Re: [Exim] SPAM problems : reject by X-Mailer?

Author: Glenn Carver
Date:  
To: Alan J. Flavell, Exim users list
Subject: Re: [Exim] SPAM problems : reject by X-Mailer?
I've also been getting a lot of spam mail like this, which gets past
spamassassin.

I've since started using DCC (http://www.dcc-servers.net/dcc/) as a
second pass after spamassassin and it's been successful at getting
rid of these spam messages. Not a particularly lightweight piece of
software but with DNSBL, spamassassin and DCC, our spam intake is
now virtually zero.

I would caution against blocking on a Mailer.

   Cheers,
             Glenn




At 12:46 pm +0000 12/1/04, Alan J. Flavell wrote:
>On Mon, 12 Jan 2004, Rory Campbell-Lange wrote:
>
>> I have seen a large increase in emails with subjects like "annoy idea
>> handsome" and bodies such as "peace euphorbia lillian scout b centerline
>> cleat scapular citron pacify centigrade icicle eh imperate cupid
>> fireplace gentlemen cocaine". Presumably the sender is trying to
>> generate a response?
>
>At the core of these messages is a spam link:
>
> <a href="..."><img border="0" src="..."></a>
>
>Presumably the sender is trying to obfuscate the message sufficiently
>to get past content-recognition filters.
>
>>  Many of these spam senders have the following X-Mailer listed:
>>      X-Mailer: mPOP Web-Mail 2.19
>
>So they do: if I try that on the contents of my spam-bucket, I get
>quite a number of matches since mid-December, although I also got
>several which didn't have that particular X-Mailer.
>
>I don't see any matches for that X-Mailer in my own personal good
>mail, though I can't speak for all of our users...
>
>However, all of the samples that I've got in my spam-bucket have been
>forwarded from my account at another site, which suggests that if any
>of them are being offered to us directly then we're rejecting them on
>other grounds (probably DNSRBLed MTA IPs). Some of them can also be
>rejected by callbacks on their faked envelope sender addresses (pace
>the usual critics of that procedure).
>
>Looking at the matches that I got, I'd say about half of them have so
>low a spamassassin score (<4) that no reasonable amount of boost on
>the X-Mailer alone would take them up to our rejection level (>8).
>The other half had scored around 7, and an extra point or so for the
>X-Mailer would have taken them over the limit.
>
>> Is it possible to generate an SMTP-time rejection of a message based
>> on its X-Mailer? Is this sensible?
>
>It might be worth some points in the spam-rating, but it would be
>premature to use it as a basis for outright rejection, I feel. Based
>on the arguments I present above, I'd say there are more effective
>ways of keeping these at bay (but those ways are weakened when the
>mail has been accepted by some forwarding MTA).
>
>cheers
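
Added example, not part of the original thread: a small Python check of the kind of measurement described above, comparing a score boost for the X-Mailer against outright rejection on a labelled corpus. The messages, the X-Spam-Score header name and the evaluate() helper are constructed for illustration; only the X-Mailer string and the rejection level (>8) come from the thread.

```python
from email import message_from_string

REJECT_ABOVE = 8.0                      # rejection level quoted in the thread
TARGET_MAILER = "mPOP Web-Mail 2.19"    # X-Mailer string quoted in the thread

# Constructed corpus: (label, raw message). X-Spam-Score is an assumed header
# carrying the content-filter score. Scores mimic the thread's description:
# about half of the matches under 4, the rest around 7.
SAMPLES = [
    ("spam", "X-Mailer: mPOP Web-Mail 2.19\nX-Spam-Score: 3.1\n\nx"),
    ("spam", "X-Mailer: mPOP Web-Mail 2.19\nX-Spam-Score: 2.4\n\nx"),
    ("spam", "X-Mailer: mPOP Web-Mail 2.19\nX-Spam-Score: 7.0\n\nx"),
    ("spam", "X-Mailer: mPOP Web-Mail 2.19\nX-Spam-Score: 7.3\n\nx"),
    ("spam", "X-Mailer: Other 1.0\nX-Spam-Score: 9.2\n\nx"),
    ("spam", "X-Spam-Score: 5.0\n\nx"),
    # Hypothetical legitimate user of the same webmail product.
    ("ham", "X-Mailer: mPOP Web-Mail 2.19\nX-Spam-Score: 1.0\n\nx"),
    ("ham", "X-Mailer: Other 1.0\nX-Spam-Score: 0.5\n\nx"),
]


def evaluate(samples, boost):
    """Count what adding `boost` points for the target X-Mailer would change."""
    stats = {"spam_matched": 0, "spam_newly_rejected": 0,
             "spam_still_accepted": 0, "ham_matched": 0,
             "ham_newly_rejected": 0}
    for label, raw in samples:
        msg = message_from_string(raw)
        if (msg.get("X-Mailer") or "").strip() != TARGET_MAILER:
            continue                     # the boost only applies to matches
        score = float(msg.get("X-Spam-Score", "0"))
        stats[label + "_matched"] += 1
        was_rejected = score > REJECT_ABOVE
        now_rejected = score + boost > REJECT_ABOVE
        if now_rejected and not was_rejected:
            stats[label + "_newly_rejected"] += 1
        elif label == "spam" and not now_rejected:
            stats["spam_still_accepted"] += 1
    return stats


if __name__ == "__main__":
    for boost in (1.0, 1.5):
        print(boost, evaluate(SAMPLES, boost))
    # Outright rejection on the header would refuse every "ham_matched" message.
```

On this constructed data a 1.5-point boost catches the two borderline messages and leaves the low-scoring ones alone, while a hard reject on the header would also refuse the one legitimate message.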