[Mimedefang] Fw: [Sare-users] Spam with numbers in subj and body
Damrose, Mark
mdamrose at elgin.edu
Wed Jun 7 11:29:57 EDT 2006
> -----Original Message-----
> From: Paul Whittney
> After reading some of the items here, I thought to take a
> look at my logs, and see if there is a pattern of spam/ham to
> the $MessageID.
>
> First problem I had was that I hadn't got the filter logging
> the info, so I've started syslogging
> filter_(subroutine),$QueueID,$MessageId,.....
sendmail logs this, so you don't need to have a separate log in MD.
k57FI4Sh026183: from=<user at example.com>, size=2974, class=0, nrcpts=1,
msgid=<06345F16BD04984 at mx.example.com>, proto=ESMTP, daemon=MTA,
relay=mx.example.com [192.0.2.15]
> Found, for example:
> k57Cmi17006408,spam, 7.398, <000001c68a34$99299710$a442a8c0 at bxb41>
> k57D7ZbK006518,spam, 7.398, <000001c68a37$43c1da50$9a70a8c0 at tul44>
> k57DNX0K006687,spam,15.212, <000001c68a39$7ef963c0$7ec5a8c0 at bss34>
> k57DP8Vs006708,spam, 8.249, <000001c68a39$ab508e30$53b8a8c0 at gdt80>
> k57DYuvp006769,spam,26.097, <001801c68a3b$2a7fe880$bc11a8c0 at qege>
> k57CqfVK006437,spam,28.497,
> <005801c68a35$0fd2a280$631f000a at 59.95.128.199>
>
> Following this, I was thinking that having some sort of
> signature, or fingerprint for an email (like nmap's
> fingerprints of OS's), but then I suppose this is what Razor
> (etc...) do?
This particular fingerprint would be from a little used program called MS
Outlook Express. Block this, and your volume of mail will go WAY down.
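
Added example, not part of the original post or of MIMEDefang: since sendmail already logs `msgid=` next to the queue ID, a filter log that records only queue ID, verdict and score can be joined to it afterwards. The log lines below are constructed samples in the formats quoted above, and the filter-log layout and function names are assumptions.

```python
import re
from collections import Counter

# Constructed sendmail syslog lines ("@" restored where the archive wrote " at ").
SENDMAIL_LOG = """\
Jun  7 08:48:44 mx sendmail[6408]: k57Cmi17006408: from=<a@example.com>, size=2974, class=0, nrcpts=1, msgid=<000001c68a34$99299710$a442a8c0@bxb41>, proto=ESMTP, daemon=MTA, relay=host.example.net [192.0.2.15]
Jun  7 08:48:45 mx sendmail[6408]: k57Cmi17006408: to=<b@example.org>, delay=00:00:01, stat=Sent
Jun  7 09:18:04 mx sendmail[6183]: k57FI4Sh026183: from=<user@example.com>, size=1200, class=0, nrcpts=1, msgid=<06345F16BD04984@mx.example.com>, proto=ESMTP, daemon=MTA, relay=mx.example.com [192.0.2.15]
"""

# Hypothetical filter log: queue ID, verdict, score (no Message-ID needed).
FILTER_LOG = """\
k57Cmi17006408,spam,7.398
k57FI4Sh026183,ham,0.100
k57XXXXX000000,spam,9.000
"""

# Only the "from=" line of a queue ID carries msgid=; "to=" lines do not match.
FROM_RE = re.compile(r"(\w+): from=<[^>]*>.*?\bmsgid=(<[^>]*>)")
# Shape of the Message-IDs in the quoted samples: 12 hex $ 8 hex $ 8 hex @ host.
DOLLAR_SHAPE = re.compile(r"^<[0-9a-f]{12}\$[0-9a-f]{8}\$[0-9a-f]{8}@[^>]+>$", re.I)


def msgids_by_queue_id(sendmail_log):
    """Map sendmail queue ID -> Message-ID taken from the from= log line."""
    found = {}
    for line in sendmail_log.splitlines():
        m = FROM_RE.search(line)
        if m:
            found[m.group(1)] = m.group(2)
    return found


def shape(msgid):
    """Coarse Message-ID fingerprint; None means sendmail logged no msgid."""
    if msgid is None:
        return "not logged"
    return "hex$hex$hex@host" if DOLLAR_SHAPE.match(msgid) else "other"


def tally(sendmail_log, filter_log):
    """Count (Message-ID shape, verdict) pairs by joining both logs on queue ID."""
    ids = msgids_by_queue_id(sendmail_log)
    counts = Counter()
    for row in filter_log.splitlines():
        qid, verdict, _score = (field.strip() for field in row.split(","))
        counts[(shape(ids.get(qid)), verdict)] += 1
    return counts


if __name__ == "__main__":
    for key, n in sorted(tally(SENDMAIL_LOG, FILTER_LOG).items()):
        print(key, n)
```
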