[EMAIL PROTECTED](Bart Silverstrim)  16.05.05 11:05


>I did enter it in when I first discovered it, but there were no hits.

Ok, next time mention it ;-)

>I thought perhaps it was too new at the time, and then turned to the
>lists to corroborate what I was seeing.

>> Many of them are pointing to websites of
>> reputable printed newsletters/magazines like "Der Spiegel".

>Apparently it will be very hard to block if it's just text without
>extra spammer tricks in it to bypass filters...

There is a list of known subjects which can be fed into
SpamAssassin.
But in a few days that spam will stop.


>or at least not enough
>to cross the threshold of spam vs. regular mail.

>> Write complaints to the owners of the IP blocks!
>>   The "MAIL FROM" is always faked.
>>   The URL-owner is mostly "innocent" too.
>>
>> Block all mails from dynamic IP.
>> They are 99,99% spam.

>Is there a way to do that with the access file/postmap in postfix?
>Block sender IPs/IP blocks?

Sounds good.
There are "RBL" realtime blacklists which list all known dynamic IPs.
Another way is to trigger on strings like
"dial" "dyn" "ADSL" "cable" in the reverse name.
Rejecting all IPs which do not have an rDNS is helpful too.
But have an exact look at the logfiles!

>I thought it was odd that our hammering from particular sober.p
>infections were consistent in IP. 

I scanned our logfile today:
there were 

>If they were spoofing (this was from the logs that I extracted that grep), 
>then why wouldn't I have 16000 different sober.p sources instead of a 
>few of them over and over?

They use 16000 different home PCs infected before.
TCP/IP spoofing is very difficult, and if they could do it,
they would use it just to send spam.

But there are also bigger engines "owned".


Rainer
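As an added example (not from the thread or from the Postfix project), the three checks Rainer describes expressed as Postfix restrictions, in the log-only form he recommends before trusting them. The file paths, the RBL zone name and the map file name are assumptions, and it assumes a Postfix release that has reject_unknown_reverse_client_hostname.

```ini
# /etc/postfix/main.cf fragment (added example; the paths, the RBL zone
# name and the map file name are assumptions, not taken from the thread).
#
# Order: trusted networks first, then the three heuristics from the thread:
#  1. an RBL that lists dynamic address ranges,
#  2. a pcre map that rejects "dynamic-looking" reverse names,
#  3. rejecting clients whose IP has no reverse (PTR) record at all.
# warn_if_reject turns the rule that follows it into a log-only rule, so the
# effect can be read from the mail log before any mail is actually refused.
# Remove each warn_if_reject only once the log shows no legitimate senders
# being caught by that rule.
smtpd_client_restrictions =
    permit_mynetworks,
    warn_if_reject reject_rbl_client dynamic-ranges.rbl.example,
    warn_if_reject check_client_access pcre:/etc/postfix/client_checks.pcre,
    warn_if_reject reject_unknown_reverse_client_hostname

# /etc/postfix/client_checks.pcre (pcre: maps are read directly; no postmap run)
# The pattern is applied to the client's reverse name as a whole string.
# Case-insensitive prefix match on a label: dial-up, dynXX, adsl, cable...
# Deliberately loose, which is why it starts under warn_if_reject above.
/(^|[.-])(dial|dyn|adsl|cable)/i    REJECT dynamic client address, use your ISP's mail server
```

Each rejection (or would-be rejection under warn_if_reject) is written to the mail log with the matching rule, which is the "exact look at the logfiles" the message asks for.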

_______________________________________________
http://lurker.clamav.net/list/clamav-users.html