Greetings,

I'm seeing incoming spam at a rate of 2-3 a minute per user and I'm having trouble properly identifying these as spam with spamassassin. Or, alternatively, blocking them.
It appears that each mail is sent by a unique IP, so it doesn't look like a simple firewall rule will stop this. There are certain characteristics that seem to match on most of these, though. Firstly, the To: address in the header is a non-existent user at my domain. The actual user receiving the mail, however, appears to be a BCC recipient. And lastly, if you hit the domain via http, it forwards to PayDayAngels, which a lot of these mails seem to be doing.

It doesn't appear that these messages are triggering many rules at all, however. Does anyone have any idea how I can trigger on these and block them?

Return-Path: <[EMAIL PROTECTED]>
Delivered-To: [EMAIL PROTECTED]
Received: (qmail 25527 invoked by uid 89); 11 May 2007 22:24:10 -0000
Received: by simscan 1.2.0 ppid: 25000, pid: 25501, t: 1.7225s
    scanners: clamav: 0.90/m:42 spam: 3.1.7
X-Spam-Checker-Version: SpamAssassin 3.2.0 (2007-05-01) on mail1.example.com
X-Spam-Level:
X-Spam-Status: No, score=0.9 required=5.0 tests=SPF_HELO_PASS,URIBL_RHS_DOB
    autolearn=no version=3.2.0
Received: from crowflies43.mowcraving.com (65.111.26.43)
    by 0 with SMTP; 11 May 2007 22:24:09 -0000
Received-SPF: pass ((null): domain of [EMAIL PROTECTED] designates 65.111.26.43 as permitted sender) receiver=(null); client_ip=65.111.26.43; envelope-fr [EMAIL PROTECTED];
X-Originating-Email: [EMAIL PROTECTED]
X-Sender: [EMAIL PROTECTED]
From: "DirectInsureOnline" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Subject: If an emergency strikes. Does your insurance protect your loved ones?
Date: Fri, 11 May 2007 18:17:40 -0500
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
Message-ID: <[EMAIL PROTECTED]>

Thanks,

--
Jason 'XenoPhage' Frisvold
[EMAIL PROTECTED]
http://blog.godshell.com
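
The two header traits described in the post (a To: address that names no real mailbox at the local domain, and a Delivered-To recipient that is absent from To/Cc) can be tested together; the following is an added example, not part of the original post. The domain `example.com`, the mailbox set, the sample messages and the function names are assumptions, as is the idea that Delivered-To carries the envelope recipient, optionally with a qmail virtual-domain prefix.

```python
from email import message_from_string
from email.utils import getaddresses

LOCAL_DOMAIN = "example.com"      # assumption: the receiving domain
VALID_USERS = {"alice", "bob"}    # assumption: mailboxes that really exist

def addrs(msg, *names):
    """Lower-cased addresses found in the named headers."""
    values = [v for n in names for v in msg.get_all(n, [])]
    return {a.lower() for _, a in getaddresses(values) if "@" in a}

def bcc_to_unknown_user(raw, domain=LOCAL_DOMAIN, users=VALID_USERS):
    """True when every visible To/Cc address at our domain is a non-existent
    mailbox AND the envelope recipient is not listed in To/Cc (BCC delivery)."""
    msg = message_from_string(raw)
    suffix = "@" + domain
    delivered = set()
    for a in addrs(msg, "Delivered-To"):
        local = a.split("@")[0]
        # Assumption: a virtual-domain setup may prefix the local part
        # with "<domain>-"; strip it to recover the mailbox address.
        if local.startswith(domain + "-"):
            a = local[len(domain) + 1:] + suffix
        delivered.add(a)
    visible = addrs(msg, "To", "Cc")
    ours = {a for a in visible if a.endswith(suffix)}
    if not delivered or not ours:
        return False          # nothing to compare (e.g. list mail)
    all_unknown = all(a[:-len(suffix)] not in users for a in ours)
    return all_unknown and delivered.isdisjoint(visible)

def make(delivered_to, to):
    """Build a constructed sample message (not real traffic)."""
    return (f"Delivered-To: {delivered_to}\n"
            f'From: "Sender" <sender@mailer.invalid>\n'
            f"To: <{to}>\nSubject: constructed sample\n\nbody\n")

SPAM = make("alice@example.com", "nosuchuser@example.com")
SPAM_PREFIXED = make("example.com-alice@example.com", "qzx17@example.com")
LEGIT_BCC = make("alice@example.com", "bob@example.com")
LEGIT_DIRECT = make("alice@example.com", "alice@example.com")
LIST_MAIL = make("alice@example.com", "users@lists.invalid")

if __name__ == "__main__":
    for name in ("SPAM", "SPAM_PREFIXED", "LEGIT_BCC", "LEGIT_DIRECT", "LIST_MAIL"):
        print(name, bcc_to_unknown_user(globals()[name]))
```

A legitimate BCC to a real colleague and ordinary mailing-list traffic are left alone because the check requires both traits at once.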