Unerkannte Spam-Flut

[Carpeventum]

Hallo Zusammen,

seit einigen Tagen sind wir Ziel einer Spam-Flut mit kyrillischen Werbetexten bzw. Werbegrafiken im Anhang. Die Mails werden leider nicht als Spam klassifiziert. Die Absender stehen nicht auf der Whitelist.

Anbei einige aktuelle Header als Beispiele:


Return-Path: <roddenberryd424@bk.ru>
Received: from unsere_domain ([unix socket])
by callisto.unsere_domain.local (Cyrus v2.3.14) with LMTPA;
Wed, 12 Aug 2009 09:56:16 +0200
X-Sieve: CMU Sieve 2.3
Received: from localhost (callisto.unsere_domain.local [127.0.0.1])
by localhost (Postfix) with ESMTP id 8F3931E075
for <empfänger@unsere_domain>; Wed, 12 Aug 2009 09:56:15 +0200 (CEST)
Received: from cube1.unsere_domain (cube1.unsere_domain.local)
by unsere_domain (Postfix) with ESMTP id A11961E073
for <empfänger@unsere_domain>; Wed, 12 Aug 2009 09:56:13 +0200 (CEST)
Received: from [190.241.229.15] (unknown [190.241.229.15])
by cube1.unsere_domain (Postfix) with ESMTP id 15BD2F7E6;
Wed, 12 Aug 2009 09:56:14 +0200 (CEST)
Received: from [132.8.51.126] (account roddenberryd424@bk.ru HELO bzyavoqldwxlh.phoyr.ua)
by (CommuniGate Pro SMTP 5.2.3)
with ESMTPA id 565019920 for empfänger@unsere_domain; Wed, 12 Aug 2009 01:56:12 -0600
Message-ID: <1296065116.VBMBT8HU978779@jarsyyxkbttic.ianhlik.s u>
From: =?koi8-r?B?89TBzsnTzMHXIA==?= <exuma@aol.com>
To: <empfänger@unsere_domain>
Subject: ***SPAM*** =?koi8-r?B?8+/n7OHz7/fh7unlIPDl8uXw7OHu6fLv9+/r?=
Date: Wed, 12 Aug 2009 01:56:12 -0600
MIME-Version: 1.0
Content-Type: text/plain;
charset="koi8-r"
Content-Transfer-Encoding: 8bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 5.50.4133.2400
X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4133.2400
X-Virus-Scanned: by Intranator (www.intra2net.com) with AMaViS and F-Secure AntiVirus (fsavdb 2009-08-12_04)
X-Spam-Status: hits=20.8
tests=[BAYES_99=3.5,FORGED_MUA_OUTLOOK=3.116,FROM_EXCESS_ BASE64=1.456,I2N_RAZOR_ADJUST_2=-3,I2N_RAZOR_ADJUST_3=-3,RAZOR2_CF_RANGE_51_100=3.5,RAZOR2_CF_RANGE_E4_51 _100=3.5,RAZOR2_CHECK=3.5,RCVD_IN_BL_SPAMCOP_NET=2 .5,RCVD_IN_CBL=1.5,RCVD_IN_UCEPROTECT1=0.5,RDNS_NO NE=1.5,TVD_SPACE_RATIO=2.219]
X-Spam-Level: 1208






