SPAM filtering

New ideas and constructive comments go here.

kesor
Posts: 3
Joined: Fri Apr 01, 2005 11:55 am
Location: Israel

SPAM filtering

Post by kesor »

On my server there is an active spam filter (amavisd-new + spamassassin + clamav etc. and postfix).

For some time now (that is, only the last several weeks) I have been receiving virus mail that was delivered to the secondary MX (rollernetwork).

After all, it looks like this:
BANNED CONTENTS ALERT

Our content checker found
banned name: P=p003,L=1,M=multipart/mixed | P=p002,L=1/2,M=application/octet-stream,T=zip,N=information.zip | P=p004,L=1/2/1,T=exe,T=exe-ms,N=information.txt ... .exe | P=p005,L=1/2/1/1,T=empty,N=1979
in email presumably from you (<webmaster@kesor.net>),
to the following recipient:
-> mike@kesor.net
bla bla bla ......
For your reference, here are headers from your email:
------------------------- BEGIN HEADERS -----------------------------
Return-Path: <webmaster@kesor.net>
Received: from mail2.rollernet.us (mail2.rollernet.us [66.224.163.2])
by monster.kesor.net (Postfix) with ESMTP id 61F1C27
for <mike@kesor.net>; Fri, 10 Jun 2005 21:31:32 +0300 (IDT)
X-RollerNet-Abuse: Roller Network SMTP Services. Please read http://rollernet.us/abuse.php
Received: from kesor.net (bzq-82-80-218-220.red.bezeqint.net [82.80.218.220])
by mail2.rollernet.us (Postfix) with ESMTP id C2FEC621369
for <mike@kesor.net>; Fri, 10 Jun 2005 11:31:19 -0700 (PDT)
From: webmaster@kesor.net
To: mike@kesor.net
Subject: WEL
Date: Fri, 10 Jun 2005 20:31:28 +0200
MIME-Version: 1.0
Content-Type: multipart/mixed;
boundary="----=_NextPart_000_0002_B1687C6F.86E5A1A3"
X-Priority: 3
X-MSMail-Priority: Normal
Message-Id: <20050610183119.C2FEC621369@mail2.rollernet.us>
-------------------------- END HEADERS ------------------------------
What I see in these headers is that some virus host is identifying as my server, and thus rollernetwork allows it to send mail to users on my network (even though no such user exists, but that's another issue).

Anyway, my suggestion: notice the host in bold, it's not my server. What reason is there for mail from any internet host that says 'kesor.net' but is not mine to be trusted? Mostly virii do this.
RollerNetSupport
Site Admin
Posts: 598
Joined: Wed Nov 17, 2004 10:05 pm
Location: Nevada

Post by RollerNetSupport »

You should be able to use the SPF filter to stop other mail servers from sending mail through us pretending to be your email address. The rollernet.us domain has SPF enabled; you can try sending a message to support@rollernet.us using a from address like webmaster@rollernet.us and it should be rejected.
Technical Support support@rollernet.us
Roller Network LLC
kesor
Posts: 3
Joined: Fri Apr 01, 2005 11:55 am
Location: Israel

Post by kesor »

Does SPF also check HELO?

If some other host is using "HELO mail.kesor.net", and it's not my server's IP, will that be rejected as well?
RollerNetSupport
Site Admin
Posts: 598
Joined: Wed Nov 17, 2004 10:05 pm
Location: Nevada

Post by RollerNetSupport »

SPF doesn't normally use the HELO response unless the sender is null (i.e. bounce messages). The HELO checks in first-generation SPF are rather broken, actually, but I suspect someone will improve upon this in the next generation.

There is a new filter option designed to reject a "same domain name" HELO/EHLO, but it is still being tested. You can preview the interface in the account manager at https://acc.rollernet.us/mail/handling.php
Technical Support support@rollernet.us
Roller Network LLC
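To make the two answers above concrete (SPF is checked against the MAIL FROM domain, and only falls back to the HELO/EHLO name when the sender is null, as in a bounce), here is an added example of a minimal SPF-style evaluator. It is not Roller Network's filter or the original poster's setup, and it is not a real SPF library: DNS is replaced by a constructed table of SPF records, and the address 203.0.113.10 is assumed, for illustration only, to be kesor.net's legitimate outbound server. It also parses a Received header of the shape shown in the first post to pull out the HELO name and the real client IP, which is what a secondary MX would check.

```python
"""Constructed example: a tiny SPF-style check (ip4/ip6/all terms only).

Not Roller Network's code and not a full RFC 4408 implementation. DNS
lookups are simulated with a table of SPF records, so it runs offline.
"""
import ipaddress
import re

# Constructed SPF records standing in for DNS TXT lookups.
# ASSUMPTION: 203.0.113.10 is kesor.net's only legitimate sender; the
# real records for these domains are not on the page.
FAKE_DNS_TXT = {
    "kesor.net": "v=spf1 ip4:203.0.113.10 -all",
    "rollernet.us": "v=spf1 ip4:66.224.163.0/24 -all",
    "example.org": "v=spf1 ip4:198.51.100.0/24 ~all",
}

# Matches the "from <helo> (<rdns> [<ip>])" clause of a Received header.
RECEIVED_RE = re.compile(r"from\s+(\S+)\s+\(\S+\s+\[([0-9a-fA-F.:]+)\]\)")

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def parse_received(line):
    """Return (helo_name, client_ip) from a Postfix-style Received header.

    The HELO name is whatever the remote host claimed; the bracketed IP is
    what the receiving MTA actually saw, so it is the value worth trusting.
    """
    match = RECEIVED_RE.search(line)
    if not match:
        raise ValueError("unrecognised Received header: %r" % line)
    return match.group(1).lower(), match.group(2)


def lookup_spf(domain):
    """Simulated TXT lookup; a real evaluator would query DNS here."""
    return FAKE_DNS_TXT.get(domain.lower())


def spf_identity(mail_from, helo):
    """Pick the domain to check: MAIL FROM, or the HELO name if MAIL FROM is null."""
    if mail_from in (None, "", "<>"):
        return helo.lower()
    return mail_from.strip("<>").rsplit("@", 1)[-1].lower()


def evaluate_spf(client_ip, mail_from, helo):
    """Return 'pass', 'fail', 'softfail', 'neutral' or 'none'."""
    domain = spf_identity(mail_from, helo)
    record = lookup_spf(domain)
    if record is None:
        return "none"              # domain publishes no SPF record
    terms = record.split()
    if not terms or terms[0] != "v=spf1":
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in terms[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        if term == "all":
            matched = True
        elif term.startswith(("ip4:", "ip6:")):
            net = ipaddress.ip_network(term[4:], strict=False)
            matched = ip.version == net.version and ip in net
        else:
            # a, mx, include, exists ... need DNS and are not modelled here.
            continue
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"               # no term matched and no 'all' present


def should_reject(result):
    """Policy used here: reject only a hard 'fail'; let softfail/neutral through."""
    return result == "fail"


if __name__ == "__main__":
    # The Received line from the first post in this thread.
    received = ("Received: from kesor.net "
                "(bzq-82-80-218-220.red.bezeqint.net [82.80.218.220])")
    helo, ip = parse_received(received)
    for mail_from in ("webmaster@kesor.net", "<>"):
        result = evaluate_spf(ip, mail_from, helo)
        print("%s MAIL FROM=%s HELO=%s -> %s (reject=%s)"
              % (ip, mail_from, helo, result, should_reject(result)))
```

With the constructed record, the forged message fails whether it carries a normal MAIL FROM or a null one (where the HELO name kesor.net is checked instead), while a message from the assumed legitimate address passes. Note that a null-sender message whose HELO is a name with no SPF record, such as a hostname under the domain, evaluates to "none" and is not rejected; that is the gap the answer above refers to when it calls first-generation HELO checking weak.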