If you want you could drop the host (95.45.226.126) in Tcp.rules.
I would :)
I did a DNS report on all the listed domains and none of them reference back to any of the listed domains within the email.
Looks as if a web server with an open mail service has been hijacked.
Here is the IP for the MX record for rolex.com: 91.121.225.225
The one for bigpuddle.net
(0 mail.bigpuddle.net. [TTL=7200] IP=111.223.234.146 (No Glue)
[TTL=6840] [AU])
Here is the other from 1seabridge.com:
10 mailin.rzone.de. [TTL=7200] IP=81.169.145.102 (No Glue)
[TTL=1800] [DE]
Notice I ripped those from the report.
If you are using SpamAssassin then you may be able to match the Received: from header for bigpuddle.net.
All done while playing DOD:Source, jamming to favorite hard house techno and doing some catching up on some code :)
I luv my new multiheaded system :)
--Dave
On 11/28/2010 5:57 PM, Eric Shubert wrote:
chkuser does not use badmailfrom/badmailto. chkuser simply does some sanity checks.
badmailfrom/badmailto is part of qmail-smtpd itself (not sure if it's a patch or not).
Does that clear things up?
On 11/28/2010 04:13 PM, Tony White wrote:
Hi Eric,
Not sure I understand your response here!
The badmailfrom is the file I am using yet you are suggesting I use the "Deliver To" address which I assumed was used in the Badmailto file?
Anyway here is the header...
From - Sat Nov 27 03:54:12 2010
X-Account-Key: account3
X-UIDL: 1290790248.26966.indialau.bigpuddle.net,S=3431
X-Mozilla-Status: 0001
X-Mozilla-Status2: 00000000
X-Mozilla-Keys:
Return-Path:<[email protected]>
Delivered-To: [email protected]
Received: (qmail 26962 invoked by uid 89); 26 Nov 2010 16:50:47
-0000
Received: from unknown (HELO ?95.45.226.126?) (95.45.226.126)
by indialau.bigpuddle.net with SMTP; 26 Nov 2010 16:50:47 -0000
Received-SPF: none (indialau.bigpuddle.net: domain at
1seabridge.com
does not designate permitted sender hosts)
From: Rolex.com<[email protected]>
To: [email protected]
Subject: [email protected] Rolex.com Now -71%
Mime-Version: 1.0
Content-Type: text/html; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
I chose the @rolex.com as it was what is seen in the logs and using vwatchall.
Extract from log
2010-11-29 09:58:14.937637500 CHKUSER accepted sender: from <[email protected]::>
2010-11-29 10:08:20.529856500 CHKUSER accepted sender: from <[email protected]::>
As can be seen from this, chkuser is accepting the @rolex.com but then spamdyke refuses it!
My issue is, why does chkuser accept the sender when it is in the badmailfrom list? If chkuser denied the connection based on the rolex.com in badmailfrom then spamdyke would not be called.
On 29/11/2010 9:16 AM, Eric Shubert wrote:
On 11/28/2010 03:08 PM, Tony White
wrote:
Hi folks,
I am trying, still, to block a number of emails in the Badmailfrom list.
Eric instigated the regex type expressions for me; the entire operation does not seem to be working.
I have some 150 addresses in the file and none of them are blocked.
Example
....@rolex\.com$
....@ozgameshop\.com$
\.yourfreeworld\.com$
eli...@gmail\.com$
The rolex one is the primary interest as it seems to get through no matter what I do. Is it my regex expressions or does badmailfrom/badmailto simply not work?
thanks...
To begin with, the .* at the beginning isn't needed. It will match that without the specification, as there is no ^ indicating the beginning of the string.
I'm wondering, are you looking at the correct recipient address? There are 2, one on the 'envelope' and one on the message itself. These 2 addresses don't necessarily match, and often do not with spam. On the messages that are getting through, take a look at the "Delivered-To:" header. This is the address that badmailfrom will filter.
Is that perhaps the problem you're having?
--

David Milholen
Project Engineer
P:501-318-1300