Our hospital has been getting a significant amount of obscene spam
lately from a group called Outblaze. It's getting past both IP
blacklists and SpamAssassin v2.63 using RulesDuJour.
I've been reviewing the headers, and in every case Outblaze is using an
(assumed) open mail relay. They're also changing the From name and the
Reply-To, so it's hard to nail it down with that. Further, there's no
consistent verbiage in the email that triggers high SA scores. To make
it worse, by the time I get the complaint, most of the blacklists I use
are already blocking the sending server, but of course they move on to
another one and the cycle begins again.
The only thing consistent I can find is that the originating server,
the one sending to the open mail relay, is always a variation of
Outblaze.com, usually heesun-net.mr.outblaze.com, but the server IP
addresses are all over the place (see enclosed header). Can someone
explain to me how to adjust SA filters to search for that in the header
and give it a high score?
Thanks,
Greg Amy
Hartford Hospital
Received: from gwmail1.harthosp.org
by gwmail.harthosp.org; Mon, 10 May 2004 08:27:22 -0400
Received: from localhost (localhost [127.0.0.1])
by gwmail1.harthosp.org (GWMail1) with ESMTP id 5AA8E68BF
for <[EMAIL PROTECTED]>; Mon, 10 May 2004 08:24:48 -0400
(EDT)
Received: from gwmail1.harthosp.org ([127.0.0.1])
by localhost (gwmail1 [127.0.0.1]) (amavisd-new, port 10024) with
LMTP
id 15864-01-8 for <[EMAIL PROTECTED]>;
Mon, 10 May 2004 08:24:47 -0400 (EDT)
Received: from h49.192.140.67.ip.alltel.net
(h49.192.140.67.ip.alltel.net [67.140.192.49])
by gwmail1.harthosp.org (GWMail1) with SMTP id BF16E657E
for <[EMAIL PROTECTED]>; Mon, 10 May 2004 08:23:49 -0400
(EDT)
Received: from heesun.net (heesun-net.mr.outblaze.com
[205.158.62.177])
by h49.192.140.67.ip.alltel.net (Postfix) with ESMTP id
4D841C9A96
for <[EMAIL PROTECTED]>; Mon, 10 May 2004 08:24:07 -0400
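An added example (not part of Greg's post or of SpamAssassin itself) that prototypes the header check he is asking for: it unfolds a Received chain modelled on the quoted headers and applies the same regex a local SA `header` rule would, keying on the reverse-DNS name the relay recorded rather than the HELO name the sender controls. The rule name, score and placeholder recipient address are assumptions.

```python
import re
from typing import List, Optional, Tuple

# Constructed sample modelled on the last two Received hops quoted in the post
# (hostnames and IPs are from the quoted headers; the redacted recipient is
# replaced with a placeholder address).
SAMPLE_HEADERS = """\
Received: from h49.192.140.67.ip.alltel.net
    (h49.192.140.67.ip.alltel.net [67.140.192.49])
    by gwmail1.harthosp.org (GWMail1) with SMTP id BF16E657E
    for <user@example.org>; Mon, 10 May 2004 08:23:49 -0400 (EDT)
Received: from heesun.net (heesun-net.mr.outblaze.com
    [205.158.62.177])
    by h49.192.140.67.ip.alltel.net (Postfix) with ESMTP id 4D841C9A96
    for <user@example.org>; Mon, 10 May 2004 08:24:07 -0400
"""

# Same pattern a local SA rule would use (rule name and score are assumptions):
#   header   LOCAL_RCVD_OUTBLAZE  Received =~ /\(\S*\.outblaze\.com\s+\[\d+\.\d+\.\d+\.\d+\]\)/i
#   describe LOCAL_RCVD_OUTBLAZE  A Received hop was handed off by an outblaze.com host
#   score    LOCAL_RCVD_OUTBLAZE  4.0
# It keys on the reverse-DNS name the *receiving* relay wrote in parentheses, not on
# the HELO name in front of it ("heesun.net"), which the sending host picks itself.
OUTBLAZE_RDNS = re.compile(
    r"\((\S*\.outblaze\.com)\s+\[(\d{1,3}(?:\.\d{1,3}){3})\]\)", re.IGNORECASE)

def unfold(raw: str) -> List[str]:
    """Join folded continuation lines so each header is a single string."""
    headers: List[str] = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and headers:
            headers[-1] += " " + line.strip()
        else:
            headers.append(line)
    return headers

def received_hops(raw: str) -> List[str]:
    """Return the Received header values, top (nearest us) first."""
    return [h.split(":", 1)[1].strip()
            for h in unfold(raw) if h.lower().startswith("received:")]

def find_outblaze_hop(raw: str) -> Optional[Tuple[str, str]]:
    """Return (rdns_name, ip) of the first hop matching the rule, else None."""
    for hop in received_hops(raw):
        m = OUTBLAZE_RDNS.search(hop)
        if m:
            return m.group(1).lower(), m.group(2)
    return None
```

Only the hops written by relays you trust are reliable; anything below the first untrusted hop can be fabricated by the sender, so scoring rather than outright blocking is the safer default.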