spamassassin-users October 2010 archive

Re: Constant .info domain spam

From: Karsten Bräckelmann <guenther_at_nospam>
Date: Tue Oct 12 2010 - 22:40:42 GMT
To: users@spamassassin.apache.org

On Wed, 2010-10-13 at 11:16 +1300, Peter Lowish wrote:
> How are RCVD_IN_* rules implemented Karsten?

They are generally DNS BL checks, some of which do (and are safe for)
deep header parsing. Most of them are checked against the handing-over
relay's IP only, though.

They are enabled (by default) by the skip_rbl_checks option, set to 0.
If they have not been disabled deliberately or erroneously, a lack of
such rule hits indicates a DNS problem. (If you are using your ISP's DNS
directly or as a forwarder, a local caching non-forwarding DNS usually
solves it.)

Of course, your trusted and internal networks must be correct. SA is
good at guessing them in most cases, but a more complicated setup might
need tweaking.

I mentioned it specifically, because you stated that the reported IPs
send a lot of spam. Thus, they are most likely to be listed with some of
the RBLs.

Can't say more, because you didn't include any information regarding
your environment.

> I have similar spam being sent from such addresses as
> bidwars.uyjqm@trgide.soldiersupplywell.net and I don’t see that rule in the
> matching rules

The sender frequently is forged, or registered for abusive purposes with
a freemail provider. The left-hand part after the dot looks suspiciously
like a forgery.

Anyway, the sender address is irrelevant in the context of relay IP
checks. Like the submitting host's IP, as you mentioned.

What I am missing is an answer to my question, whether you are seeing *ANY*
of such rule hits -- and if so, which, and how frequently.

> Running mailwatch for mailscanner with spamassassin

Please do not top-post, and remove unnecessary parts of the quote.
Answering each question right below where it was asked would show you
quickly what's missing. Like, the actual answer to my previous question.

> -----Original Message-----
> From: Karsten Bräckelmann [mailto:guenther@rudersport.de]
> Sent: Wednesday, 13 October 2010 10:05 a.m.
> To: users@spamassassin.apache.org
> Subject: Re: Constant .info domain spam
>
> On Tue, 2010-10-12 at 10:32 -1000, Julian Yap wrote:
> > NOTE: I changed the domains below to 'dot info' as the mailing list
> > rejected my initial submission.
> >
> > I'm pretty sure it's not just me but there is some constant spamming
> > from dot info domains. Perhaps for the past 2 months or so.
> >
> > Often they send hundreds per day and consistently from the same IP's.
> >
> > Are people using automated IP blacklists or something like that?
>
> Yes. SA even uses them by default.
>
> What do your SA rules triggered look like? Check your identified spam.
> Do you see RCVD_IN_* rules?
>
> If not, you are having DNS problems, or deliberately disabled those
> network checks.

-- char *t="\10pse\0r\0dtu\0.@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4"; main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;i<l;i++){ i%8? c<<=1: (c=*++x); c&128 && (s+=h); if (!(h>>=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}
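An added example, not code from the thread or from SpamAssassin, that walks through the mechanism described above in Python: pick the handing-over relay out of a Received chain using the trusted networks, build the reversed-octet DNSBL query name, and show why a failing resolver yields no RCVD_IN_* hit at all. The Received headers, the zone name `dnsbl.example`, the addresses (RFC 5737 ranges) and both stub resolvers are constructed for the example.

```python
import ipaddress
import re

# Constructed sample Received chain, newest header (our own MX) first,
# which is the order SpamAssassin walks it.
RECEIVED_HEADERS = [
    "from mx.example.org (mx.example.org [192.0.2.10]) by mail.example.org",
    "from relay.example.net (unknown [198.51.100.77]) by mx.example.org",
    "from localhost (127.0.0.1) by relay.example.net",
]
TRUSTED_NETWORKS = ["192.0.2.0/24", "127.0.0.0/8"]   # constructed trusted_networks

IP_RE = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")

def handing_over_relay(received, trusted):
    """First relay in the chain that is NOT inside trusted_networks: the host
    that handed the message to our infrastructure. Most RCVD_IN_* rules only
    check this IP, so a wrong trusted_networks setting silently shifts it."""
    nets = [ipaddress.ip_network(n) for n in trusted]
    for hdr in received:
        m = IP_RE.search(hdr)
        if not m:
            continue
        ip = ipaddress.ip_address(m.group(0))
        if not any(ip in n for n in nets):
            return str(ip)
    return None

def dnsbl_name(ip, zone):
    """Reverse the octets and append the list zone: 192.0.2.1 -> 1.2.0.192.zone"""
    return ".".join(reversed(ip.split("."))) + "." + zone

def check_rbls(ip, zones, resolve, skip_rbl_checks=0):
    """Return {zone: 'listed' | 'clean' | 'dns_error'} for the relay IP.
    resolve(name) must return the A records ([] for NXDOMAIN) and raise an
    OSError on lookup failure; a real deployment would plug in a DNS library."""
    if skip_rbl_checks:
        return {}                      # skip_rbl_checks 1: no RCVD_IN_* rules at all
    results = {}
    for zone in zones:
        try:
            answers = resolve(dnsbl_name(ip, zone))
        except OSError:
            results[zone] = "dns_error"  # indistinguishable from "clean" in rule hits
            continue
        results[zone] = "listed" if any(a.startswith("127.") for a in answers) else "clean"
    return results

# Constructed stub resolvers standing in for real DNS (no network needed).
LISTED = {"77.100.51.198.dnsbl.example": ["127.0.0.2"]}
def working_resolver(name):
    return LISTED.get(name, [])
def broken_resolver(name):
    raise TimeoutError("resolver unreachable")   # TimeoutError is an OSError

if __name__ == "__main__":
    relay = handing_over_relay(RECEIVED_HEADERS, TRUSTED_NETWORKS)
    print(relay, check_rbls(relay, ["dnsbl.example"], working_resolver))
    print(relay, check_rbls(relay, ["dnsbl.example"], broken_resolver))
```

With the broken resolver every zone reports `dns_error`, which is exactly the "no RCVD_IN_* hits" symptom the reply attributes to a DNS problem rather than to the lists being clean.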