Hi there -- it's very important to note that Outblaze are *not* responsible. In fact, it's one spamming tool that persistently forges this header. Any mail with a Received header containing "mr.outblaze.com" can be dropped, as that domain does not exist.

Spam Admin writes:
> Our hospital has been getting a significant amount of obscene spam
> lately from a group called Outblaze. It's getting past both IP
> blacklists and SpamAssassin v2.63 using RulesDuJour.
>
> I've been reviewing the headers, and in every case Outblaze is using an
> (assumed) open mail relay. They're also changing the From name and the
> Reply To, so it's hard to nail it down with that. Further, there's no
> consistent verbiage in the email that's triggering high SA scores. To make
> it worse, by the time I get the complaint, most of the blacklists I use
> are already blocking the sending server, but of course they move on to
> another one and the cycle begins again.
>
> The only thing consistent I can find is that the originating server,
> the one sending to the open mail relay, is always a variation of
> Outblaze.com, usually heesun-net.mr.outblaze.com, but the server IP
> addresses are all over the place (see enclosed header). Can someone
> explain to me how to adjust SA filters to search for that in the header
> and give it a high score?
>
> Thanks,
>
> Greg Amy
> Hartford Hospital
>
> Received: from gwmail1.harthosp.org
>     by gwmail.harthosp.org; Mon, 10 May 2004 08:27:22 -0400
> Received: from localhost (localhost [127.0.0.1])
>     by gwmail1.harthosp.org (GWMail1) with ESMTP id 5AA8E68BF
>     for <[EMAIL PROTECTED]>; Mon, 10 May 2004 08:24:48 -0400
>     (EDT)
> Received: from gwmail1.harthosp.org ([127.0.0.1])
>     by localhost (gwmail1 [127.0.0.1]) (amavisd-new, port 10024) with
>     LMTP
>     id 15864-01-8 for <[EMAIL PROTECTED]>;
>     Mon, 10 May 2004 08:24:47 -0400 (EDT)
> Received: from h49.192.140.67.ip.alltel.net
>     (h49.192.140.67.ip.alltel.net [67.140.192.49])
>     by gwmail1.harthosp.org (GWMail1) with SMTP id BF16E657E
>     for <[EMAIL PROTECTED]>; Mon, 10 May 2004 08:23:49 -0400
>     (EDT)
> Received: from heesun.net (heesun-net.mr.outblaze.com
>     [205.158.62.177])
>     by h49.192.140.67.ip.alltel.net (Postfix) with ESMTP id
>     4D841C9A96
>     for <[EMAIL PROTECTED]>; Mon, 10 May 2004 08:24:07 -0400
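
Added example, not part of the original message or of SpamAssassin: a Python check that applies the advice above by flagging any Received hop naming a host under mr.outblaze.com and reporting which relay recorded it. The function names, the rule name and score in the comment, and the hostname-boundary tightening of the match are assumptions; the sample headers are trimmed from the quoted message.

```python
import re
from email import message_from_string

# Equivalent SpamAssassin rule; the rule name and score are assumptions:
#   header LOCAL_FORGED_MR_OUTBLAZE Received =~ /\bmr\.outblaze\.com\b/i
#   score  LOCAL_FORGED_MR_OUTBLAZE 10.0

# Hostname equal to or under mr.outblaze.com. The lookarounds keep
# lookalikes such as "mr.outblaze.com.example.org" from matching.
FORGED = re.compile(
    r"(?<![\w.-])((?:[\w-]+\.)*mr\.outblaze\.com)(?![\w-]|\.[\w-])", re.I)
BY_HOST = re.compile(r"\bby\s+([\w.-]+)", re.I)

# Two hops from the headers quoted above; "for" clauses trimmed,
# Subject and body constructed.
SAMPLE = (
    "Received: from h49.192.140.67.ip.alltel.net\n"
    " (h49.192.140.67.ip.alltel.net [67.140.192.49])\n"
    " by gwmail1.harthosp.org (GWMail1) with SMTP id BF16E657E;\n"
    " Mon, 10 May 2004 08:23:49 -0400 (EDT)\n"
    "Received: from heesun.net (heesun-net.mr.outblaze.com\n"
    " [205.158.62.177])\n"
    " by h49.192.140.67.ip.alltel.net (Postfix) with ESMTP id 4D841C9A96;\n"
    " Mon, 10 May 2004 08:24:07 -0400\n"
    "Subject: constructed subject\n"
    "\n"
    "constructed body\n"
)

def forged_hops(raw_message):
    """Return (forged_name, recording_host) for each matching Received header."""
    msg = message_from_string(raw_message)
    hits = []
    for value in msg.get_all("Received", []):
        hop = " ".join(value.split())   # unfold continuation lines
        match = FORGED.search(hop)
        if match:
            by = BY_HOST.search(hop)    # relay that wrote this header
            hits.append((match.group(1).lower(), by.group(1) if by else None))
    return hits

def should_drop(raw_message):
    """True when any Received header names a host under mr.outblaze.com."""
    return bool(forged_hops(raw_message))

if __name__ == "__main__":
    print(forged_hops(SAMPLE))
```

Only Received headers are inspected, so a message that merely mentions the name in its Subject or body is not flagged.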
