Lately we've been getting slammed by spam. The bulk of it (no pun intended) is coming from new domains (many just a day or two old) which originate from key-systems gmbh, and all use RRPPROXY.NET as their name servers such as this snippet from whois:

    Domain Name: WATTSMINDANDBODYLAB.COM
    Registrar: KEY-SYSTEMS GMBH
    Sponsoring Registrar IANA ID: 269
    Whois Server: whois.rrpproxy.net
    Referral URL: http://www.key-systems.net
    Name Server: NS1.RRPPROXY.NET
    Name Server: NS2.RRPPROXY.NET
    Name Server: NS3.RRPPROXY.NET
    Status: ok http://www.icann.org/epp#OK
    Updated Date: 19-feb-2015
    Creation Date: 19-feb-2015
    Expiration Date: 19-feb-2016

The Day Old Bread rules don't seem to catch them. The message is posted in pastebin: http://pastebin.com/9FhgEiwa

My scores for this are:

SpamAssassin Score: 4.71
Spam Report:

    Score   Matching Rule       Description
            cached              score=4.711
    5       required
    -0.00   BAYES_20            Bayesian spam probability is 5 to 20%
    2.50    CBJ_Dementia        Mail with dementia
    1.50    CBJ_Sicko           Disease related spam
    0.00    HTML_MESSAGE        HTML included in message
    0.72    MIME_HTML_ONLY      Message only has text/html MIME parts
    -0.00   SPF_HELO_PASS       SPF: HELO matches SPF record
    -0.00   SPF_PASS            SPF: sender matches SPF record
    -0.01   T_RP_MATCHES_RCVD

Is there a way to reject or up the score on anything that is served up by that name server or registrar? I was thinking maybe putting the rrpproxy.net nameserver in my dns as 127.0.0.1, on the theory that if it doesn't resolve the message will be rejected at the MTA level. It would be nice to have a bit more control over it, just in case however.

Any pearls of wisdom?

Thanks...

...Kevin
--
Kevin Miller
Network/email Administrator, CBJ MIS Dept.
155 South Seward Street
Juneau, Alaska 99801
Phone: (907) 586-0242, Fax: (907) 586-4500
Registered Linux User No: 307357
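
An added example, not part of the post above and not SpamAssassin's own code: one way to turn the pattern described (all name servers under rrpproxy.net plus a creation date only days old) into a check over WHOIS text, which a scoring hook could call. The function names, the 7-day threshold and the one-field-per-line sample record are assumptions.

```python
import re
from datetime import date, datetime

# Constructed sample: WHOIS fields quoted in the post, one per line.
SAMPLE_WHOIS = """\
Domain Name: WATTSMINDANDBODYLAB.COM
Registrar: KEY-SYSTEMS GMBH
Name Server: NS1.RRPPROXY.NET
Name Server: NS2.RRPPROXY.NET
Name Server: NS3.RRPPROXY.NET
Creation Date: 19-feb-2015
"""

WATCHED_NS_SUFFIXES = ("rrpproxy.net",)  # name-server domain named in the post
MAX_AGE_DAYS = 7                         # assumption: "new" means a week or less


def parse_whois(text):
    """Collect 'Key: value' lines; repeated keys (Name Server) become lists."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r"\s*([A-Za-z ]+?):\s*(\S.*)$", line)
        if m:
            fields.setdefault(m.group(1).strip().lower(), []).append(m.group(2).strip())
    return fields


def under_suffix(host, suffix):
    """True for the suffix itself or a real subdomain, not 'evilrrpproxy.net'."""
    host = host.lower().rstrip(".")
    return host == suffix or host.endswith("." + suffix)


def assess(text, today):
    """Return NS match, domain age in days, and whether both conditions hold."""
    f = parse_whois(text)
    ns = f.get("name server", [])
    watched = bool(ns) and all(
        any(under_suffix(h, s) for s in WATCHED_NS_SUFFIXES) for h in ns)
    created = f.get("creation date", [None])[0]
    age = None
    if created:
        try:
            age = (today - datetime.strptime(created, "%d-%b-%Y").date()).days
        except ValueError:
            pass  # unknown date format: leave age unknown rather than guess
    return {"watched_ns": watched, "age_days": age,
            "flag": watched and age is not None and 0 <= age <= MAX_AGE_DAYS}
```

Requiring both conditions keeps long-established domains that merely use the same name servers from being flagged.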