Recent uptick in spam?

Vernon Schryver
Fri Apr 28 18:52:51 UTC 2006

> From: "Chris Aseltine" 
> Subject: Recent uptick in spam?

I don't see any big recent changes in the DCC graphs at
I also don't see big changes in SpamCop's graphs at

> However, since April 17th, I've been seeing about one a day get through both
> DCC and greylisting.  The headers invariably look like this:
> =======
> Return-Path: <>
> Received: from ( [])
>  by (8.13.6/8.13.6) with ESMTP id k3R5keoT020181
>  for <>; Thu, 27 Apr 2006 00:46:40 -0500

> the web server hosting the pitch have never been in the SBL-XBL (etc.) that

> Any ideas?  I've clicked through all the unsubscribe links (I've actually
> had luck with the ones that purport to follow CAN-SPAM) but don't expect
> much resolution.

Until they get around to hitting Spamhaus's traps and get added to the
SBL, you might add them to your own blacklist.  A line like the following
should stop them, provided you are running dccproc, dccm, or dccifd
with -Smail_host (see DCCIFD_ARGS in /var/dcc/dcc_conf):

many	substitute mail_host

If you are using -SHELO, then judging from samples sent to my traps,
this line should work:

many	substitute helo

The samples I see have good (i.e. bad) DCC checksums and so should be
caught by the DCC.  Is there any chance that you've somehow accidentally
whitelisted this spammer?   The dccproc, dccifd, or dccm log files for
the spam should tell the whole story.  I don't see any relevant NANAS
reports, so maybe it is trying to be very careful about its targets.

Vernon Schryver

