Thread: Anyone seeing 'Coffins in Atlanta' spam?

  1. #1

    I apologize if this is an inappropriate place, but Google comes up far too short on this topic.

    We are seeing a ton of email from Return-Path: survivalist@<somedomain.com>
    Always with this pattern Subject: <TRULY SCARY|DISTURBING>: Is FEMA Storing 500,000+ PLASTIC COFFINS Near Atlanta?

    Now, I made some changes to our setup yesterday and after adding these 3 new restrictions:
    Code:
    zimbraMtaRestriction: reject_rbl_client zen.spamhaus.org
    zimbraMtaRestriction: reject_rbl_client dnsbl.sorbs.net
    zimbraMtaRestriction: reject_rbl_client bl.spamcop.net
    and it is catching them:
    Code:
    zen.spamhaus.org             101
    bl.spamcop.net                11
    dnsbl.sorbs.net               10
    sbl.spamhaus.org               4
    =================================
    Total DNSBL rejections:       126
    I added this to /opt/zimbra/conf/salocal.cf.in
    blacklist_from survivalist@

    Last night it hit me as I lay down, I seem to have forgotten the * and today, sure enough, Coffin spam from survivalist@
    So I edited /opt/zimbra/conf/salocal.cf.in added what I hope is correct:
    Code:
    blacklist_from survivalist@* 
    I also stole an example from here on how to create a test rule in /opt/zimbra/conf/spamassassin/20_phrases.cf, so I added
    Code:
    # Each rule needs its own name, and score/describe must use the header's name
    header LOCAL_DEMONSTRATION_COFFINS Subject =~ /\bcoffins\b/i
    score LOCAL_DEMONSTRATION_COFFINS 5.0
    describe LOCAL_DEMONSTRATION_COFFINS This is a simple test rule

    header LOCAL_DEMONSTRATION_LASIK Subject =~ /\blasik\b/i
    score LOCAL_DEMONSTRATION_LASIK 5.0
    describe LOCAL_DEMONSTRATION_LASIK This is a simple test rule
    but I did alter the score from 0.1 to 5.0

    We are not utilizing DSPAM says the log: "No $dspam, not using it"

    I have these references:
    Improving Anti-spam system - Zimbra :: Wiki
    Zimbra_MTA
    Zimbra_MTA#Anti-Spam_Protection
    Zimbra_MTA#Turning_On_or_Off_RBLs
    King0770-Notes-Spam_Info
    CLI_zmtrainsa
    trying-understand-zimbras-anti-spam-system
    ubuntu-804lts-admin-gui-error-rbls-workaround
    spam-tuning-question-zimbramtarestriction-not-showing-up
    drbcheck
    and of course...
    Zimbra administration_guide

    but today, I will re-read Improving Anti-spam system - Zimbra :: Wiki and am considering DSPAM.

    Thank you all for your time.

    Edit0:
    The headers from an example:
    Code:
    Return-Path: survivalist@jumpmaxathleticgear.com
    Received: from mail.cirrhus9.com (LHLO cirrhus9b.cirrhus9.com)
     (75.101.139.254) by cirrhus9b.cirrhus9.com with LMTP; Wed, 12 Dec 2012
     04:42:25 -0800 (PST)
    Received: from localhost (localhost.localdomain [127.0.0.1])
        by cirrhus9b.cirrhus9.com (Postfix) with ESMTP id 10E8F1095919
        for <mmichalik@cirrhus9.com>; Wed, 12 Dec 2012 04:42:25 -0800 (PST)
    X-Virus-Scanned: amavisd-new at cirrhus9b.cirrhus9.com
    X-Spam-Flag: YES
    X-Spam-Score: 8.146
    X-Spam-Level: ********
    X-Spam-Status: Yes, score=8.146 tagged_above=-10 required=6.6
        tests=[BAYES_99=3.5, FH_DATE_PAST_20XX=3.188, HTML_MESSAGE=0.001,
        MIME_HTML_ONLY=1.457]
    Received: from cirrhus9b.cirrhus9.com ([127.0.0.1])
        by localhost (cirrhus9b.cirrhus9.com [127.0.0.1]) (amavisd-new, port 10024)
        with ESMTP id V+ujVZ07cWX3 for <mmichalik@cirrhus9.com>;
        Wed, 12 Dec 2012 04:42:21 -0800 (PST)
    Received: from links.jumpmaxathleticgear.com (links.jumpmaxathleticgear.com [209.126.229.39])
        by cirrhus9b.cirrhus9.com (Postfix) with ESMTP id 277E31095918
        for <mmichalik@cirrhus9.com>; Wed, 12 Dec 2012 04:42:20 -0800 (PST)
    Date: Wed, 12 Dec 2012 07:40:09 -0500
    To: <mmichalik@cirrhus9.com>
    Subject: TRULY SCARY: Is FEMA Storing 500,000+ PLASTIC COFFINS Near Atlanta?
    Message-ID: <4307694382958591590@links.jumpmaxathleticgear.com>
    Mime-Version: 1.0
    From: "Be Prepared" <survivalist@jumpmaxathleticgear.com>
    Content-Type: text/html; charset=us-ascii
    Content-Transfer-Encoding: 8bit
    Content-Disposition: inline
    Edit1:
    Kill percent: = 75
    Tag percent: = 33
    Last edited by cirrhus9_JJ; 12-12-2012 at 08:45 AM.
    JJ_of_c9

  2. #2

    I would just do this :

    Code:
    header	S_01	Subject =~ /\bIs FEMA Storing 500,000\b/i
    score		S_01	77.0
    describe	S_01	Kill Atlanta SPAM
    You'll never see that one again (unless they change the subject somewhat, then you adjust again too).

  3. #3

    n4bbq:

    Boss says spam is down 80% since making these changes.
    If it persists, I will re-edit and apply the snippet you suggested.

    Thank you for your time

    Have a Great Day!
    JJ_of_c9
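
An added example, not code from any poster in this thread: a small Python check for local SpamAssassin `header`/`score` lines that flags a `score` naming no defined rule, then adds the matching rules' scores to the X-Spam-Score shown in the posted headers. The rule names and sample rule text are constructed, Python's `re` stands in for Perl regex, and the tag/kill thresholds assume the percentages are taken of 20 (which agrees with `required=6.6` at Tag percent 33).

```python
import re

# Constructed sample rules in the style posted in this thread (hypothetical names).
RULES = r"""
header   LOCAL_COFFINS_SUBJECT  Subject =~ /\bcoffins\b/i
score    LOCAL_COFFINS_RULE     5.0
header   LOCAL_FEMA_SUBJECT     Subject =~ /\bIs FEMA Storing 500,000\b/i
score    LOCAL_FEMA_SUBJECT     77.0
"""
SUBJECT = "TRULY SCARY: Is FEMA Storing 500,000+ PLASTIC COFFINS Near Atlanta?"
BASE_SCORE = 8.146       # X-Spam-Score from the headers posted above
TAG = 20 * 33 / 100      # assumption: tag percent is a percentage of 20 -> 6.6
KILL = 20 * 75 / 100     # same assumption for kill percent -> 15.0
DEFAULT_SCORE = 1.0      # SpamAssassin's score for a rule with no score line

HEADER_RE = re.compile(r"^header\s+(\S+)\s+(\S+)\s+=~\s+/(.*)/(i?)$")

def parse(text):
    """Return ({name: (header, regex)}, {name: score}, [problems])."""
    headers, scores, problems = {}, {}, []
    for line in (l.strip() for l in text.splitlines()):
        m = HEADER_RE.match(line)
        if m:
            name, hdr, pat, flag = m.groups()
            if name in headers:
                problems.append(f"duplicate rule name {name}")
            # Python's re stands in for Perl regex; fine for these simple patterns.
            headers[name] = (hdr, re.compile(pat, re.I if flag else 0))
        elif line.split()[:1] == ["score"]:
            _, name, value = line.split()
            scores[name] = float(value)
    problems += [f"score for undefined rule {n}" for n in scores if n not in headers]
    problems += [f"rule {n} has no score line, default {DEFAULT_SCORE} applies"
                 for n in headers if n not in scores]
    return headers, scores, problems

def verdict(subject, base, headers, scores):
    """Add the scores of matching Subject rules to base, then classify."""
    hits = [n for n, (hdr, rx) in headers.items()
            if hdr == "Subject" and rx.search(subject)]
    total = round(base + sum(scores.get(n, DEFAULT_SCORE) for n in hits), 3)
    state = "kill" if total >= KILL else "tag" if total >= TAG else "deliver"
    return hits, total, state

if __name__ == "__main__":
    headers, scores, problems = parse(RULES)
    print("\n".join(problems))
    print(verdict(SUBJECT, BASE_SCORE, headers, scores))
```

Under the stated threshold assumption, a correctly named 5.0 rule on its own would lift the sample from 8.146 to 13.146, which is still tagged rather than killed.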