Wizard IT Products

Hello,

Our client are complaining that they are receiving in huge volumes of SPAM mails everyday, below are the some headers.

1.
Received: (qmail 19383 invoked from network); 4 Feb 2010 16:42:08 +0530
Received-SPF: pass (plesk01.diadem-tech.com: domain of t-com.hr designates 93.142.175.186 as permitted sender) client-ip=93.142.175.186; envelope-from=geisisytoj4461@t-com.hr; helo=t-com.hr;
Received: from 93-142-175-186.adsl.net.t-com.hr (HELO t-com.hr) (93.142.175.186)
by mailer01.diadem-tech.com with (RC4-MD5 encrypted) SMTP; 4 Feb 2010 16:42:08 +0530
From: "VIAGRA (c) Trusted Dealer" <geisisytoj4461@t-com.hr>
To: kaushikm@adept-software.com
Subject: User kaushikm Great Offer, 84% off
MIME-Version: 1.0
Content-Type: text/html; charset="ISO-8859-1"
Content-Transfer-Encoding: 7bit
X-Scanned: 4PSA Clean Server on Feb 04 16:42:08

2.
Received: (qmail 20682 invoked from network); 4 Feb 2010 16:20:55 +0530
Received-SPF: pass (plesk01.diadem-tech.com: domain of airbites.ro designates 89.34.241.1 as permitted sender) client-ip=89.34.241.1; envelope-from=zaiecywiou6645@airbites.ro; helo=airbites.ro;
Received: from user2305.bc.airbites.ro (HELO airbites.ro) (89.34.241.1)
by mailer01.diadem-tech.com with (RC4-MD5 encrypted) SMTP; 4 Feb 2010 16:20:53 +0530
From: "VIAGRA (c) Trusted Dealer" <zaiecywiou6645@airbites.ro>
To: kaushikm@adept-software.com
Subject: User kaushikm Great Offer, 84% off
MIME-Version: 1.0
Content-Type: text/html; charset="ISO-8859-1"
Content-Transfer-Encoding: 7bit
X-Scanned: 4PSA Clean Server on Feb 04 16:20:55

3.
Received: (qmail 16264 invoked from network); 4 Feb 2010 17:23:34 +0530
Received-SPF: pass (plesk01.diadem-tech.com: domain of superkabel.de designates 95.90.196.171 as permitted sender) client-ip=95.90.196.171; envelope-from=juadi7080@superkabel.de; helo=superkabel.de;
Received: from 95-90-196-171-dynip.superkabel.de (HELO superkabel.de) (95.90.196.171)
by mailer01.diadem-tech.com with (RC4-MD5 encrypted) SMTP; 4 Feb 2010 17:23:34 +0530
From: "VIAGRA (c) Trusted Dealer" <juadi7080@superkabel.de>
To: sanjoyd@aptsoftware.com
Subject: User sanjoyd Great Offer, 84% off
MIME-Version: 1.0
Content-Type: text/html; charset="ISO-8859-1"
Content-Transfer-Encoding: 7bit
X-Scanned: 4PSA Clean Server on Feb 04 17:23:34

4.
Received: (qmail 4059 invoked from network); 3 Feb 2010 22:02:00 +0530
Received-SPF: neutral (plesk01.diadem-tech.com: 80.122.195.70 is neither permitted nor denied by domain of mediaways.net) client-ip=80.122.195.70; envelope-from=exope2440@mediaways.net; helo=mediaWays.net;
Received: from mail.wbg-business.at (HELO mediaWays.net) (80.122.195.70)
by mailer01.diadem-tech.com with (RC4-MD5 encrypted) SMTP; 3 Feb 2010 22:01:59 +0530
From: "VIAGRA (c) Trusted Dealer" <exope2440@mediaWays.net>
To: sanjoyd@aptsoftware.com
Subject: User sanjoyd Great Offer, 84% off
MIME-Version: 1.0
Content-Type: text/html; charset="ISO-8859-1"
Content-Transfer-Encoding: 7bit
X-Scanned: 4PSA Clean Server on Feb 03 22:02:00

5.
Received: (qmail 20274 invoked from network); 3 Feb 2010 21:27:14 +0530
Received-SPF: pass (plesk01.diadem-tech.com: domain of archi.fr designates 194.199.202.253 as permitted sender) client-ip=194.199.202.253; envelope-from=ogesyw4176@archi.fr; helo=archi.fr;
Received: from anto.versailles.archi.fr (HELO archi.fr) (194.199.202.253)
by mailer01.diadem-tech.com with (RC4-MD5 encrypted) SMTP; 3 Feb 2010 21:27:12 +0530
From: "VIAGRA (c) Trusted Dealer" <ogesyw4176@archi.fr>
To: sanjoyd@aptsoftware.com
Subject: User sanjoyd Great Offer, 84% off
MIME-Version: 1.0
Content-Type: text/html; charset="ISO-8859-1"
Content-Transfer-Encoding: 7bit
X-Scanned: 4PSA Clean Server on Feb 03 21:27:15

Below are the MagicSpam settings.