Return-Path: <boyery28@sanyo-machine.co.jp>
Received: from unsere_domain ([unix socket])
by callisto.unsere_domain.local (Cyrus v2.3.14) with LMTPA;
Wed, 12 Aug 2009 05:43:05 +0200
X-Sieve: CMU Sieve 2.3
Received: from localhost (callisto.unsere_domain.local [127.0.0.1])
by localhost (Postfix) with ESMTP id ECD001E073
for <empfänger@unsere_domain>; Wed, 12 Aug 2009 05:43:04 +0200 (CEST)
Received: from callisto.unsere_domain.local (callisto.unsere_domain.local [127.0.0.1])
by unsere_domain (Postfix) with ESMTP id 684C51E06F
for <empfänger@unsere_domain>; Wed, 12 Aug 2009 05:43:01 +0200 (CEST)
Received: from mail.unsere_domain []
by callisto.unsere_domain.local with POP3 (fetchmail-6.3.9)
for <empfänger@unsere_domain> (multi-drop); Wed, 12 Aug 2009 05:43:01 +0200 (CEST)
Received: from ens41fl..de (root@localhost)
by unsere_domain (8.12.11.20060308/8.12.11) with ESMTP id n7C3gDfP028541
for <empfänger@unsere_domain>; Wed, 12 Aug 2009 05:42:19 +0200
Received: from SGZXGOARTV ([123.22.12.101])
by (8.12.11.20060308/8.12.11) with ESMTP id n7C3g0AI028432
for <empfänger@unsere_domain>; Wed, 12 Aug 2009 05:42:06 +0200
X-ClientAddr: 123.22.12.101
X-Envelope-To: <empfänger@unsere_domain>
Received: from 123.22.12.101 by fw.sanyo-machine.co.jp; Wed, 12 Aug 2009 10:41:58 +0700
Message-ID: <000d01ca1afe$d815e790$6400a8c0@boyery28>
From: =?koi8-r?B?88HbwSDzwdfXwdTFxdfJ3g==?= <boyery28@sanyo-machine.co.jp>
To: <empfänger@unsere_domain>
Subject: ***SPAM*** =?koi8-r?B?7sUg1cTBzNHK1MUg3NTPINDJ09jNzw==?=
Date: Wed, 12 Aug 2009 10:41:58 +0700
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="----=_NextPart_000_0007_01CA1AFE.D815E790"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 4.72.3110.3
X-MimeOLE: Produced By Microsoft MimeOLE V4.72.3110.3
X-Virus-Scanned: ClamAV version 0.93, clamav-milter version 0.93 on 82.140.32.218
X-Virus-Status: Clean
X-Virus-Scanned: by Intranator (www.intra2net.com) with AMaViS and F-Secure AntiVirus (fsavdb 2009-08-11_17)
X-Spam-Status: hits=19.9
tests=[BAYES_80=2,FROM_EXCESS_BASE64=1.456,HTML_FONT_SIZE _LARGE=0.001,HTML_MESSAGE=0.001,I2N_RAZOR_ADJUST_2 =-3,I2N_RAZOR_ADJUST_3=-3,MIME_QP_LONG_LINE=1.396,RAZOR2_CF_RANGE_51_100=3 .5,RAZOR2_CF_RANGE_E4_51_100=3.5,RAZOR2_CHECK=3.5, RCVD_IN_BL_SPAMCOP_NET=2.5,RCVD_IN_CBL=1.5,RCVD_IN _NIX_SPAM=2.5,RCVD_IN_SPAMRATS_NOPTR=0.5,RDNS_NONE =1.5,XMAILER_MIMEOLE_OL_83BF7=2.069]
X-Spam-Level: 1199

[Carpeventum]

Return-Path: <septicemia14@ya.ru>
Received: from unsere_domain ([unix socket])
by callisto.unsere_domain.local (Cyrus v2.3.14) with LMTPA;
Wed, 12 Aug 2009 02:35:29 +0200
X-Sieve: CMU Sieve 2.3
Received: from localhost (callisto.unsere_domain.local [127.0.0.1])
by localhost (Postfix) with ESMTP id 7DA011E073
for <empfänger@unsere_domain>; Wed, 12 Aug 2009 02:35:29 +0200 (CEST)
Received: from cube1.unsere_domain (cube1.unsere_domain.local)
by unsere_domain (Postfix) with ESMTP id E8E5C1E06F
for <empfänger@unsere_domain>; Wed, 12 Aug 2009 02:35:27 +0200 (CEST)
Received: from tpnet.pl (evj137.neoplus.adsl.tpnet.pl [83.20.207.137])
by cube1.unsere_domain (Postfix) with ESMTP id 2863BFA70;
Wed, 12 Aug 2009 02:35:28 +0200 (CEST)
Received: from localhost (tai.ru [127.0.0.1])
by tai.ru (8.14.2/8.14.2) with SMTP id hqdaz219;
Wed, 12 Aug 2009 01:35:27 +0100
(envelope-from wujyc@tai.ru)
To: Bernd <empfänger@unsere_domain>
Subject: ***SPAM*** =?koi8-r?B?8MXSxdPUwc7Y1MUg3snUwdTYLg==?=
X-PHP-Script: tai.ru/index.php
From: =?koi8-r?B?4sXMz9rF0s/XICAgICAgIA==?= <wujyc@tai.ru>
Auto-Submitted: auto-generated
Message-ID: <9128811607.20090812013527@tai.ru>
MIME-Version: 1.0
Content-Type: text/plain; charset="koi8-r"
Content-Transfer-Encoding: 8bit
X-Priority: 3
X-Mailer: PHP machine
Date: Wed, 12 Aug 2009 01:35:27 +0100
X-Virus-Scanned: by Intranator (www.intra2net.com) with AMaViS and F-Secure AntiVirus (fsavdb 2009-08-11_17)
X-Spam-Status: hits=16.5
tests=[BAYES_99=3.5,FROM_EXCESS_BASE64=1.456,I2N_RAZOR_AD JUST_2=-3,I2N_RAZOR_ADJUST_3=-3,RAZOR2_CF_RANGE_51_100=3.5,RAZOR2_CF_RANGE_E4_51 _100=3.5,RAZOR2_CHECK=3.5,RCVD_IN_BL_SPAMCOP_NET=2 .5,RCVD_IN_CBL=1.5,RCVD_IN_NIX_SPAM=2.5,RCVD_IN_UC EPROTECT1=0.5]
X-Spam-Level: 1165






