Tony,
Not sure if it is because a host from 95.45.226.126 seems to be using its domain to traffic services.

Here is the link for bigpuddle.net
http://www.dnsstuff.com/tools/dnsreport?domain=bigpuddle.net&format=raw&loadresults=true&token=0351777ac0e8c1390256b1040d873012

Here is the report on the reverse lookup for IP 95.45.226.126
http://www.dnsstuff.com/tools/ptr?ip=95.45.226.126&server=&token=0341a3dac642c3da0ad6d40411bad019

Here is another report on IP 95.45.226.126
http://www.dnsstuff.com/tools/ipall?ip=95.45.226.126

Looks as if it is a spambot originating out of Ireland with no reverse entry or authenticity.
Definitely a spamborg thingy LOL.

I would do at least a 95.45.:deny in my tcp.rules, or add a drop rule for the whole /15 block in your firewall for SMTP port 25.

iptables -A INPUT -p tcp -s 95.44.0.0/15 --dport 25 -j DROP

If you ever need to whitelist an IP in this block, place it before this rule set:

iptables -A INPUT -p tcp -s 95.44.20.2/32 --dport 25 -j ACCEPT   # /32 = this one host only

This is why I like spamdyke: I can remove these rules from my firewall and let spamdyke do all the work, just by adding or removing the IP, domain or sender from a list.

Hope this helps.

--Dave
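The two firewall rules above, replayed through a small first-match simulation. This is an added example, not code from Dave's message or from any tool named in the thread: it parses the subset of iptables syntax used here (-A/-I, -p, -s, --dport, -j) and walks the chain the way the kernel does, first match wins. It shows two things worth checking before typing the rules: iptables masks off host bits, so a whitelist entry written with the block's mask (95.44.20.2/15) is the same rule as 95.44.0.0/15 and opens the whole block, and -A appends, so an ACCEPT appended after the DROP is never reached; a /32 inserted with -I is. The addresses are the thread's; the chain model and a default ACCEPT policy are assumptions.

```python
"""First-match simulation of the iptables INPUT rules discussed in the thread.

Added example for illustration only; it does not touch a real firewall.
Assumptions: the chain's default policy is ACCEPT, rules use only the
options seen in the thread, and -I with no position inserts at the top.
"""
import ipaddress

DROP_BLOCK = "iptables -A INPUT -p tcp -s 95.44.0.0/15 --dport 25 -j DROP"
# Host address written with the block's mask: host bits are masked off, so
# this matches the whole /15, and -A places it after the DROP anyway.
ACCEPT_WRONG = "iptables -A INPUT -p tcp -s 95.44.20.2/15 --dport 25 -j ACCEPT"
# A single host (/32), inserted at the top of the chain so it is seen first.
ACCEPT_RIGHT = "iptables -I INPUT -p tcp -s 95.44.20.2/32 --dport 25 -j ACCEPT"


def parse_rule(rule):
    """Parse one 'iptables -A|-I CHAIN -p PROTO -s CIDR --dport N -j TARGET' line."""
    tokens = rule.split()
    if tokens and tokens[0] == "iptables":
        tokens = tokens[1:]
    r = {"insert": False, "chain": None, "proto": None, "src": None,
         "dport": None, "target": None}
    # every option in this subset takes exactly one argument
    for opt, arg in zip(tokens[0::2], tokens[1::2]):
        if opt in ("-A", "-I"):
            r["insert"] = opt == "-I"
            r["chain"] = arg
        elif opt == "-p":
            r["proto"] = arg
        elif opt == "-s":
            # strict=False mirrors iptables: host bits beyond the mask are dropped
            r["src"] = ipaddress.ip_network(arg, strict=False)
        elif opt == "--dport":
            r["dport"] = int(arg)
        elif opt == "-j":
            r["target"] = arg
        else:
            raise ValueError("option not modelled by this example: %s" % opt)
    return r


def build_chain(rules):
    """Apply the rules in script order: -A appends, -I inserts at position 1."""
    chain = []
    for rule in rules:
        r = parse_rule(rule)
        if r["insert"]:
            chain.insert(0, r)
        else:
            chain.append(r)
    return chain


def evaluate(chain, src_ip, dport, proto="tcp", policy="ACCEPT"):
    """Return the target of the first rule matching the packet, else the policy."""
    ip = ipaddress.ip_address(src_ip)
    for r in chain:
        if r["proto"] is not None and r["proto"] != proto:
            continue
        if r["src"] is not None and ip not in r["src"]:
            continue
        if r["dport"] is not None and r["dport"] != dport:
            continue
        return r["target"]
    return policy


if __name__ == "__main__":
    wrong = build_chain([DROP_BLOCK, ACCEPT_WRONG])
    right = build_chain([DROP_BLOCK, ACCEPT_RIGHT])
    print("ACCEPT_WRONG really matches", wrong[1]["src"])
    for ip in ("95.44.20.2", "95.45.226.126", "95.46.0.1"):
        print(ip, "wrong chain:", evaluate(wrong, ip, 25),
              "right chain:", evaluate(right, ip, 25))
```

The same check is worth running against a real ruleset with `iptables -L INPUT -n --line-numbers`, which prints rules in evaluation order with the masks as the kernel stored them.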
 
On 11/28/2010 8:07 PM, Tony White wrote:
Hi Dave,
  Are you suggesting that the server bigpuddle.net has been hijacked?
If so how did you come to that conclusion and what would the remedy be?


On 29/11/2010 12:17 PM, David Milholen wrote:
If you want you could drop the host (95.45.226.126) in tcp.rules.
I would :)
I did a DNS report on all the listed domains and none of them reference back to any of the listed domains within the email.
Looks as if a web server with an open mail service has been hijacked.

Here is the IP for the MX record for rolex.com: 91.121.225.225
The one for bigpuddle.net
(0 mail.bigpuddle.net. [TTL=7200] IP=111.223.234.146 (No Glue) [TTL=6840] [AU])

Here is the other, from 1seabridge.com:
10 mailin.rzone.de. [TTL=7200] IP=81.169.145.102 (No Glue) [TTL=1800] [DE]

Notice I ripped those from the report.

If you are using SpamAssassin then you may be able to match the Received: header for bigpuddle.net.

All done while playing DoD:Source, jamming to my favorite hard house techno and doing some catching up on some code :)
I luv my new multiheaded system :)

--Dave

On 11/28/2010 5:57 PM, Eric Shubert wrote:
chkuser does not use badmailfrom/badmailto. chkuser simply does some sanity checks.

badmailfrom/badmailto is part of qmail-smtpd itself (not sure if it's a patch or not).

Does that clear things up?

On 11/28/2010 04:13 PM, Tony White wrote:
Hi Eric,
Not sure I understand your response here!
The badmailfrom is the file I am using, yet you are suggesting I use the
"Delivered-To" address, which I assumed was used in the badmailto file?

Anyway here is the header...

 From - Sat Nov 27 03:54:12 2010
X-Account-Key: account3
X-UIDL: 1290790248.26966.indialau.bigpuddle.net,S=3431
X-Mozilla-Status: 0001
X-Mozilla-Status2: 00000000
X-Mozilla-Keys:
Return-Path:<[email protected]>
Delivered-To: [email protected]
Received: (qmail 26962 invoked by uid 89); 26 Nov 2010 16:50:47 -0000
Received: from unknown (HELO ?95.45.226.126?) (95.45.226.126)
by indialau.bigpuddle.net with SMTP; 26 Nov 2010 16:50:47 -0000
Received-SPF: none (indialau.bigpuddle.net: domain at 1seabridge.com
does not designate permitted sender hosts)
From: Rolex.com<[email protected]>
To: [email protected]
Subject: [email protected] Rolex.com Now -71%
Mime-Version: 1.0
Content-Type: text/html; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable


I chose the @rolex.com as it was what is seen in the logs and using
vwatchall.

Extract from log
2010-11-29 09:58:14.937637500 CHKUSER accepted sender: from
<[email protected]::>
2010-11-29 10:08:20.529856500 CHKUSER accepted sender: from
<[email protected]::>

As can be seen from this, chkuser is accepting the @rolex.com but
then spamdyke refuses it!
My issue is, why does chkuser accept the sender when it is in the
badmailfrom list? If chkuser denied the connection based on the rolex.com
in badmailfrom then spamdyke would not be called.




On 29/11/2010 9:16 AM, Eric Shubert wrote:
On 11/28/2010 03:08 PM, Tony White wrote:
Hi folks,
I am still trying to block a number of emails with the badmailfrom list.
Eric instigated the regex-type expressions for me, but the entire operation
does not seem to be working.
I have some 150 addresses in the file and none of them are blocked.

Example
....@rolex\.com$
....@ozgameshop\.com$
\.yourfreeworld\.com$
eli...@gmail\.com$


The rolex one is the primary interest as it seems to get through no
matter what I do. Is it my regex expressions or does badmailfrom/
badmailto simply not work?

thanks...


To begin with, the .* at the beginning isn't needed. It will match
that without the specification, as there is no ^ indicating the
beginning of the string.

I'm wondering, are you looking at the correct recipient address? There
are 2, one on the 'envelope' and one on the message itself. These 2
addresses don't necessarily match, and often do not with spam. On the
messages that are getting through, take a look at the "Delivered-To:"
header. This is the address that badmailfrom will filter.

Is that perhaps the problem you're having?






-- 

David Milholen
Project Engineer
P:501-318-1300