On Sun, Jun 27, 2004 at 08:48:09PM +0200, Michelle Konzack wrote:
> Currently I have gotten more than 600.000 racist SPAMs from Germany.
> All coming from dynamic IPs and not found by the attached INCLUDERC.
> Now I have the idea to check the dynamic IP against port 25 and not
> for DUL, which means, if the SPAM is sent from a virus-infected system,
> I will get no answer if I check the port 25 of the sending IP.

I think you're trying too hard to be clever. I get some of those
fascistic German spam messages too. Every one I've gotten (a few
dozen, certainly not 600,000) has been stopped easily by my existing
longstanding header checks for spam.
From my logs:
===> SUBJECT is >Auslaendergewalt: Herr Rau, wo waren Sie? '7283'<
===> TO is >undisclosed-recipients: ;<
===> CC is not present
===> MSGID is <9b6509bf71d3da(_dot_)2a082(_dot_)qmail(_at_)seic(_dot_)com><
===> DH is >Sat, 26 Jun 2004 10:48:40 GMT<
===> FOGGYCLIENT is >pwnqaeyo.com ([63.227.130.132])<
===> CTYPE is >text/plain<
===> XM is >Mail-SMTP V3.96<
: We're exiting Section HEADERS
: We're entering Section VIRUS
: We're exiting Section VIRUS
: We're entering Section PRECAUTIONS
: We're exiting Section PRECAUTIONS
: We're entering Section WHITELISTS
: We're exiting Section WHITELISTS
: We're entering Section TRUST
>> TRUST has changed from 3 to 0 <<
: We're exiting Section TRUST
: We're entering Section SPAMSNAG
: We're exiting Section SPAMSNAG
: We're entering Section DELIVERY
> Recipe-ID: UBE.TRUST<LOWEST, UBE.SJ.END+(SPACEY|NUMS|NOVOWELS) <
From APeracchia(_at_)seic(_dot_)com Sat Jun 26 12:55:12 2004
Subject: Auslaendergewalt: Herr Rau, wo waren Sie? '7283'
Folder: .myspam/msg.o36U 4272
See that "7283" on the right of the subject? They don't all have
that sort of thing, but lots of them do. That's a good place to start.
This message didn't get even close to landing in my spool, and all checks
performed are only my standard header checks written 1-2 years ago.
Here's the end of the log entry from one that did *not* have those numbers
at the end of the Subject but was nonetheless caught:
> Recipe-ID: UBE.RC.LOW_COUNT+TO.!ME+TRUST<HIGH <
From t-online(_dot_)deSMTPw(_dot_)vitt(_at_)t-online(_dot_)de Tue Jun 22 15:34:28 2004
Subject: Mehr fuer Auslaender als fuer Deutsche tun!
Folder: .myspam/msg.dx84 1207
Hell, just blocking on the word "Auslaender" in the subject and without
the user appearing in the To line would be a good start!
--
dman
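
An added example, not part of dman's message and not his procmail recipes: a Python sketch of the two header checks the reply points to, a quoted digit run at the end of the Subject and the keyword in the Subject while the recipient is absent from To/Cc. The address me@example.org, the reason labels and the sample messages are assumptions constructed for illustration.

```python
import re
from email import message_from_string
from email.header import decode_header, make_header
from email.utils import getaddresses

# Assumption: the addresses this mailbox legitimately receives mail for.
MY_ADDRESSES = {"me@example.org"}

# Keyword from the reply; also matches the umlaut spelling.
KEYWORD = re.compile(r"ausl(?:ae|ä)nder", re.IGNORECASE)
# Quoted run of digits at the very end of the Subject, e.g. "... '7283'".
TRAILING_NUMS = re.compile(r"'\d+'\s*$")


def addressed_to_me(msg):
    """True if one of MY_ADDRESSES appears in To or Cc."""
    fields = msg.get_all("To", []) + msg.get_all("Cc", [])
    return any(addr.lower() in MY_ADDRESSES for _, addr in getaddresses(fields))


def classify(raw):
    """Return the labels (hypothetical names) of the header checks that fire."""
    msg = message_from_string(raw)
    # Decode RFC 2047 encoded words so an encoded Subject cannot dodge the match.
    subject = str(make_header(decode_header(msg.get("Subject", ""))))
    reasons = []
    if TRAILING_NUMS.search(subject):
        reasons.append("SUBJECT.END.NUMS")
    if KEYWORD.search(subject) and not addressed_to_me(msg):
        reasons.append("SUBJECT.KEYWORD+TO.!ME")
    return reasons


# Constructed samples; the first two reuse Subject/To values from the log above.
SPAM_NUMS = ("To: undisclosed-recipients: ;\n"
             "Subject: Auslaendergewalt: Herr Rau, wo waren Sie? '7283'\n\nbody\n")
SPAM_PLAIN = ("To: someone-else@example.net\n"
              "Subject: Mehr fuer Auslaender als fuer Deutsche tun!\n\nbody\n")
LEGIT = ("To: Me <me@example.org>\n"
         "Subject: Re: blocking on Auslaender in the subject\n\nbody\n")

if __name__ == "__main__":
    for name, raw in (("SPAM_NUMS", SPAM_NUMS), ("SPAM_PLAIN", SPAM_PLAIN), ("LEGIT", LEGIT)):
        print(name, classify(raw))
```

The third sample shows why the keyword check is paired with the To/Cc test: a message addressed to the recipient that merely mentions the word is not flagged.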