Best Practices Policies
Block messages from IP (no domain) Enabled
Block Mail Servers on Dynamic/Dial-up Addresses Disabled
Perform reverse lookup check Disabled
Block Mail Servers reported as Spam Source Enabled
Confirm Server Identification Resolves (HELO) Disabled
Strict address parsing Enabled
Sending server must identify itself (HELO) Enabled
Valid FROM domain Enabled
Server Identification must be valid (HELO) Enabled

IP Reputation
UCEPROTECT-1 Disabled
UCEPROTECT-2 Disabled
UCEPROTECT-3 Disabled
PSBL Enabled
SORBS-DUL Enabled
MIPSPACE Disabled
RATS-DYNA Enabled
RATS-NOPTR Enabled
RATS-SPAM Enabled

Please suggest the best solution.

Regards,
Diadem

Hello Diadem,

The discussion of uncaught spam is normally one that we ask be forwarded to our spam auditing team at spamauditor@linuxmagic.com, however, let us review.

Message #1: This message would have been caught quite handily by the check_dynamic_reverse_dns rule - friendly label: "Block Mail Servers on Dynamic/Dial-up Addresses" which you presently have disabled.

Message #2: the source IP has since been added to PSBL block list as a spam outbreak source. Your lists should be updated now and your server should be protected from that particular spam leak.

Message #3: Again - this message would have been blocked by check_dynamic_reverse_dns

Message #4: the source IP has also been added to PSBL

Message #5: Also added to PSBL

If you do find other patterns of abuse that you feel should be brought to our attention, please forward said messages with full headers intact (forward as attachment) to spamauditor@linuxmagic.com where our auditing team can perform a comprehensive review.

As well, not sure if you saw or not, but we have posted a critical notification regarding recent events with spamassassin (if you use it in conjunction with MagicSpam and 4PSA) at:

http://forums.wizard.ca/viewtopic.php?f=17&t=1415

Hello,

We have enabled "Block Mail Servers on Dynamic/Dial-up Addresses", and also done the changes in spamassassin settings as per the guide line. Let us check will update you.

Thanks & Regards,
Diadem

Hello,

Thank you for the prompt reply. We have enabled the rule "Block Mail Servers on Dynamic/Dial-up Addresses" and also done the changes in spamassassin settings as per your guideline. Let us check, will update you accordingly.

Thanks & Regards,
Diadem

Helllo,

We are still receiving the SPAM mails. Below is mail header.

DomainKey-Status: non-participant from=evygoqygel4559@mtnl.net.in;
domainkeys=fail
Received: from [66.228.124.150] (UIDL=4:UID26243-1208500419) by diadem.co.in (VPOP3) with POP3; Fri, 5 Feb 2010 14:20:43 +0530
Received: (qmail 31229 invoked by uid 110); 5 Feb 2010 14:13:17 +0530
Delivered-To: 114-support@diadem.co.in
Received: (qmail 31215 invoked from network); 5 Feb 2010 14:13:17 +0530
Received-SPF: neutral (plesk01.diadem-tech.com: 75.126.183.6 is neither permitted nor denied by domain of mtnl.net.in) client-ip=75.126.183.6; envelope-from=evygoqygel4559@mtnl.net.in; helo=plesk02.diadem-tech.com;
Received: from mailer02.diadem-tech.com (HELO plesk02.diadem-tech.com) (75.126.183.6)
by mailer01.diadem-tech.com with (DHE-RSA-AES256-SHA encrypted) SMTP; 5 Feb 2010 14:13:17 +0530
Received: (qmail 2858 invoked from network); 5 Feb 2010 14:13:17 +0530
Received-SPF: neutral (plesk02.diadem-tech.com: 120.62.169.74 is neither permitted nor denied by domain of mtnl.net.in) client-ip=120.62.169.74; envelope-from=evygoqygel4559@mtnl.net.in; helo=mtnl.net.in;
Received: from triband-mum-120.62.169.74.mtnl.net.in (HELO mtnl.net.in) (120.62.169.74)
by diadem-tech.com with (RC4-MD5 encrypted) SMTP; 5 Feb 2010 14:13:17 +0530
From: "VIAGRA (c) Direct Distributor" <evygoqygel4559@mtnl.net.in>
To: support@diadem.co.in
Subject: User support Buy on 81% cheaper price
MIME-Version: 1.0
Content-Type: text/html; charset="ISO-8859-1"
Content-Transfer-Encoding: 7bit
X-Scanned: 4PSA Clean Server on Feb 05 14:13:17
X-Scanned: 4PSA Clean Server on Feb 05 14:13:17

We have also forwarded the mail to spamauditor@linuxmagic.com for your review.

Thanks & Regards,
Diadem

Greetings,

was that last message delivered before or after you enabled the check_dynamic_reverse_dns rule? It should have been stopped by that rule.

One thing that is somewhat odd in this whole message is the number of hops being seen in the message.

Tracing the 'received' headers, the original message came from 120.62.169.74 - which has a reverse DNS matching the check_dynamic_reverse_dns rule. This message was received by server mailer02.diadem-tech.com (75.126.183.6).

It then hops to be received by plesk02.diadem-tech.com. I am assuming your company runs both mailer02 and plesk02 servers? I am assuming that MagicSpam is installed on plesk02? Is it also installed on mailer02?

Is mailer02 a mail relay for your plesk domains? Is your plesk server configured to trust mailer02 as a trusted to relay source? If so, then MagicSpam by design will 'trust' that your level of trust is justified and bypass certain rules as a result.

Please let us know if this is the case.