> > For those that would like to investigate, the messages are in the > attached ZIP. It looks like simple Spamming but I can not assure > there are no other issues of concern. >
Put full (redacted) plaint text source message. I can't believe that message headers do not contain ip addresses. What is this 202.29.234.42? Your spamassassin should not even be processing messages from 202.29.234.42. Your incoming mail server should not accept mail from ip's that do no have a correct reverse[2]. Then it is on a dnsbl. So it should be stopped at that stage. [1] [@scripts]# testrbl.sh 202.29.234.42 202.29.234.42 zen.spamhaus.org 127.0.0.11 "https://www.spamhaus.org/query/ip/202.29.234.42" bl.spamcop.net dul.rbl-dns.com rbl.xxxx.xxx rblacc.xxxx.xxx whitelist.xxxx.xxx [2] [@syslog1 scripts]# digall.sh 202.29.234.42 .. 202.29.234.31 202.29.234.32 202.29.234.33 202.29.234.34 202.29.234.35 202.29.234.36 202.29.234.37 202.29.234.38 202.29.234.39 202.29.234.40 202.29.234.41 202.29.234.42 202.29.234.43 202.29.234.44 202.29.234.45 202.29.234.46 202.29.234.47 202.29.234.48 202.29.234.49 202.29.234.50 202.29.234.51 202.29.234.52 202.29.234.53 ... [@syslog1 scripts]# digall.sh 209.85.219.47 209.85.219.0 209.85.219.1 mail-qv1-f1.google.com. 209.85.219.2 mail-qv1-f2.google.com. 209.85.219.3 mail-qv1-f3.google.com. 209.85.219.4 mail-qv1-f4.google.com. 209.85.219.5 mail-qv1-f5.google.com. 209.85.219.6 mail-qv1-f6.google.com. 209.85.219.7 mail-qv1-f7.google.com. 209.85.219.8 mail-qv1-f8.google.com. 209.85.219.9 mail-qv1-f9.google.com.