same spam here, and ClamAV is kicking ass:
Message ID: m1-99462-30667
Session: 7F3FB66EEBB8
Remote IP: 85.39.186.201
Subject: Ihre Mobilfunk - Rechnung vom 04.11.2014 im Anhang als PDF
Sender: fauna...@vodafone.com <fauna...@vodafone.com>
Recipients(s): [..]
Virus Detected: 'Sanesecurity.Foxhole.Zip_pdf.UNOFFICIAL(ca2d76f66dbfb3f5770252a02bbe2bd8:17622)'

I would suggest you implement AV check with Foxhole signatures if you haven't yet (and virus scan enabled for whitelisted as well).

don't know if this will help, but here is my log for this kind of spam:

Nov-04-14 12:11:15 m1-99462-30667 [Worker_1] [TLS-out] 85.39.186.201 <fauna...@vodafone.com> to: [..] Message-Score: added 42 for DNSBL: neutral, 85.39.186.201 listed in l2.apews.org psbl.surriel.com, total score for this message is now 42
Nov-04-14 12:11:16 m1-99462-30667 [Worker_1] [TLS-out] 85.39.186.201 <fauna...@vodafone.com> to: [..] Message-Score: added 20 for BombSubjectRe '[!empty string!]', total score for this message is now 62
Nov-04-14 12:11:16 m1-99462-30667 [Worker_1] [TLS-out] 85.39.186.201 <fauna...@vodafone.com> to: [..] Message-Score: added 20 for invalid HELO: 'speedtouch.lan', total score for this message is now 82
Nov-04-14 12:11:17 m1-99462-30667 [Worker_1] [TLS-out] 85.39.186.201 <fauna...@vodafone.com> to: [..] Message-Score: added 49 for Bayesian Probability: 0.99991, total score for this message is now 131
Nov-04-14 12:11:17 m1-99462-30667 [Worker_1] [TLS-out] [MessageLimit] 85.39.186.201 <fauna...@vodafone.com> to: [...] [spam found] (MessageScore 131, limit 50) [Ihre Mobilfunk Rechnung vom 04 11 2014 im Anhang als PDF] -> spam/Ihre_Mobilfunk_Rechnung_vom_04_11_2014_im_Anhang_a--846171.eml;
Nov-04-14 12:14:32 m1-99462-30667 [Worker_1] [TLS-out] 85.39.186.201 <fauna...@vodafone.com> to: [..] ClamAV: scanned 17622 bytes in file spam/Ihre_Mobilfunk_Rechnung_vom_04_11_2014_im_Anhang_a--846171.eml - FOUND Sanesecurity.Foxhole.Zip_pdf.UNOFFICIAL(ca2d76f66dbfb3f5770252a02bbe2bd8:17622)
Nov-04-14 12:14:32 m1-99462-30667 [Worker_1] [TLS-out] 85.39.186.201 <fauna...@vodafone.com> to: [..] Message-Score: added 50 (vdValencePB) for virus detected: 'Sanesecurity.Foxhole.Zip_pdf.UNOFFICIAL(ca2d76f66dbfb3f5770252a02bbe2bd8:17622)', total score for this message is now 181

so, it seems that my ASSP is doing its job in this specific case (even if ips, helos and addresses may change).

you could try to see if, where and how the message gets scored and set some assp check mandatory even for whitelisted.

choose the solution that fits your environment but don't focus on data that may vary a lot from mail to mail (ip, helo, senders...)

regards,
aqx

On Tue, Nov 4, 2014 at 12:24 PM, Christian Leicht <use...@schani.com> wrote:
> This time a lot of spam from vodafone goes through. There are bills
> but clearly spam.
>
> I need to put @vodafone.de on the Whitelist. Some Users need to get
> mails from Vodafone.
> How can I prevent this?
>
> Christian
>
>
> Return-Path: <coordinat...@vodafone.de>
> Delivered-To: christ...@xxx.xx
> Received: from it (localhost.localdomain [127.0.0.1])
>     by xxx.xx (Postfix) with ESMTP id 6B4C4BD42CD
>     for <christ...@xxx.xx>; Tue, 4 Nov 2014 12:13:50 +0100 (CET)
> Received: from net-188-219-67-34.cust.vodafonedsl.it ([188.219.67.34]
>     helo=it) by xxx.xx with SMTP (2.4.4); 4 Nov 2014 12:13:43 +0100
> Received: from [87.8.33.15] (helo=hamlbovsaryex.zifhdwyoshqz.com)
>     by it with esmtpa (Exim 4.69)
>     (envelope-from )
>     id 1MMAQY-7576zg-M9
>     for christ...@xxx.xx; Tue, 4 Nov 2014 12:13:56 +0100
> Received: from [11.84.9.50] (helo=jqougkild.lzdxhrpvrt.info)
>     by it with esmtpa (Exim 4.69)
>     (envelope-from )
>     id 1MMJYC-5729ln-EX
>     for christ...@xxx.xx; Tue, 4 Nov 2014 12:13:56 +0100
> Date: Tue, 4 Nov 2014 12:13:56 +0100
> From: <vodafone-onlinerechn...@vodafone.com>
> To: <christ...@xxx.xx>
> Subject: Ihre Mobilfunk - Rechnung vom 04.11.2014 im Anhang als PDF
> MIME-Version: 1.0
> X-Priority: 3
> Message-ID: <30931795742378.39205660.55435...@ihknqrlva.pwcpbe.tv>
> Content-Type: multipart/mixed;
>     boundary="----=a__davjcp_26_00_13"
> X-Assp-ID: xxx.xx wwl7-99630-05985
> X-Assp-Session: 7F6A806EA7D8 (mail 1)
> X-Assp-Detected-RIP: 11.84.9.50, 87.8.33.15
> X-Assp-Source-IP: 11.84.9.50
> X-Assp-Envelope-From: coordinat...@vodafone.de
> X-Assp-Intended-For: xxx.xx
> X-Assp-Original-Subject: Ihre Mobilfunk - Rechnung vom 04.11.2014 im
>     Anhang als PDF
> X-Assp-Version: 2.4.4(14307) on xxx.xx
> X-Assp-Delay: not delayed (whitelisted); 4 Nov 2014 12:13:52 +0100
> X-Assp-Whitelisted: Yes (whiteListedDomains '@vodafone.de')
>
>
> ------------------------------------------------------------------------------
> _______________________________________________
> Assp-user mailing list
> Assp-user@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/assp-user
>

-- 
"Madness, like small fish, runs in hosts, in vast numbers of instances."
No one combs my hair as well as the wind.
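
One way to see where a message's score comes from, as the reply above suggests. This is an added example, not part of the original post and not ASSP code: it parses the Message-Score lines from the posted log and splits the total into checks tied to the connecting IP or HELO and checks tied to the content. The `VOLATILE_CHECKS` grouping and the function names are assumptions of this example.

```python
import re

# Message-Score lines taken from the log in the post (addresses elided as posted).
SAMPLE_LOG = """\
Nov-04-14 12:11:15 m1-99462-30667 [Worker_1] [TLS-out] 85.39.186.201 <fauna...@vodafone.com> to: [..] Message-Score: added 42 for DNSBL: neutral, 85.39.186.201 listed in l2.apews.org psbl.surriel.com, total score for this message is now 42
Nov-04-14 12:11:16 m1-99462-30667 [Worker_1] [TLS-out] 85.39.186.201 <fauna...@vodafone.com> to: [..] Message-Score: added 20 for BombSubjectRe '[!empty string!]', total score for this message is now 62
Nov-04-14 12:11:16 m1-99462-30667 [Worker_1] [TLS-out] 85.39.186.201 <fauna...@vodafone.com> to: [..] Message-Score: added 20 for invalid HELO: 'speedtouch.lan', total score for this message is now 82
Nov-04-14 12:11:17 m1-99462-30667 [Worker_1] [TLS-out] 85.39.186.201 <fauna...@vodafone.com> to: [..] Message-Score: added 49 for Bayesian Probability: 0.99991, total score for this message is now 131
Nov-04-14 12:14:32 m1-99462-30667 [Worker_1] [TLS-out] 85.39.186.201 <fauna...@vodafone.com> to: [..] Message-Score: added 50 (vdValencePB) for virus detected: 'Sanesecurity.Foxhole.Zip_pdf.UNOFFICIAL(ca2d76f66dbfb3f5770252a02bbe2bd8:17622)', total score for this message is now 181
"""

SCORE_RE = re.compile(
    r"^\S+ \S+ (?P<msgid>\S+) .*?Message-Score: added (?P<points>-?\d+) "
    r"(?:\(\w+\) )?for (?P<reason>.+), total score for this message is now (?P<total>-?\d+)"
)

# Assumption of this example: checks keyed on the connecting IP or HELO are
# "volatile" (they change from mail to mail); everything else is content-based.
VOLATILE_CHECKS = {"DNSBL", "invalid HELO"}

def parse_scores(log):
    """Return {message_id: [(check, points, running_total), ...]}."""
    messages = {}
    for line in log.splitlines():
        m = SCORE_RE.match(line)
        if not m:
            continue  # not a Message-Score line
        # The check name is the text before the first ':' or quoted argument.
        check = re.split(r":| '", m["reason"], maxsplit=1)[0].strip()
        messages.setdefault(m["msgid"], []).append(
            (check, int(m["points"]), int(m["total"])))
    return messages

def summarize(entries, limit):
    """Split one message's score into volatile and content-based parts."""
    running = 0
    for check, points, total in entries:
        running += points
        if running != total:  # a score line is missing from the excerpt
            raise ValueError(f"running total mismatch at {check!r}")
    volatile = sum(p for c, p, _ in entries if c in VOLATILE_CHECKS)
    content = running - volatile
    return {"total": running, "volatile": volatile, "content": content,
            "content_exceeds_limit": content > limit}

if __name__ == "__main__":
    for msgid, entries in parse_scores(SAMPLE_LOG).items():
        print(msgid, summarize(entries, limit=50))  # limit 50 as shown in the log
```

For the posted message the content-based checks alone contribute 119 points against the limit of 50 shown in the log, so the verdict does not depend on the sending IP or HELO.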