Recent uptick in spam?

Vernon Schryver vjs@calcite.rhyolite.com
Fri Apr 28 18:52:51 UTC 2006


> From: "Chris Aseltine" 
> Subject: Recent uptick in spam?

I don't see any big recent changes in the DCC graphs at
http://www.rhyolite.com/anti-spam/dcc/graphs/index.cgi?resol=1month
I also don't see big changes in SpamCop's graphs at 
http://www.spamcop.net/spamgraph.shtml?spammonth

> However, since April 17th, I've been seeing about one a day get through both
> DCC and greylisting.  The headers invariably look like this:
>
> =======
> Return-Path: <Fellows.rktr@nbizloan.com>
> Received: from mail.nbizloan.com (mail.nbizloan.com [160.79.37.112])
>  by dakota.newsnation.com (8.13.6/8.13.6) with ESMTP id k3R5keoT020181
>  for <ophidian@newsnation.com>; Thu, 27 Apr 2006 00:46:40 -0500

> the web server hosting the pitch have never been in the SBL-XBL (etc.) that

> Any ideas?  I've clicked through all the unsubscribe links (I've actually
> had luck with the ones that purport to follow CAN-SPAM) but don't expect
> much resolution.

Until they get around to hitting Spamhaus's traps and get added to the
SBL, you might add them to your own blacklist. A line like the following
should stop them, provided you are running dccproc, dccm, or dccifd
with -Smail_host (see DCCIFD_ARGS in /var/dcc/dcc_conf):

many	substitute mail_host  mail.nbizloan.com


If you are using -SHELO, then judging from samples sent to my traps,
this line should work:

many   substitute helo   nbizloan.com

The samples I see have good (i.e. bad) DCC checksums and so should be
caught by the DCC.  Is there any chance that you've somehow accidentally
whitelisted this spammer?   The dccproc, dccifd, or dccm log files for
the spam should tell the whole story.  I don't see any relevant NANAS
reports, so maybe it is trying to be very careful about its targets.


Vernon Schryver    vjs@rhyolite.com


