This won't catch a lot, but it could give you IPs or Class C's to 
block. I noted some stuff getting through to me where a header was:

x: ZRlJFRUtJVEBCUkVOREFTQ1JJVkVORVIuQ09NZ

....probably some kind of spam tracking code.

and FROM: was illegal stuff (caret is illegal in sender field):

from=<[EMAIL PROTECTED]>

in header_checks.regep:

/(^x: .*)/ DISCARD x: header = "$1"


The $1 writes the expression to the log line.  If you want to test, 
replace DISCARD with WARN or HOLD.

Here's a command to report hits by PTR[ip] sorted by IP:

egrep -i "discard:.*x: header" /var/log/maillog | cut -d ";" -f 1 | 
awk '{print $NF}' | sort -fn | uniq -ic | sort -t[ -k2


The domain names all look like junk/senseless domain names used by spammers.

Len
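
An added example, not part of the original message: the same report as the egrep pipeline above, extended to roll hits up by /24 so the "Class C's to block" show up directly. The log line shape, hostnames, addresses and the function names are assumptions constructed for illustration.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample in the shape of Postfix cleanup log lines; hostnames and
# addresses are documentation values, not taken from the message above.
SAMPLE_LOG = """\
Mar  3 10:15:01 mx postfix/cleanup[4021]: 4F1A2B3C4D: discard: header x: QUJDREVG from a1.example.net[198.51.100.71]; from=<s@example.net> to=<u@example.org> proto=ESMTP helo=<a1.example.net>: x: header = "x: QUJDREVG"
Mar  3 10:16:12 mx postfix/cleanup[4021]: 5A2B3C4D5E: discard: header x: R0hJSktM from a2.example.net[198.51.100.72]; from=<s@example.net> to=<u@example.org> proto=ESMTP helo=<a2.example.net>: x: header = "x: R0hJSktM"
Mar  3 10:17:40 mx postfix/cleanup[4030]: 6B3C4D5E6F: discard: header X: TU5PUFFS from A2.example.net[198.51.100.72]; from=<s@example.net> to=<u@example.org> proto=ESMTP helo=<a2.example.net>: x: header = "X: TU5PUFFS"
Mar  3 10:18:03 mx postfix/cleanup[4030]: 7C4D5E6F70: discard: header x: U1RVVldY from unknown[203.0.113.6]; from=<s@example.net> to=<u@example.org> proto=ESMTP helo=<mail>: x: header = "x: U1RVVldY"
Mar  3 10:19:55 mx postfix/cleanup[4030]: 8D5E6F7081: warning: header x: WVpBQkNE from b1.example.com[192.0.2.10]; from=<s@example.com> to=<u@example.org> proto=ESMTP helo=<b1.example.com>: x: header = "x: WVpBQkNE"
Mar  3 10:20:07 mx postfix/smtpd[4044]: connect from b1.example.com[192.0.2.10]
"""

HIT = re.compile(r"discard:.*x: header", re.I)      # same pattern as the egrep
CLIENT = re.compile(r"([^\[\]\s]+)\[([0-9.]+)\]")   # PTR[ip]

def x_header_hits(log_text):
    """Count x: header discards per client and per /24 network."""
    clients, nets = Counter(), Counter()
    for line in log_text.splitlines():
        if not HIT.search(line):
            continue  # WARN test-mode lines and unrelated lines are skipped
        # Field the shell pipeline uses: last token before the first ';'.
        tokens = line.split(";", 1)[0].split()
        m = CLIENT.fullmatch(tokens[-1]) if tokens else None
        if m is None:
            continue
        try:
            ip = ipaddress.IPv4Address(m.group(2))
        except ValueError:
            continue  # token only looked like PTR[ip]
        clients[f"{m.group(1).lower()}[{ip}]"] += 1
        nets[str(ipaddress.ip_network(f"{ip}/24", strict=False))] += 1
    return clients, nets

def block_candidates(nets, min_hits):
    """Networks with at least min_hits discards, busiest first."""
    return [net for net, n in nets.most_common() if n >= min_hits]

if __name__ == "__main__":
    clients, nets = x_header_hits(SAMPLE_LOG)
    for name, n in sorted(clients.items()):
        print(f"{n:5d} {name}")
    for net in block_candidates(nets, min_hits=3):
        print("review for blocking:", net)
```

The logged header text is sender-controlled and sits before the client field, so treat the output as candidates to review rather than an automatic block list.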