Return-Path: <refitk3@aol.com>
Received: from unsere_domain ([unix socket])
by callisto.unsere_domain.local (Cyrus v2.3.14) with LMTPA;
Tue, 11 Aug 2009 16:32:28 +0200
X-Sieve: CMU Sieve 2.3
Received: from localhost (callisto.unsere_domain.local [127.0.0.1])
by localhost (Postfix) with ESMTP id 583DF1E073
for <empfänger@unsere_domain>; Tue, 11 Aug 2009 16:32:28 +0200 (CEST)
Received: from cube1.unsere_domain (cube1.unsere_domain.local)
by unsere_domain (Postfix) with ESMTP id 85FC01E06F
for <empfänger@unsere_domain>; Tue, 11 Aug 2009 16:32:26 +0200 (CEST)
Received: from [201.59.220.14] (unknown [201.59.220.14])
by cube1.unsere_domain (Postfix) with ESMTP id 685F3F9F8;
Tue, 11 Aug 2009 16:31:41 +0200 (CEST)
Received: from 201.59.220.14 by mailin-02.mx.aol.com; Tue, 11 Aug 2009 11:31:40 -0300
Message-ID: <01ca1a77$4bd28a40$0edc3bc9@refitk3>
From: =?koi8-r?B?98HMxdLJyiDuz9PP1w==?= <refitk3@aol.com>
To: <empfänger@unsere_domain>
Subject: ***SPAM*** =?koi8-r?B?8sHazcXT1MnNIPfB0yDOwSDEz9PLwcggySDGz9LVzcHI?=
Date: Tue, 11 Aug 2009 11:31:40 -0300
MIME-Version: 1.0
Content-Type: text/plain;
charset="koi8-r"
Content-Transfer-Encoding: 8bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 5.50.4927.1200
X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4927.1200
X-Virus-Scanned: by Intranator (www.intra2net.com) with AMaViS and F-Secure AntiVirus (fsavdb 2009-08-11_15)
X-Spam-Status: hits=16.0
tests=[BAYES_95=3,FROM_EXCESS_BASE64=1.456,I2N_RAZOR_ADJU ST_2=-3,I2N_RAZOR_ADJUST_3=-3,RAZOR2_CF_RANGE_51_100=3.5,RAZOR2_CF_RANGE_E4_51 _100=3.5,RAZOR2_CHECK=3.5,RCVD_IN_BL_SPAMCOP_NET=2 .5,RCVD_IN_CBL=1.5,RCVD_IN_SORBS_WEB=0.5,RCVD_IN_U CEPROTECT1=0.5,RCVD_IN_WPBL=0.5,RDNS_NONE=1.5]
X-Spam-Level: 1160

[Carpeventum]

