Re: [Exim] SPAM problems : reject by X-Mailer?

Author: Jethro R Binks
Date:  
To: exim-users
Subject: Re: [Exim] SPAM problems : reject by X-Mailer?
On Tue, 13 Jan 2004, Kevin Reed wrote:

> warn log_message = MPOPWEBMAIL $sender_host_address
>      message = MPOP Webmail Spam Header Detected.\n \
>        If you have questions please contact postmaster@$qualify_domain
>   condition = ${if match {$header_x-mailer:}{mPOP Web-Mail 2.19}{yes}{no}}
>   condition = ${if match {$header_x-originating-ip:}{IP\]}{yes}{no}}

>
> I've been tracking this for several days now and after 4 days, have seen
> no false positives with this but a ton of catches...
>
> Each of the spams that had the mPOP Web-Mail 2.19 in the X-Mailer header,
> also has an X-Originating-IP: [{something}IP] in them too. Note the IP at
> the end is the letters IP.


I have an example of one that doesn't have that pattern in the
X-Originating-IP: header, but nevertheless, I think this is a good call,
and am using it as the basis of an SA rule.

Received: from dhcp024-160-219-069.ma.rr.com ([24.160.219.69]:4032)
        by kojak.cc.strath.ac.uk with smtp (Exim 4.22 #2)
        id 1AgN8Z-000FpA-7S
        for <postmaster@???>; Tue, 13 Jan 2004 11:55:11 +0000
Received: from [24.160.219.69] by 248.24.226.220 with HTTP;
        Mon, 12 Jan 2004 21:50:33 -0200
From: "Peters Hazel" <yolmxigdsdabgv@??? >
To: postmaster@???
Subject: Re: QA, stirring her heart
Mime-Version: 1.0
X-Mailer: mPOP Web-Mail 2.19
X-Originating-IP: [169.248.197.108]
Date: Tue, 13 Jan 2004 00:55:33 +0100
Reply-To: "Hazel Peters" <yolmxigdsdabgv@??? >
[...]


Jethro.


>
> You could turn this into a deny or make a special header to trap on or
> make an SA rule out of it instead.
>
> I've had a ton of this pointed at the postmaster account ... but it no
> longer gets there ...
>
> I'm using a deny on my own servers and a SA rule catch on my large work
> servers.
>
> Happy hunting...
>
> --
> Kevin W. Reed - TNET Services, Inc.
> Unofficial Exim MTA Info Forums - http://exim.got-there.com/forums
>



. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Jethro R Binks
Computing Officer, IT Services
University Of Strathclyde, Glasgow, UK
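
Added example, not part of the original thread: a small Python check that evaluates the two header signals from the quoted ACL separately, so a message like the sample in the reply (X-Mailer matches, X-Originating-IP does not end in the letters "IP") is reported as a partial match rather than silently passing. The function name, return labels and the two constructed header blocks are assumptions made for illustration.

```python
import re
from email import message_from_string

# Patterns from the two ACL conditions quoted in the thread (dot escaped here).
X_MAILER_RE = re.compile(r"mPOP Web-Mail 2\.19")
XOIP_LITERAL_RE = re.compile(r"IP\]")  # bracketed value ending in the letters "IP"

# Relevant headers of the sample message shown in the reply.
THREAD_SAMPLE = (
    "Subject: Re: QA, stirring her heart\n"
    "X-Mailer: mPOP Web-Mail 2.19\n"
    "X-Originating-IP: [169.248.197.108]\n"
    "\n"
)
# Constructed: the "[{something}IP]" form described in the quoted post.
CONSTRUCTED_BOTH = (
    "X-Mailer: mPOP Web-Mail 2.19\n"
    "X-Originating-IP: [exampleIP]\n"
    "\n"
)
# Constructed: unrelated mailer with a hypothetical name.
CONSTRUCTED_OTHER = (
    "X-Mailer: Example Mailer 1.0\n"
    "X-Originating-IP: [192.0.2.10]\n"
    "\n"
)

def classify(raw_headers: str) -> str:
    """Return 'both', 'mailer_only' or 'none' for a raw header block."""
    msg = message_from_string(raw_headers)
    # get_all() covers repeated headers; header names are case-insensitive.
    mailer_hit = any(X_MAILER_RE.search(v) for v in msg.get_all("X-Mailer", []))
    xoip_hit = any(XOIP_LITERAL_RE.search(v)
                   for v in msg.get_all("X-Originating-IP", []))
    if mailer_hit and xoip_hit:
        return "both"          # both quoted conditions are true
    if mailer_hit:
        return "mailer_only"   # the case shown in the reply's sample
    return "none"

if __name__ == "__main__":
    for name, raw in [("thread sample", THREAD_SAMPLE),
                      ("constructed, both", CONSTRUCTED_BOTH),
                      ("constructed, other", CONSTRUCTED_OTHER)]:
        print(f"{name}: {classify(raw)}")
```

Only `both` corresponds to the quoted two-condition statement firing; `mailer_only` is what a rule keyed on the X-Mailer value alone would additionally catch.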