On Sun, Nov 04, 2018 at 11:49:01PM +0100, John Damm Sørensen john@... [milter-greylist] wrote:
> I checked my spam archive and over the last 4 years I have also
> received spam where qq.com was used.
>
> It seems like qq.com was used in From: and Reply-To: header lines, so
> you should be able to block the sender with:
>
> dacl blacklist header /Reply-To:.*qq.com/
> dacl blacklist header /From:.*qq.com/
>
> maybe even
>
> dacl blacklist header /Subject:.*qq.com/
>
> On my mail server the mails were all caught by Spamassassin. I use a
> score of 4.3 to classify spam.
>
> Best
>
> John
Ah, thanks for the hint. I added:
dacl blacklist header /From:.*qq.com/ flushaddr
dacl blacklist header /From.*qq.com/ flushaddr
dacl blacklist header /Return-Path:.*qq.com/ flushaddr
dacl blacklist header /Disposition-Notification-To:.*qq.com/ flushaddr
in hopes that'll block them and flush them out of the database.
In addition to greylisting, I also use a fairly-well trained spambayes,
and since spambayes catches nearly everything, these things bother me
more on the principle of the thing than on the fact that they pollute
my inbox (since they don't). I see 'em when I examine the "trained-spam"
folder, and since I have been getting anywhere from 0 to 3 or 4 a day
for quite some time, when suddenly 10-20 show up I get upset.
Thanks again for the hints.
Fred
>
> On 04-11-2018 at 23:20, Fred Smith fredex@... [milter-greylist] wrote:
>
>
> I've been using milter-greylist for a couple of years, with a huge
> reduction in spam.
> The past week or so I've had a huge increase, and looking at
> /var/log/maillog I can see that one of the main culprits is being
> auto-whitelisted! Also:
> grep qq.com `locate greylist.db` | sort -k4
> 115.226.150.123 <2282748699@...> <fredex@...> 1540995534 # 2018-10-31 10:18:54
> 124.6.159.130 <2846047090@...> <fredex@...> 1541107270 # 2018-11-01 17:21:10
> 122.241.3.11 <2282748699@...> <fredex@...> 1541164427 # 2018-11-02 09:13:47
> 115.230.76.104 <2282748699@...> <fredex@...> 1541236666 # 2018-11-03 05:17:46
> 1.199.184.250 <1973524543@...> <fredex@...> 1541243473 # 2018-11-03 07:11:13
> 124.6.159.130 <1982824309@...> <fredex@...> 1541259038 # 2018-11-03 11:30:38
> 124.6.159.130 <1972695338@...> <fredex@...> 1541266446 # 2018-11-03 13:34:06
> 124.6.159.130 <1963489674@...> <fredex@...> 1541295470 # 2018-11-03 21:37:50
> 124.6.159.130 <2263814933@...> <fredex@...> 1541302976 # 2018-11-03 23:42:56
> 124.6.159.130 <2276596163@...> <fredex@...> 1541376051 AUTO # 2018-11-04 19:00:51
> 183.151.39.5 <2263814933@...> <fredex@...> 1541402367 AUTO # 2018-11-05 02:19:27
> 222.189.144.75 <2282748699@...> <fredex@...> 1541448054 AUTO # 2018-11-05 15:00:54
> sorted into date/time order.
> qq.com is probably a fake domain, as you can see many different addresses
> listed for it. In /var/log/maillog most messages are either rejected
> outright, or are greylisted and never accepted, but as you can see, once
> in a while one of them sneaks back in with a valid-appearing response
> and so gets whitelisted, then a bunch of their messages are accepted.
> I tried to do a blacklist of qq.com, but apparently blacklisting requires
> an IP address. Since they appear to be using random/invalid IP addresses,
> I'm not sure that just blindly blacklisting every address it appears
> under is either a good idea, or would be adequate to get rid of them.
> I've re-read my way through all the milter-greylist doc I could find,
> and to be frank there is a lot of it I don't understand.
> So, I'm wondering if any of you can offer suggestions on any ways other
> than directly blacklisting qq.com to stomp on this site's spam?
> All advice will be appreciated, thanks in advance!
> Here's my current milter-greylist.conf (with comments stripped):
> socket "/run/milter-greylist/milter-greylist.sock"
> dumpfile "/var/lib/milter-greylist/db/greylist.db" 600
> geoipdb "/usr/share/GeoIP/GeoIP.dat"
> dumpfreq 10m
> user "grmilter"
> greylist 10m
> extendedregex
> timeout 5d
> logexpired
> report all # always add X-greylist mail header
> stat "|logger -p local7.info" \
> "%T{%Y/%m/%d %T} %d [%i] %f -> %r %S (ACL %A) %Xc %Xe %Xm %Xh"
> quiet
> list "my network" addr { 127.0.0.1/8 192.168.2.0/24 }
> list "outlook.com" domain { outlook.com }
> list "mutt.org" domain { mutt.org }
> list "broken mta" addr { \
> 12.5.136.141/32 \ # Southwest Airlines (unique sender)
> 12.5.136.142/32 \ # Southwest Airlines
> 12.5.136.143/32 \ # Southwest Airlines
> 12.5.136.144/32 \ # Southwest Airlines
> 12.107.209.244/32 \ # kernel.org (unique sender)
> 12.107.209.250/32 \ # sourceware.org (unique sender)
> 63.82.37.110/32 \ # SLmail
> 63.169.44.143/32 \ # Southwest Airlines
> 63.169.44.144/32 \ # Southwest Airlines
> 64.7.153.18/32 \ # sentex.ca (common pool)
> 64.12.136.0/24 \ # AOL (common pool)
> 64.12.137.0/24 \ # AOL
> 64.12.138.0/24 \ # AOL
> 64.124.204.39 \ # moveon.org (unique sender)
> 64.125.132.254/32 \ # collab.net (unique sender)
> 64.233.160.0/19 \ # Google
> 66.94.237.16/28 \ # Yahoo Groups servers (common pool)
> 66.94.237.32/28 \ # Yahoo Groups servers (common pool)
> 66.94.237.48/30 \ # Yahoo Groups servers (common pool)
> 66.100.210.82/32 \ # Groupwise?
> 66.135.192.0/19 \ # Ebay
> 66.162.216.166/32 \ # Groupwise?
> 66.206.22.82/32 \ # Plexor
> 66.206.22.83/32 \ # Plexor
> 66.206.22.84/32 \ # Plexor
> 66.206.22.85/32 \ # Plexor
> 66.218.66.0/23 \ # Yahoo Groups servers (common pool)
> 66.218.67.0/23 \ # Yahoo Groups servers (common pool)
> 66.218.68.0/23 \ # Yahoo Groups servers (common pool)
> 66.218.69.0/23 \ # Yahoo Groups servers (common pool)
> 66.27.51.218/32 \ # ljbtc.com (Groupwise)
> 66.102.0.0/20 \ # Google
> 66.249.80.0/20 \ # Google
> 72.14.192.0/18 \ # Google
> 74.125.0.0/16 \ # Google
> 152.163.225.0/24 \ # AOL
> 194.245.101.88/32 \ # Joker.com
> 195.235.39.19/32 \ # Tid InfoMail Exchanger v2.20
> 195.238.2.0/24 \ # skynet.be (weird retry pattern, common pool)
> 195.238.3.0/24 \ # skynet.be
> 195.46.220.208/32 \ # mgn.net
> 195.46.220.209/32 \ # mgn.net
> 195.46.220.210/32 \ # mgn.net
> 195.46.220.211/32 \ # mgn.net
> 195.46.220.221/32 \ # mgn.net
> 195.46.220.222/32 \ # mgn.net
> 195.238.2.0/24 \ # skynet.be (weird retry pattern)
> 195.238.3.0/24 \ # skynet.be
> 204.107.120.10/32 \ # Ameritrade (no retry)
> 205.188.0.0/16 \ # AOL
> 205.206.231.0/24 \ # SecurityFocus.com (unique sender)
> 207.115.63.0/24 \ # Prodigy - retries continually
> 207.171.168.0/24 \ # Amazon.com
> 207.171.180.0/24 \ # Amazon.com
> 207.171.187.0/24 \ # Amazon.com
> 207.171.188.0/24 \ # Amazon.com
> 207.171.190.0/24 \ # Amazon.com
> 209.132.176.174/32 \ # sourceware.org mailing lists (unique sender)
> 209.85.128.0/17 \ # Google
> 211.29.132.0/24 \ # optusnet.com.au (weird retry pattern)
> 213.136.52.31/32 \ # Mysql.com (unique sender)
> 216.33.244.0/24 \ # Ebay
> 216.239.32.0/19 \ # Google
> 217.158.50.178/32 \ # AXKit mailing list (unique sender)
> }
> list "grey users" rcpt { \
> user1@... \
> user2@... \
> user3@... \
> }
> racl "My Network" whitelist list "my network"
> racl "Broken MTA" whitelist list "broken mta"
> racl "outlook.com" whitelist list "outlook.com"
> racl "NoMoRobo" whitelist domain nomorobo.zendesk.com flushaddr
> racl "ZBS Foundation" whitelist domain zbs.org flushaddr
> racl "Linux Counter" whitelist domain linuxcounter.net flushaddr
> racl "Faith Church" whitelist domain faithchurchac.org flushaddr
> racl "spammers-4" blacklist domain qq.com flushaddr
> --
> ---- Fred Smith -- fredex@...
> -----------------------------
> "For him who is able to keep you from falling and to present you before
> his
> glorious presence without fault and with great joy--to the only God our
> Savior
> be glory, majesty, power and authority, through Jesus Christ our Lord,
> before
> all ages, now and forevermore! Amen."
> ----------------------------- Jude 1:24,25 (niv)
> -----------------------------
--
---- Fred Smith -- fredex@... -----------------------------
"Not everyone who says to me, 'Lord, Lord,' will enter the kingdom of
heaven, but only he who does the will of my Father who is in heaven."
------------------------------ Matthew 7:21 (niv) -----------------------------
Re: [milter-greylist] Blacklisting a spammer?
2018-11-05 by Fred Smith
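The thread works out by hand, with grep and sort, that one sender domain is showing up with many different local parts from many different client IPs, and that a couple of those tuples have flipped to AUTO (auto-whitelisted), after which mail from those hosts flows freely. The following is an added example, written for this page and not taken from milter-greylist or from anyone in the thread, that does the same audit over a greylist.db dump and also shows what the header regexes discussed above actually match. Assumptions: the dump line layout is the one visible in the excerpt (client IP, sender, recipient, Unix time, optional AUTO flag, then a "#" comment); Python's re module stands in for the POSIX ERE engine milter-greylist uses under extendedregex; the sample dump lines, header lines, addresses and IPs (documentation ranges) are constructed for the example, with qq.com kept as the domain under discussion.

```python
"""Audit a milter-greylist dump for a sender domain that keeps getting auto-whitelisted.

Added example for this thread, not milter-greylist's own code. It parses the
greylist.db dump format shown in the thread and reports, per sender domain,
how many distinct local parts and client IPs it was seen from and how many of
its tuples carry the AUTO flag. Python's re module stands in for the POSIX ERE
engine milter-greylist uses with `extendedregex`.
"""
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample, modelled on the dump excerpt in the thread. Local parts,
# recipient and IPs (RFC 5737 documentation ranges) are made up; qq.com is the
# domain under discussion.
SAMPLE_DUMP = """\
# milter-greylist dump (constructed sample)
192.0.2.10 <1000000001@qq.com> <user@example.org> 1540995534 # 2018-10-31 10:18:54
198.51.100.5 <1000000002@qq.com> <user@example.org> 1541107270 # 2018-11-01 17:21:10
203.0.113.44 <1000000001@qq.com> <user@example.org> 1541164427 # 2018-11-02 09:13:47
198.51.100.5 <1000000003@qq.com> <user@example.org> 1541259038 # 2018-11-03 11:30:38
198.51.100.5 <1000000004@qq.com> <user@example.org> 1541376051 AUTO # 2018-11-04 19:00:51
192.0.2.77 <1000000005@qq.com> <user@example.org> 1541402367 AUTO # 2018-11-05 02:19:27
203.0.113.9 <newsletter@example.net> <user@example.org> 1541400000 AUTO # 2018-11-05 01:40:00
"""

# ip <sender> <rcpt> unixtime [FLAG ...] [# comment]   (layout as seen in the thread)
DUMP_LINE = re.compile(
    r"^(?P<ip>\S+)\s+<(?P<sender>[^>]*)>\s+<(?P<rcpt>[^>]*)>\s+(?P<ts>\d+)"
    r"(?P<flags>(?:\s+[A-Z]+)*)\s*(?:#.*)?$"
)


@dataclass
class GreyTuple:
    ip: str
    sender: str
    rcpt: str
    ts: int
    flags: tuple


def parse_dump(text):
    """Return the greylist tuples in a dump; blank and comment lines are skipped."""
    out = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = DUMP_LINE.match(line)
        if not m:
            raise ValueError(f"unrecognised dump line: {line!r}")
        out.append(GreyTuple(m["ip"], m["sender"].lower(), m["rcpt"].lower(),
                             int(m["ts"]), tuple(m["flags"].split())))
    return out


def sender_domain(addr):
    """Domain part of an address, lower-cased; '' for a null/bounce sender."""
    return addr.rsplit("@", 1)[-1] if "@" in addr else ""


def domain_report(tuples):
    """Per sender domain: distinct local parts, distinct client IPs, AUTO count."""
    stats = defaultdict(lambda: {"senders": set(), "ips": set(), "auto": 0})
    for t in tuples:
        d = sender_domain(t.sender)
        stats[d]["senders"].add(t.sender)
        stats[d]["ips"].add(t.ip)
        if "AUTO" in t.flags:
            stats[d]["auto"] += 1
    return {d: {"senders": len(s["senders"]), "ips": len(s["ips"]), "auto": s["auto"]}
            for d, s in stats.items()}


def suspicious_domains(tuples, min_senders=3, min_ips=3):
    """Domains seen with many different local parts from many different hosts:
    the pattern the thread describes (one domain, random local parts, many IPs)."""
    return sorted(d for d, s in domain_report(tuples).items()
                  if s["senders"] >= min_senders and s["ips"] >= min_ips)


def auto_whitelisted_ips(tuples, domain):
    """Client IPs holding an AUTO tuple for the given sender domain; these keep
    delivering until their entries are flushed or expire."""
    return sorted({t.ip for t in tuples
                   if "AUTO" in t.flags and sender_domain(t.sender) == domain})


# Header patterns: the loose form used in the thread next to a tighter one.
LOOSE_FROM = re.compile(r"From:.*qq.com")            # '.' unescaped, unanchored
STRICT_FROM = re.compile(r"^From:.*@qq\.com>?\s*$")  # literal dot, anchored at the end


def header_hits(pattern, headers):
    """Header lines the pattern matches (re.search, i.e. unanchored like an ERE)."""
    return [h for h in headers if pattern.search(h)]


# Constructed header lines: two genuine qq.com senders, two that merely contain 'qq' + any char + 'com'.
SAMPLE_HEADERS = [
    "From: 1000000001@qq.com",
    "From: Sales <1000000002@qq.com>",
    "From: Ann <ann@qq.company.example>",
    "From: Bob <bob@example.org> (qqXcom)",
]

if __name__ == "__main__":
    tuples = parse_dump(SAMPLE_DUMP)
    for d, s in sorted(domain_report(tuples).items()):
        print(f"{d:20} local-parts={s['senders']} ips={s['ips']} auto={s['auto']}")
    print("suspicious:", suspicious_domains(tuples))
    print("AUTO hosts for qq.com:", auto_whitelisted_ips(tuples, "qq.com"))
    print("loose matches:", len(header_hits(LOOSE_FROM, SAMPLE_HEADERS)))
    print("strict matches:", header_hits(STRICT_FROM, SAMPLE_HEADERS))
```

Two practical points follow from running it. First, the AUTO hosts are the ones to chase: a greylist entry that has been auto-whitelisted is precisely the one a later `flushaddr` clause is meant to remove, so the list above is a quick check that the new `dacl ... flushaddr` lines are actually hitting the hosts that matter. Second, `From:.*qq.com` also matches `qq.company.example` and the literal `qqXcom`, because the unescaped dot matches any character and the pattern is not anchored; `@qq\.com>?\s*$` keeps the match on the real domain. One caveat on the earlier `racl ... blacklist domain qq.com` attempt, as I read the milter-greylist.conf manual: a `domain` clause is matched against the reverse DNS name of the connecting client, not the envelope sender, so hosts that merely claim a qq.com sender address will never trip it; `from` (envelope sender) or the `header` clauses used above are the clauses that look at the address the spam actually carries.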