Return-Path: <wilton03@narod.ru>
Received: from unsere_domain ([unix socket])
by callisto.unsere_domain.local (Cyrus v2.3.14) with LMTPA;
Tue, 11 Aug 2009 15:45:05 +0200
X-Sieve: CMU Sieve 2.3
Received: from localhost (callisto.unsere_domain.local [127.0.0.1])
by localhost (Postfix) with ESMTP id BC4201E076
for <empfänger@unsere_domain>; Tue, 11 Aug 2009 15:45:04 +0200 (CEST)
Received: from callisto.unsere_domain.local (callisto.unsere_domain.local [127.0.0.1])
by unsere_domain (Postfix) with ESMTP id 18D5E1E073
for <empfänger@unsere_domain>; Tue, 11 Aug 2009 15:45:03 +0200 (CEST)
Received: from mail.unsere_domain
by callisto.unsere_domain.local with POP3 (fetchmail-6.3.9)
for <empfänger@unsere_domain> (multi-drop); Tue, 11 Aug 2009 15:45:03 +0200 (CEST)
Received: from (root@localhost)
by unsere_domain (8.12.11.20060308/8.12.11) with ESMTP id n7BDi7Jo013888
for <empfänger@unsere_domain>; Tue, 11 Aug 2009 15:44:07 +0200
Received: from FJLCBMQJ ([59.93.113.161])
by (8.12.11.20060308/8.12.11) with ESMTP id n7BDho0s013679
for <empfänger@unsere_domain>; Tue, 11 Aug 2009 15:43:53 +0200
X-ClientAddr: 59.93.113.161
X-Envelope-To: <empfänger@unsere_domain>
Received: from 59.93.113.161 by mx1.yandex.ru; Tue, 11 Aug 2009 19:13:46 +0530
From: "Dixie Maloney" <wilton03@narod.ru>
To: <empfänger@unsere_domain>
Subject: ***SPAM*** =?koi8-r?B?8+z19uLhIPBP/vTv9/noIPLh8/P57E/r?=
Date: Tue, 11 Aug 2009 19:13:46 +0530
Message-ID: <000d01ca1a89$c01bce90$6400a8c0@wilton03>
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="----=_NextPart_000_0006_01CA1A89.C01BCE90"
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook, Build 10.0.3416
X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4133.2400
Importance: Normal
X-Virus-Scanned: ClamAV version 0.93, clamav-milter version 0.93 on 82.140.32.218
X-Virus-Status: Clean
X-Virus-Scanned: by Intranator (www.intra2net.com) with AMaViS and F-Secure AntiVirus (fsavdb 2009-08-11_09)
X-Spam-Status: hits=10.7
tests=[BAYES_60=1,HTML_FONT_SIZE_HUGE=0.057,HTML_MESSAGE= 0.001,I2N_RAZOR_ADJUST_2=-3,I2N_RAZOR_ADJUST_3=-3,MIME_QP_LONG_LINE=1.396,OUTLOOK_3416=1.744,RAZOR 2_CF_RANGE_51_100=3.5,RAZOR2_CF_RANGE_E4_51_100=3. 5,RAZOR2_CHECK=3.5,RCVD_IN_SPAMRATS_NOPTR=0.5,RDNS _NONE=1.5]
X-Spam-Level: 1107






