude cause it deletes all email received to the server that includes .gif attachments. So if a legitimate user is sending for example a gif banner or something to one of the customers in the server as an attachment, it´ll be deleted. (or you can make a white list to avoid some address from being deleted ;) )

The only thing you can to is to tell your customers (to avoid complaints), is to explain them the image spam situation nowadays and have the gif files compressed with zip or rar. (you can do this meanwhile until a good solution to this be done)

The rule doesnt affect users from the server sending out gif files. This ones can be sent without any problem.

The rule is applied to esmtpb, no to the esmtpa (authenticated one).

With this you will only receive those image spam with embedded gif in them. Gif file attachment will be deleted and logged into a file for further research.

Also i have other rule that filters by content-type, for example korean iso, 7-bit, etc will be blocked if you want.

Sometime in the near future spammers change their methods and use jpg instead of gif an so on with other extensions. We have to wait spamassassin next release (I suppose 3.1.8) if it has some solution to this.
This is a war that never ends.

Regards