Marc (et al.) -
Thank you for the reply. I will first admit that my SA skills are
very dated. I have not actively managed the product in over ten years.
I distributed the 9 messages as a ZIP file because there were so many
immediate instances. I typically refrain from trying to redact an
example because it does not give a full picture and I may redact what
someone else considers an important part. I'm sure you understand
the other reasons for not sending "real" plain text examples.
I believe I understand your analysis of the IPs you referenced, but I
don't find that Thailand IP or the Google IPs in my examples. The IPs
included in the headers are 10.221.57.15 (useless) and 209.85.208.169,
which Google says "Received-SPF: pass (domain of gmail.com designates
209.85.208.169 as permitted sender)", apparently relating to
"Authentication-Results: atlas110.aol.mail.ne1.yahoo.com;". I am not
capable of reading more out of the headers.
If you, or others, are interested in researching how this traffic can
be identified as spam, I am interested in learning about the process.
- JimF
At 4/27/2023 12:21 AM, Marc wrote:
> >
> > For those that would like to investigate, the messages are in the
> > attached ZIP. It looks like simple spamming but I cannot assure
> > there are no other issues of concern.
> >
> Put full (redacted) plain text source message. I can't believe that
> message headers do not contain IP addresses. What is this 202.29.234.42?
> Your SpamAssassin should not even be processing messages from
> 202.29.234.42. Your incoming mail server should not accept mail from
> IPs that do not have a correct reverse[2]. Then it is on a dnsbl. So
> it should be stopped at that stage.
> [1]
> [@scripts]# testrbl.sh 202.29.234.42
> 202.29.234.42
> zen.spamhaus.org 127.0.0.11
> "https://www.spamhaus.org/query/ip/202.29.234.42;
> bl.spamcop.net
> dul.rbl-dns.com
> rbl..xxx
> rblacc..xxx
> whitelist..xxx
> [2]
> [@syslog1 scripts]# digall.sh 202.29.234.42
> ..
> 202.29.234.31
> 202.29.234.32
> 202.29.234.33
> 202.29.234.34
> 202.29.234.35
> 202.29.234.36
> 202.29.234.37
> 202.29.234.38
> 202.29.234.39
> 202.29.234.40
> 202.29.234.41
> 202.29.234.42
> 202.29.234.43
> 202.29.234.44
> 202.29.234.45
> 202.29.234.46
> 202.29.234.47
> 202.29.234.48
> 202.29.234.49
> 202.29.234.50
> 202.29.234.51
> 202.29.234.52
> 202.29.234.53
> ...
> [@syslog1 scripts]# digall.sh 209.85.219.47
> 209.85.219.0
> 209.85.219.1 mail-qv1-f1.google.com.
> 209.85.219.2 mail-qv1-f2.google.com.
> 209.85.219.3 mail-qv1-f3.google.com.
> 209.85.219.4 mail-qv1-f4.google.com.
> 209.85.219.5 mail-qv1-f5.google.com.
> 209.85.219.6 mail-qv1-f6.google.com.
> 209.85.219.7 mail-qv1-f7.google.com.
> 209.85.219.8 mail-qv1-f8.google.com.
> 209.85.219.9 mail-qv1-f9.google.com.
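The two checks Marc's testrbl.sh and digall.sh output illustrates, a DNSBL lookup and a reverse-DNS check, written out as an added example that is not code from this thread or from SpamAssassin. The DNSBL query is built by reversing the IPv4 octets and appending the list zone; the answer is an address in 127.0.0.0/8 whose last octet encodes the reason for the listing (127.0.0.11, the value testrbl.sh printed for 202.29.234.42, is a Spamhaus PBL policy listing). The reverse check is forward-confirmed rDNS: the PTR name must itself resolve back to the IP, which is what separates the blank 202.29.234.x entries from the mail-qv1-fN.google.com ones in the digall.sh output. The resolver functions are injectable so the code runs offline; the fake resolver tables below are constructed for the example (only the 202.29.234.42 / 127.0.0.11 and 209.85.219.1 / mail-qv1-f1.google.com pairs come from the thread), and the default resolvers use the standard socket module.

```python
# Added example (not from the list thread or SpamAssassin): DNSBL lookup and
# forward-confirmed reverse DNS, with an injectable resolver so it runs offline.
import ipaddress
import socket
from typing import Callable, Dict, List, Optional, Tuple

# Spamhaus ZEN return codes as documented by Spamhaus. 127.0.0.11 is what
# testrbl.sh printed for 202.29.234.42: a policy (PBL) listing, i.e. a range
# whose operator says it should not be delivering mail directly.
ZEN_CODES: Dict[str, str] = {
    "127.0.0.2": "SBL: spam source",
    "127.0.0.3": "SBL CSS: snowshoe / compromised sender",
    "127.0.0.4": "XBL: exploited host",
    "127.0.0.9": "SBL DROP",
    "127.0.0.10": "PBL: ISP-maintained policy range",
    "127.0.0.11": "PBL: Spamhaus-maintained policy range",
}

LookupA = Callable[[str], List[str]]
LookupPTR = Callable[[str], Optional[str]]


def is_public_ip(ip: str) -> bool:
    """Private/reserved addresses such as 10.221.57.15 carry no reputation."""
    return ipaddress.ip_address(ip).is_global


def dnsbl_query_name(ip: str, zone: str) -> str:
    """Build the DNSBL name: octets reversed, then the list zone."""
    addr = ipaddress.IPv4Address(ip)  # rejects anything that is not IPv4
    return ".".join(reversed(str(addr).split("."))) + "." + zone


def real_lookup_a(name: str) -> List[str]:
    """A records for name via the system resolver; [] on NXDOMAIN."""
    try:
        return [r[4][0] for r in socket.getaddrinfo(name, None, socket.AF_INET)]
    except socket.gaierror:
        return []


def real_lookup_ptr(ip: str) -> Optional[str]:
    """PTR name for ip via the system resolver; None if there is none."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror):
        return None


def check_dnsbl(ip: str, zone: str = "zen.spamhaus.org",
                lookup_a: LookupA = real_lookup_a) -> Tuple[bool, str]:
    """Return (listed, explanation) for ip on the given DNSBL zone."""
    answers = lookup_a(dnsbl_query_name(ip, zone))
    if not answers:
        return False, "not listed"
    # Spamhaus reports query problems (open resolver, query limit, typo in the
    # zone name) as 127.255.255.x; those are errors, not listings.
    errors = [a for a in answers if a.startswith("127.255.255.")]
    if errors:
        return False, "query error: " + ", ".join(errors)
    # Anything outside 127.0.0.0/8 is not a DNSBL answer (wildcarded zone).
    bad = [a for a in answers if not a.startswith("127.")]
    if bad:
        return False, "invalid answer: " + ", ".join(bad)
    return True, "; ".join(ZEN_CODES.get(a, f"unknown code {a}") for a in answers)


def check_fcrdns(ip: str, lookup_ptr: LookupPTR = real_lookup_ptr,
                 lookup_a: LookupA = real_lookup_a) -> Tuple[bool, Optional[str]]:
    """Return (confirmed, ptr_name); confirmed only if the PTR maps back to ip."""
    name = lookup_ptr(ip)
    if name is None:
        return False, None
    return ip in lookup_a(name), name


# Constructed offline resolver standing in for real DNS (values marked).
FAKE_A: Dict[str, List[str]] = {
    "42.234.29.202.zen.spamhaus.org": ["127.0.0.11"],   # from the thread
    "1.2.0.192.zen.spamhaus.org": ["127.255.255.254"],  # constructed error case
    "mail-qv1-f1.google.com": ["209.85.219.1"],         # from the thread
}
FAKE_PTR: Dict[str, str] = {"209.85.219.1": "mail-qv1-f1.google.com"}


def fake_lookup_a(name: str) -> List[str]:
    return FAKE_A.get(name, [])


def fake_lookup_ptr(ip: str) -> Optional[str]:
    return FAKE_PTR.get(ip)


def triage(ip: str, lookup_a: LookupA = real_lookup_a,
           lookup_ptr: LookupPTR = real_lookup_ptr) -> Dict[str, str]:
    """Combine the checks the way an MTA's connection-time policy would."""
    if not is_public_ip(ip):
        return {"ip": ip, "verdict": "skip", "reason": "non-public address"}
    listed, why = check_dnsbl(ip, lookup_a=lookup_a)
    if listed:
        return {"ip": ip, "verdict": "reject", "reason": f"listed on zen.spamhaus.org ({why})"}
    confirmed, ptr = check_fcrdns(ip, lookup_ptr=lookup_ptr, lookup_a=lookup_a)
    if not confirmed:
        return {"ip": ip, "verdict": "reject", "reason": f"no forward-confirmed PTR (ptr={ptr})"}
    return {"ip": ip, "verdict": "accept", "reason": f"{ptr} resolves back to {ip}"}


if __name__ == "__main__":
    for sender in ("10.221.57.15", "202.29.234.42", "209.85.219.1"):
        print(triage(sender, lookup_a=fake_lookup_a, lookup_ptr=fake_lookup_ptr))
```

Drop the `lookup_a`/`lookup_ptr` arguments to run the checks against live DNS. Note that Spamhaus' public mirrors answer 127.255.255.254 when the query arrives through a public resolver, which is why the error branch exists: a lookup that returns "query error" has told you nothing about the sender, and an MTA that treated it as "not listed" would silently lose the check.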