Spammer whitelisted by spamd. How?

Sat, 04 Feb 2017 01:04:19 -0800

Can someone explain how the spammer at 81.7.16.33 got white listed by spamd and delivered 3 spam emails to me? What exactly triggered the white listing?
I may not understand spamd's behavior, but according to the spamd log below, the spammer attempted only 5 deliveries via spamd, each with a different envelope-from address. Correct? 


If so, shouldn't white listing be considered only if, during passtime, 
the retries from a GREY host contain the same envelope-from and 
envelope-to? Legitimate mail would be resent with the same 
envelope-from/-to, but spammers (this one in particular) often do not. 
Ensuring consistent envelope addresses may be a way to stop more spam. No?



# passtime set short as I'm currently experimenting
$ rcctl get spamd | grep flags
spamd_flags=-G 1:10:1080

$ fgrep 81.7.16.33 /var/log/spamd
Feb  3 16:58:27 zeus spamd[34374]: 81.7.16.33: connected (3/1)

Feb  3 17:00:05 zeus spamd[21625]: new entry 81.7.16.33 from 
<requ...@minyu1esc.com> to <cl...@t...com>, helo minyu1esc.com
Feb  3 17:00:10 zeus spamd[34374]: 81.7.16.33: disconnected after 103 
seconds.

Feb  3 17:06:50 zeus spamd[34374]: 81.7.16.33: connected (3/2)

Feb  3 17:07:10 zeus spamd[21625]: new entry 81.7.16.33 from 
<viticult...@minyu1esc.com> to <cl...@t...com>, helo minyu1esc.com
Feb  3 17:07:10 zeus spamd[34374]: 81.7.16.33: disconnected after 20 
seconds.

Feb  3 17:07:47 zeus spamd[34374]: 81.7.16.33: connected (3/2)

Feb  3 17:08:00 zeus spamd[21625]: new entry 81.7.16.33 from 
<unlan...@minyu1esc.com> to <cl...@t...com>, helo minyu1esc.com
Feb  3 17:08:02 zeus spamd[34374]: 81.7.16.33: disconnected after 15 
seconds.

Feb  3 17:08:28 zeus spamd[34374]: 81.7.16.33: connected (4/3)

Feb  3 17:08:41 zeus spamd[21625]: new entry 81.7.16.33 from 
<preballanc...@minyu1esc.com> to <cl...@t...com>, helo minyu1esc.com
Feb  3 17:08:41 zeus spamd[34374]: 81.7.16.33: disconnected after 13 
seconds.

Feb  3 17:10:22 zeus spamd[34374]: 81.7.16.33: connected (4/3)

Feb  3 17:10:39 zeus spamd[21625]: new entry 81.7.16.33 from 
<synonym...@minyu1esc.com> to <cl...@t...com>, helo minyu1esc.com
Feb  3 17:10:39 zeus spamd[34374]: 81.7.16.33: disconnected after 17 
seconds.

Feb  3 17:12:13 zeus spamd[34374]: 81.7.16.33: connected (5/4)

Feb  3 17:12:29 zeus spamd[34374]: 81.7.16.33: disconnected after 16 
seconds.

Feb  3 17:12:50 zeus spamd[17428]: queueing add of 81.7.16.33
Feb  3 17:12:50 zeus spamd[17428]: whitelisting 81.7.16.33 in /var/db/spamd























					Reply via email to