[postfix-users] massiver spam Anstieg

Christian Boltz postfix-users at cboltz.de
Fr Mai 22 00:06:10 CEST 2009 

Hallo Patrick, hallo Leute,

Am Donnerstag, 21. Mai 2009 schrieb Patrick Ben Koetter:
> * Christian Boltz <postfix-users at de.postfix.org>:
> > # die folgende body-Regel (für Bounces) funktioniert leider nicht - warum?
> > body      CB_BODY_COMES_WITH_SPAMSCORE  /X-VA-Spam-Flag:[   ]*YES/i
> > describe  CB_BODY_COMES_WITH_SPAMSCORE  Contains X-VA-Spam-Flag: YES in body (bounce?)
> > score     CB_BODY_COMES_WITH_SPAMSCORE  0.001

> > Hat jemand eine Idee, warum meine body-Regel nicht greift? (Nein,
> > es liegt nicht an der geringen Punktzahl - die Regel trifft
> > wirklich nicht.)
>
> Du meinst die CB_BODY_COMES_WITH_SPAMSCORE-Regel? Weil
> "X-VA-Spam-Flag:" ein Header- und kein Body-Element ist?

Es geht mir in diesem Fall speziell um _Bounces_. Und da steht 
X-VA-Spam-Flag dann wirklich im Body.

Der komplette Bounce sieht dann folgendermaßen aus: (meine Mailadressen
sind maskiert)

----------------------------------------------------------------------

Return-Path: <MAILER-DAEMON>
Delivered-To: main at cboltz.de
Received: from localhost (localhost [127.0.0.1])
	by server.sprachakt.com (Postfix) with ESMTP id B55D8388229
	for <... at cboltz.de>; Tue, 19 May 2009 02:48:11 +0200 (CEST)
X-Virus-Scanned: amavisd-new at sprachakt.com
X-Spam-Flag: NO
X-Spam-Score: 4.291
X-Spam-Level: ****
X-Spam-Status: No, score=4.291 tagged_above=-999 required=7
	tests=[ALL_TRUSTED=-1.8, AWL=1.228, BAYES_50=0.001,
	CB_TO_CBOLTZ_SOURCEFORGE=0.001, URIBL_AB_SURBL=1.86,
	URIBL_JP_SURBL=1.501, URIBL_WS_SURBL=1.5]
Received: from mail.cboltz.de ([127.0.0.1])
	by localhost (mail.sprachakt.com [127.0.0.1]) (amavisd-new, port 10024)
	with ESMTP id sb3BpfM9EPjx for <... at cboltz.de>;
	Tue, 19 May 2009 02:48:05 +0200 (CEST)
X-Greylist: from auto-whitelisted by SQLgrey-1.6.8
Received: from mx.sourceforge.net (mx.sourceforge.net [216.34.181.68])
	(using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits))
	(Client did not present a certificate)
	by mail.cboltz.de (Postfix) with ESMTPS
	for <... at cboltz.de>; Tue, 19 May 2009 02:48:05 +0200 (CEST)
Received: from exim by 3b2kzd1.ch3.sourceforge.com with local 
	(Exim 4.69)
	id 1M6DUy-0006Mx-Ot
	for USERNAME at users.sourceforge.net; Tue, 19 May 2009 00:48:04 +0000
X-Failed-Recipients: ... at cboltz.de
Auto-Submitted: auto-replied
From: Mail Delivery System <Mailer-Daemon at sourceforge.net>
To: USERNAME at users.sourceforge.net
Subject: Mail delivery failed: returning message to sender
Message-Id: <E1M6DUy-0006Mx-Ot at 3b2kzd1.ch3.sourceforge.com>
Date: Tue, 19 May 2009 00:48:04 +0000
Status: R
X-Status: NPC
X-KMail-EncryptionState:  
X-KMail-SignatureState:  
X-KMail-MDN-Sent:  

This message was created automatically by mail delivery software.

A message that you sent could not be delivered to one or more of its
recipients. This is a permanent error. The following address(es) failed:

  ... at cboltz.de
    (generated from USERNAME at users.sourceforge.net)
    SMTP error from remote mail server after end of data:
    host mailtest.cboltz.de [78.46.208.169]: 554 5.7.0 Reject, id=06334-06 - SPAM

------ This is a copy of the message, including all the headers. ------

Return-path: <USERNAME at users.sourceforge.net>
X-ACL-Warn: 
Received: from [190.148.90.116]
	by 3b2kzd1.ch3.sourceforge.com with esmtp 
	(Exim 4.69)
	id 1M6DUK-0005me-Vm
	for USERNAME at users.sourceforge.net; Tue, 19 May 2009 00:47:58 +0000
Message-Id: <200905197492.3B24D4A59DE98A@[190.148.90.116]>
From: "Sentz Seymour" <USERNAME at users.sourceforge.net>
To: USERNAME at users.sourceforge.net
Content-Type: text/html; charset="UTF-8"
Content-Transfer-Encoding: 7bit
MIME-Version: 1.0
X-Spam-Score: 17.9 (+++++++++++++++++)
X-Spam-Report: Spam Filtering performed by mx.sourceforge.net.
	See http://spamassassin.org/tag/ for more details.
	2.0 URIBL_BLACK            Contains an URL listed in the URIBL blacklist
	[URIs: prolivate.ru]
	0.0 MISSING_DATE           Missing Date: header
	0.0 HTML_IMAGE_RATIO_08    BODY: HTML has a low ratio of text to image area
	0.0 HTML_MESSAGE           BODY: HTML included in message
	1.7 MIME_HTML_ONLY         BODY: Message only has text/html MIME parts
	1.5 RAZOR2_CF_RANGE_E8_51_100 Razor2 gives engine 8 confidence level
	above 50%
	[cf: 100]
	1.5 RAZOR2_CF_RANGE_E4_51_100 Razor2 gives engine 4 confidence level
	above 50%
	[cf: 100]
	2.0 RAZOR2_CHECK           Listed in Razor2 (http://razor.sf.net/)
	0.5 RAZOR2_CF_RANGE_51_100 Razor2 gives confidence level above 50%
	[cf: 100]
	0.5 RCVD_IN_PBL            RBL: Received via a relay in Spamhaus PBL
	[190.148.90.116 listed in zen.spamhaus.org]
	2.9 RCVD_IN_XBL            RBL: Received via a relay in Spamhaus XBL
	2.0 URIBL_AB_SURBL         Contains an URL listed in the AB SURBL blocklist
	[URIs: prolivate.ru]
	0.5 URIBL_WS_SURBL         Contains an URL listed in the WS SURBL blocklist
	[URIs: prolivate.ru]
	2.9 URIBL_JP_SURBL         Contains an URL listed in the JP SURBL blocklist
	[URIs: prolivate.ru]
X-VA-Spam-Flag: YES
X-Spam-Flag: YES
X-Headers-End: 1M6DUK-0005me-Vm
Subject: [SPAM] Scientists' mass-suicide

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
[...]

----------------------------------------------------------------------

Falls jemand einen Vorschlag für eine funktionierende SA-Regel hat -
immer her damit ;-)


Gruß

Christian Boltz
-- 
[ Yes ] [ No ]
... used for harmless errors or simple questions: "It's high time you
had your cup of coffee! Would you like your KDE to prepare one for you?"
[Lukas Ocilka in opensuse-factory - YaST2 button styleguide]

Mehr Informationen über die Mailingliste postfix-users