MANY, BUT MANY SPAM IN THIS WEEKEND

m0rpheu5
Posts: 22
Joined: Mon Mar 29, 2010 7:14 am

MANY, BUT MANY SPAM IN THIS WEEKEND

Post by m0rpheu5 » Tue Nov 16, 2010 6:45 am

Hello guys, please verify; I don't know what is happening. Normally I receive 5-10 spam messages per weekend, but today I received more than 200. Some headers follow below. I have ALL the listnames enabled, and in the Best Practices Rules only "Confirm Server Identification Resolves (HELO)" is disabled; the rest are enabled. What do I have to do to stop receiving these messages? The first one I received with a VIRUS too.

Return-Path: <luis.carlos@mkfinanceira.com>
X-Original-To: suporte@oxynet.com.br
Delivered-To: suporte@oxynet.com.br
Received: from br02.oxynet.com.br (unknown [127.0.0.1])
by br02.oxynet.com.br (Postfix) with ESMTP id B85B231E88C3
for <suporte@oxynet.com.br>; Tue, 16 Nov 2010 13:33:24 +0000 (UTC)
Received: from mail.mkfinanceira.com (unknown [173.192.104.120])
by br02.oxynet.com.br (Postfix) with ESMTP
for <suporte@oxynet.com.br>; Tue, 16 Nov 2010 13:33:24 +0000 (UTC)
Received: by mail.mkfinanceira.com (Postfix, from userid 0)
id BE5937A9521; Tue, 16 Nov 2010 07:31:01 -0600 (CST)
content-type: text/html; charset=iso-8859-1
Subject: Comprovante de Depósito.
From: luis.carlos@mkfinanceira.com
To: suporte@oxynet.com.br
Message-Id: <20101116133310.BE5937A9521@mail.mkfinanceira.com>
Date: Tue, 16 Nov 2010 07:31:01 -0600 (CST)


Other Header:
Return-Path: <untruerxw918@maxplan2020.com>
X-Original-To: mailer-daemon@itaf.com.br
Delivered-To: noc@oxynet.com.br
Received: by br02.oxynet.com.br (Postfix)
id 2912431E831A; Tue, 16 Nov 2010 11:15:34 -0200 (BRST)
Delivered-To: root@localhost.localdomain
Received: by br02.oxynet.com.br (Postfix)
id 2785C31E8318; Tue, 16 Nov 2010 11:15:34 -0200 (BRST)
Delivered-To: postmaster@localhost.localdomain
Received: by br02.oxynet.com.br (Postfix)
id 25A2131E831A; Tue, 16 Nov 2010 11:15:34 -0200 (BRST)
Delivered-To: mailer-daemon@localhost.localdomain
Received: from br02.oxynet.com.br (unknown [127.0.0.1])
by br02.oxynet.com.br (Postfix) with ESMTP id 4479C31E8318
for <mailer-daemon@itaf.com.br>; Tue, 16 Nov 2010 13:15:33 +0000 (UTC)
Received: from PXVNJAT (unknown [119.157.96.33])
by br02.oxynet.com.br (Postfix) with ESMTP
for <mailer-daemon@itaf.com.br>; Tue, 16 Nov 2010 13:15:33 +0000 (UTC)
Received: from 119.157.96.33 by smtp.secureserver.net; Tue, 16 Nov 2010 05:15:26 -0800
Message-ID: <000d01cb8590$553eb970$6400a8c0@untruerxw918>
From: "Wide range of watches." <untruerxw918@maxplan2020.com>
To: <mailer-daemon@itaf.com.br>
Subject: Own a Ferrari pen today and you will see how your status grows. Accessories of world known designers is what you need now.
Date: Tue, 16 Nov 2010 05:15:26 -0800
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="----=_NextPart_000_0007_01CB8590.553EB970"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2900.2180
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2180

Other Header:
Return-Path: <amasoft@equipmentpause.com>
X-Original-To: noc@oxynet.com.br
Delivered-To: noc@oxynet.com.br
Received: from br02.oxynet.com.br (unknown [127.0.0.1])
by br02.oxynet.com.br (Postfix) with ESMTP id 58C8431E8934
for <noc@oxynet.com.br>; Tue, 16 Nov 2010 11:08:37 +0000 (UTC)
Received: from 63-162-48-199.static.reverse.nodesdirect.com (unknown [199.48.162.63])
by br02.oxynet.com.br (Postfix) with ESMTP
for <noc@oxynet.com.br>; Tue, 16 Nov 2010 11:08:37 +0000 (UTC)
Date: Tue, 16 Nov 2010 11:08:12 +0000
From: =?UTF-8?Q?Acrobat=20Clearance?= <amasoft@equipmentpause.com>
To: =?UTF-8?Q?Software=20User?= <noc@oxynet.com.br>
Subject: =?UTF-8?Q?The=20Just=20Released=20Software,=20CS5=20Suite=20and?=
=?UTF-8?Q?=20more=20at=20Acrobat=20Clearance?=
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="---=_NextPart_00A4_OF0P_EY"
Message-Id: <20101116110837.58C8431E8934@br02.oxynet.com.br>

Other Header:
Return-Path: <shiftlessnessbt796@mikebennett.com>
X-Original-To: postmaster@clubseg.com
Delivered-To: noc@oxynet.com.br
Received: by br02.oxynet.com.br (Postfix)
id 5BF0E31E8A48; Tue, 16 Nov 2010 09:04:06 -0200 (BRST)
Delivered-To: root@localhost.localdomain
Received: by br02.oxynet.com.br (Postfix)
id 58E3331E8A49; Tue, 16 Nov 2010 09:04:06 -0200 (BRST)
Delivered-To: postmaster@localhost.localdomain
Received: from br02.oxynet.com.br (unknown [127.0.0.1])
by br02.oxynet.com.br (Postfix) with ESMTP id 7622A31E8A48
for <postmaster@clubseg.com>; Tue, 16 Nov 2010 11:04:05 +0000 (UTC)
Received: from FZXNSJPWDO (unknown [58.20.40.166])
by br02.oxynet.com.br (Postfix) with ESMTP
for <postmaster@clubseg.com>; Tue, 16 Nov 2010 11:04:05 +0000 (UTC)
Received: from [58.20.40.166] (port=9589 helo=PC201010261355)
by mx2.daemonmail.net with asmtp
id 0F4F51-000991-02
for <postmaster@clubseg.com>; Tue, 16 Nov 2010 19:04:02 +0800
Message-ID: <DA1A26FB5264478C86A33BD76118A35A@PC201010261355>
From: "Emory Murray" <shiftlessnessbt796@mikebennett.com>
To: <postmaster@clubseg.com>
Subject: Have a role of real macho now. Make passing by ladies notice you.
Date: Tue, 16 Nov 2010 19:04:02 +0800
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="----=_NextPart_000_0005_01CB857D.FA0B6C90"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Windows Mail 6.0.6001.18000
X-MimeOLE: Produced By Microsoft MimeOLE V6.0.6001.18049
X-Spam: Not detected
X-Mras: Ok

Other Header:
Return-Path: <no-reply@rolex.com>
X-Original-To: noc@oxynet.com.br
Delivered-To: noc@oxynet.com.br
Received: from br02.oxynet.com.br (unknown [127.0.0.1])
by br02.oxynet.com.br (Postfix) with ESMTP id E7DCF31E8A5D
for <noc@oxynet.com.br>; Mon, 15 Nov 2010 11:37:20 +0000 (UTC)
Received: from ppp-2-85-15-97.home.otenet.gr (unknown [2.85.15.97])
by br02.oxynet.com.br (Postfix) with SMTP
for <noc@oxynet.com.br>; Mon, 15 Nov 2010 11:37:20 +0000 (UTC)
From: Rolex.com <no-reply@rolex.com>
To: noc@oxynet.com.br
Subject: noc@oxynet.com.br Rolex For You 07% 0FF!
Mime-Version: 1.0
Content-type: text/html; charset="utf-8"
Content-Transfer-Encoding: 7bit
Message-Id: <20101115113720.E7DCF31E8A5D@br02.oxynet.com.br>
Date: Mon, 15 Nov 2010 09:37:20 -0200 (BRST)

Other Header:
Return-Path: <no-reply@rolex.com>
X-Original-To: noc@oxynet.com.br
Delivered-To: noc@oxynet.com.br
Received: from br02.oxynet.com.br (unknown [127.0.0.1])
by br02.oxynet.com.br (Postfix) with ESMTP id 3105231E8A3E
for <noc@oxynet.com.br>; Mon, 15 Nov 2010 10:46:37 +0000 (UTC)
Received: from HP-PC (unknown [175.136.208.83])
by br02.oxynet.com.br (Postfix) with SMTP
for <noc@oxynet.com.br>; Mon, 15 Nov 2010 10:46:36 +0000 (UTC)
From: Rolex.com <no-reply@rolex.com>
To: noc@oxynet.com.br
Subject: noc@oxynet.com.br Rolex For You 91% 0FF!
Mime-Version: 1.0
Content-type: text/html; charset="utf-8"
Content-Transfer-Encoding: 7bit
Message-Id: <20101115104637.3105231E8A3E@br02.oxynet.com.br>
Date: Mon, 15 Nov 2010 08:46:37 -0200 (BRST)


For these last two emails, I received more than 50 emails identical to this one, but the IPs are always different; I think that just adding these IPs to the blacklist won't work, I need to set up a way to block those messages.

magicspam
Posts: 1553
Joined: Tue Oct 28, 2008 2:27 pm

Re: MANY, BUT MANY SPAM IN THIS WEEKEND

Post by magicspam » Tue Nov 16, 2010 10:33 am

Greetings m0rpheu5 and thanks for your post.

Out of the gate, we do need to point out that MagicSpam is not anti-virus software.

Looking at the second message in your list with the Received: header from unknown 119.157.96.33: This appears to be a classic case of a viral payload home PC: you will note that the IP has no PTR record associated with it at all, and it is using a single-name HELO commonly seen with home PCs. Have you tracked down the associated MagicSpam log entry for this message at all? Is it possible there was an exemption record in place for the recipient? One thing you can do to track this down quickly would be to run the command:

grep 119.157.96.33 /var/log/magicspam/*

The 3rd message in your list (199.48.162.63) should have triggered the check_dynamic_reverse_dns rule. Again, if you could provide the log entry from MagicSpam for that message it should help to track down the issue.

4th message in your list also has no PTR record and as such should have triggered check_ip_reverse_dns rule.

5th message in your list should have triggered check_dynamic_reverse_dns.

6th message should have triggered check_ip_reverse_dns (no PTR record).

If you could please provide the MagicSpam log entries for those messages this should help to determine the answer to 'why' they weren't caught.

Thanks!
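The three signals magicspam points at above (no PTR record, a dynamic-looking reverse name, and a bare single-label HELO) can all be read straight off the first external `Received:` hop that Postfix wrote. The script below is an added illustration for this thread, not MagicSpam's code or its actual rule implementation: it parses the `from <helo> (<rdns> [<ip>])` form Postfix uses, skips the loopback re-injection hop, and flags each message. The dynamic-name word list is an assumed heuristic, and the `mx.example.org` / `192.0.2.10` sample is constructed; the other sample `Received:` lines are copied from the headers posted in this thread.

```python
import re
from ipaddress import ip_address

# Postfix records the client it accepted mail from as:
#   Received: from <HELO name> (<reverse DNS name or "unknown"> [<IP>])
# "unknown" means the PTR lookup failed or did not forward-confirm.
RECEIVED_RE = re.compile(
    r"^Received:\s+from\s+(?P<helo>\S+)\s+"
    r"\((?P<rdns>[^\s\[\]]+)\s+\[(?P<ip>[0-9.]+)\]\)",
    re.MULTILINE,
)

# Words that usually label consumer / dynamic address pools.
# Assumption: an illustrative heuristic, not MagicSpam's own rule list.
DYNAMIC_WORDS = re.compile(
    r"(dynamic|dyn|ppp|dsl|dhcp|cable|dial|pool|static\.reverse)", re.IGNORECASE
)


def octets_in_name(ip: str, name: str) -> bool:
    """True when all four octets of `ip` occur as separate tokens in `name`,
    e.g. 63-162-48-199.static.reverse.nodesdirect.com for 199.48.162.63."""
    octets = ip.split(".")
    tokens = re.split(r"[.\-_]", name.lower())
    return len(octets) == 4 and all(o in tokens for o in octets)


def first_external_hop(headers: str):
    """Return (helo, rdns, ip) for the hop where the MX accepted the mail from
    outside. Received: headers are newest-first, so skip the loopback
    re-injection hop (127.0.0.1 in the posted headers) and take the next one."""
    for m in RECEIVED_RE.finditer(headers):
        ip = m.group("ip")
        if ip_address(ip).is_loopback:
            continue
        return m.group("helo"), m.group("rdns"), ip
    return None


def classify(headers: str) -> dict:
    """Apply the three checks discussed in the thread to one message's headers."""
    hop = first_external_hop(headers)
    if hop is None:
        return {"ip": None, "helo": None, "rdns": None, "flags": []}
    helo, rdns, ip = hop
    flags = []
    if rdns == "unknown":
        flags.append("no_valid_ptr")  # the condition check_ip_reverse_dns looks for
    # With no PTR, the HELO name is the only name left to pattern-match against.
    name = rdns if rdns != "unknown" else helo
    if DYNAMIC_WORDS.search(name) or octets_in_name(ip, name):
        flags.append("dynamic_looking_name")  # check_dynamic_reverse_dns territory
    if "." not in helo.strip("[]"):
        flags.append("bare_helo")  # single-label HELO, typical of an infected home PC
    return {"ip": ip, "helo": helo, "rdns": rdns, "flags": flags}


# Sample inputs: Received: lines copied from the headers posted in the thread,
# plus one constructed legitimate hop (192.0.2.10 is documentation address space).
SAMPLES = {
    "watches": (
        "Received: from br02.oxynet.com.br (unknown [127.0.0.1])\n"
        "\tby br02.oxynet.com.br (Postfix) with ESMTP id 4479C31E8318\n"
        "Received: from PXVNJAT (unknown [119.157.96.33])\n"
        "\tby br02.oxynet.com.br (Postfix) with ESMTP\n"
    ),
    "acrobat": (
        "Received: from br02.oxynet.com.br (unknown [127.0.0.1])\n"
        "Received: from 63-162-48-199.static.reverse.nodesdirect.com "
        "(unknown [199.48.162.63])\n"
    ),
    "rolex": "Received: from ppp-2-85-15-97.home.otenet.gr (unknown [2.85.15.97])\n",
    "legit": "Received: from mx.example.org (mx.example.org [192.0.2.10])\n",
}


def flags_for(sample: str) -> list:
    """Convenience wrapper: the flag list for one named sample."""
    return classify(SAMPLES[sample])["flags"]


if __name__ == "__main__":
    for sample in SAMPLES:
        print(f"{sample:8s} {classify(SAMPLES[sample])}")
```

Run against the thread's own headers, every spam sample gets at least one flag while the constructed legitimate hop gets none, which is the outcome magicspam expects from the rules named above; a message that arrives with a flag but no matching MagicSpam log entry is the case worth tracking down with the grep command.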

m0rpheu5
Posts: 22
Joined: Mon Mar 29, 2010 7:14 am

Re: MANY, BUT MANY SPAM IN THIS WEEKEND

Post by m0rpheu5 » Fri Nov 26, 2010 5:27 am

Guys, I continue receiving many, but many, spam messages; some headers follow below.

Return-Path: <inhumanlyg35@leasdollpatterns.com>
X-Original-To: anonymous@oxynet.com.br
Delivered-To: noc@oxynet.com.br
Received: by br02.oxynet.com.br (Postfix)
id B4E2531E8327; Fri, 26 Nov 2010 10:01:03 -0200 (BRST)
Delivered-To: anonymous@localhost.localdomain
Received: from br02.oxynet.com.br (unknown [127.0.0.1])
by br02.oxynet.com.br (Postfix) with ESMTP id 878B831E831D
for <anonymous@oxynet.com.br>; Fri, 26 Nov 2010 12:01:02 +0000 (UTC)
Received: from NQSBYXQTK (unknown [125.167.49.57])
by br02.oxynet.com.br (Postfix) with ESMTP
for <anonymous@oxynet.com.br>; Fri, 26 Nov 2010 12:01:02 +0000 (UTC)
Received: from [125.167.49.57] (port=1856 helo=PC6)
by with asmtp
id 9A0D99-000838-30
for <anonymous@oxynet.com.br>; Fri, 26 Nov 2010 04:00:59 -0800
Message-ID: <726AC126DF90431797E07A641E00D0C5@PC6>
From: "Janet Daugherty" <inhumanlyg35@leasdollpatterns.com>
To: <anonymous@oxynet.com.br>
Subject: Have a longer item than you dreamed. obtain long item with our method.
Date: Fri, 26 Nov 2010 04:00:59 -0800
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="----=_NextPart_000_0005_01CB8D61.96B79970"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Windows Mail 6.0.6001.18000
X-MimeOLE: Produced By Microsoft MimeOLE V6.0.6001.18049
X-Spam: Not detected
X-Mras: Ok

Other one:
Return-Path: <kneadw1@adoptsmalldogs.com>
X-Original-To: postmaster@clubseg.com
Delivered-To: noc@oxynet.com.br
Received: by br02.oxynet.com.br (Postfix)
id 06C8E31E8336; Fri, 26 Nov 2010 10:15:33 -0200 (BRST)
Delivered-To: root@localhost.localdomain
Received: by br02.oxynet.com.br (Postfix)
id 04C2F31E82ED; Fri, 26 Nov 2010 10:15:33 -0200 (BRST)
Delivered-To: postmaster@localhost.localdomain
Received: from br02.oxynet.com.br (unknown [127.0.0.1])
by br02.oxynet.com.br (Postfix) with ESMTP id A598C31E8336
for <postmaster@clubseg.com>; Fri, 26 Nov 2010 12:15:31 +0000 (UTC)
Received: from static.vdc.vn (unknown [113.160.224.131])
by br02.oxynet.com.br (Postfix) with ESMTP
for <postmaster@clubseg.com>; Fri, 26 Nov 2010 12:15:31 +0000 (UTC)
Received: from [113.160.224.131] (port=6094 helo=PM0128)
by nullmx.adoptsmalldogs.com with asmtp
id 76999B-0004C1-70
for <postmaster@clubseg.com>; Fri, 26 Nov 2010 19:15:24 +0700
Message-ID: <DA82CA9A6B714DFDA797A101A344AA33@PM0128>
From: "Myles Olsen" <kneadw1@adoptsmalldogs.com>
To: <postmaster@clubseg.com>
Subject: =?koi8-r?B?WW91IGRvbpJ0IGhhdmUgdG8gZ3JhZHVhdGUgZnJvbSB1bml2ZXJzaXR5?=
=?koi8-r?B?IHRvIGhhdmUgYSBkaXBsb21hLCBvcmRlciBpdC4=?=
Date: Fri, 26 Nov 2010 19:15:24 +0700
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="----=_NextPart_000_0005_01CB8D63.9A9F9720"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Windows Mail 6.0.6001.18000
X-MimeOLE: Produced By Microsoft MimeOLE V6.0.6001.18049
X-Spam: Not detected
X-Mras: Ok

Other one:
Return-Path: <0-0001i8-00@bbdo.at>
X-Original-To: anonymous@oxynet.com.br
Delivered-To: noc@oxynet.com.br
Received: by br02.oxynet.com.br (Postfix)
id 3098D31E830C; Thu, 25 Nov 2010 13:03:04 -0200 (BRST)
Delivered-To: anonymous@localhost.localdomain
Received: from br02.oxynet.com.br (unknown [127.0.0.1])
by br02.oxynet.com.br (Postfix) with ESMTP id A178B31E82CD
for <anonymous@oxynet.com.br>; Thu, 25 Nov 2010 15:03:03 +0000 (UTC)
Received: from 220-139-205-233.dynamic.hinet.net (unknown [220.139.205.233])
by br02.oxynet.com.br (Postfix) with ESMTP
for <anonymous@oxynet.com.br>; Thu, 25 Nov 2010 15:03:03 +0000 (UTC)
Received: from [43.131.77.112] (account 0-2kokbas@asg.com.tr HELO zyolzf.ecurvgwu.biz)
by 220-139-205-233.dynamic.hinet.net (CommuniGate Pro SMTP 5.2.3)
with ESMTPA id 041606130 for anonymous@oxynet.com.br; Thu, 25 Nov 2010 23:03:02 +0800
From: 0-2kokbas@asg.com.tr
To: <anonymous@oxynet.com.br>
Subject: anonymous
Date: Thu, 25 Nov 2010 23:03:02 +0800
MIME-Version: 1.0
Content-Type: text/plain;
charset="Windows-1252"
Content-Transfer-Encoding: 7bit
X-Mailer: xvryavc_99
Message-ID: <5573598798.7230DA7X224433@wciwyhukx.uyplhkxbqpk.net>

And one more:
Return-Path: <EnlargePenis.Hi2@yahoo.com>
X-Original-To: guilherme@oxynet.com.br
Delivered-To: guilherme@oxynet.com.br
Received: from br02.oxynet.com.br (unknown [127.0.0.1])
by br02.oxynet.com.br (Postfix) with ESMTP id 564FA31E83E7
for <guilherme@oxynet.com.br>; Wed, 24 Nov 2010 17:44:14 +0000 (UTC)
Received: from home-856994cfbc (unknown [89.252.120.33])
by br02.oxynet.com.br (Postfix) with ESMTP
for <guilherme@oxynet.com.br>; Wed, 24 Nov 2010 17:44:13 +0000 (UTC)
Received: from home-856994cfbc (localhost [127.0.0.1])
by home-856994cfbc (8.13.4/8.13.7) with SMTP id h4SXFH1Fz446
for <guilherme@oxynet.com.br>; Wed, 24 Nov 2010 20:45:11 +0300
(envelope-from EnlargePenis.Hi2@yahoo.com)
Message-Id: <201011241745.YEVCJ90477UYBYF179675@home-856994cfbc>
To: guilherme@oxynet.com.br
Date: Wed, 24 Nov 2010 20:45:11 +0300
Subject: It's just cool!
From: <EnlargePenis.Hi2@yahoo.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=windows-1251
Content-Transfer-Encoding: 8bit
X-Antivirus: avast! (VPS 100211-0, 11.02.2010), Outbound message
X-Antivirus-Status: Clean


From this EnlargePenis.Hi2 sender I have received almost 20 emails.

Thanks

magicspam
Posts: 1553
Joined: Tue Oct 28, 2008 2:27 pm

Re: MANY, BUT MANY SPAM IN THIS WEEKEND

Post by magicspam » Fri Nov 26, 2010 3:53 pm

Hello,

We have checked these additional emails and each of them should have triggered one of the rules which are enabled by default. Could you please send us which rules you currently have enabled?

Thanks!