Return-Path: <croquettec1@list.ru>
Received: from unsere_domain ([unix socket])
by callisto.unsere_domain.local (Cyrus v2.3.14) with LMTPA;
Tue, 11 Aug 2009 13:45:05 +0200
X-Sieve: CMU Sieve 2.3
Received: from localhost (callisto.unsere_domain.local [127.0.0.1])
by localhost (Postfix) with ESMTP id 80FED1E074
for <empfänger@unsere_domain>; Tue, 11 Aug 2009 13:45:05 +0200 (CEST)
Received: from callisto.unsere_domain.local (callisto.unsere_domain.local [127.0.0.1])
by unsere_domain (Postfix) with ESMTP id 5E6E41E06F
for <empfänger@unsere_domain>; Tue, 11 Aug 2009 13:45:03 +0200 (CEST)
Received: from mail.unsere_domain
by callisto.unsere_domain.local with POP3 (fetchmail-6.3.9)
for <empfänger@unsere_domain> (multi-drop); Tue, 11 Aug 2009 13:45:03 +0200 (CEST)
Received: from (root@localhost)
by unsere_domain (8.12.11.20060308/8.12.11) with ESMTP id n7BBgx7F000535
for <empfänger@unsere_domain>; Tue, 11 Aug 2009 13:42:59 +0200
Received: from GYGLULQRYV ([89.122.143.200])
by (8.12.11.20060308/8.12.11) with ESMTP id n7BBgs8a000501
for <empfänger@unsere_domain>; Tue, 11 Aug 2009 13:42:55 +0200
X-ClientAddr: 89.122.143.200
X-Envelope-To: <empfänger@unsere_domain>
Received: from 89.122.143.200 by mxs.mail.ru; Tue, 11 Aug 2009 06:42:49 -0600
From: "Josue Lopez" <croquettec1@list.ru>
To: <empfänger@unsere_domain>
Subject: ***SPAM*** =?koi8-r?B?9+7p7eHu6eUhIPJBQ0P57Ovp?=
Date: Tue, 11 Aug 2009 06:42:49 -0600
Message-ID: <000d01ca1a78$da51ebc0$6400a8c0@croquettec1>
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="----=_NextPart_000_0006_01CA1A78.DA51EBC0"
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook, Build 10.0.3416
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1478
Importance: Normal
X-Virus-Scanned: ClamAV version 0.93, clamav-milter version 0.93 on 82.140.32.218
X-Virus-Status: Clean
X-Virus-Scanned: by Intranator (www.intra2net.com) with AMaViS and F-Secure AntiVirus (fsavdb 2009-08-11_08)
X-Spam-Status: hits=18.6
tests=[BAYES_60=1,HTML_FONT_SIZE_LARGE=0.001,HTML_MESSAGE =0.001,I2N_RAZOR_ADJUST_2=-3,I2N_RAZOR_ADJUST_3=-3,MIME_QP_LONG_LINE=1.396,OUTLOOK_3416=1.744,RAZOR 2_CF_RANGE_51_100=3.5,RAZOR2_CF_RANGE_E4_51_100=3. 5,RAZOR2_CHECK=3.5,RCVD_IN_BL_SPAMCOP_NET=2.5,RCVD _IN_CBL=1.5,RCVD_IN_NIX_SPAM=2.5,RCVD_IN_PSBL=0.5, RCVD_IN_SORBS_WEB=0.5,RCVD_IN_SPAMRATS_NOPTR=0.5,R CVD_IN_UCEPROTECT1=0.5,RDNS_NONE=1.5]
X-Spam-Level: 1186

[bjoerns]

Hallo,

also wie ich in den Headern erkennen kann, klassifiziert der Spamfilter die Spam-Emails einwandfrei:

X-Spam-Status: hits=10.7
X-Spam-Status: hits=18.6
X-Spam-Status: hits=16.5
X-Spam-Status: hits=16.0
X-Spam-Status: hits=20.8
X-Spam-Status: hits=19.9

In der Standard Konfiguration ist der Globale Spamfilter deaktiviert und erkannte Spam Emails (Punktewert > 8) werden in den Spamfolder verschoben, Spamverdacht (Punktewert > 5 < 8) wird in den Ordner Spamverdacht verschoben.

Alle geposteten Spam-Emails wurden im Header mit ***SPAM*** markiert.

Ich glaube eher, dass an den Einstellungen wie mit erkanntem Spam verfahren wird, etwas nicht stimmt.

Wenn die Mails von den Clients per IMAP direkt vom Intranator abgeholt werden, empfehlen wir, den Benutzerbasierten Spamfilter zu aktivieren. Wenn Sie einen Exchange o.ä. einsetzten, empfehlen wir, den globalen Spamfilter zu nutzen, der die Mails im Betreff dann entsprechend markiert, wie es hier der Fall ist.

Wie wollen Sie denn filtern?

Nähere Informationen dazu finden Sie unter folgendem Link:

http://www.intra2net.com/de/support/...il-filter-spam

MFG Björn

[Carpeventum]

Hallo,

wups, die falschen Auszüge erwischt - anbei eine Mail von heute früh:


Return-Path: <airheadsl03@hotmail.com>
Received: from callisto.unsere_domain ([unix socket])
by callisto.unsere_domain (Cyrus v2.3.14) with LMTPA;
Thu, 13 Aug 2009 08:08:09 +0200
X-Sieve: CMU Sieve 2.3
Received: from localhost (callisto.unsere_domain [127.0.0.1])
by localhost (Postfix) with ESMTP id 1F93F1E075
for <empfänger@unsere_domain>; Thu, 13 Aug 2009 08:08:09 +0200 (CEST)
Received: from cube1.unsere_domain (cube1.unsere_domain)
by callisto.unsere_domain (Postfix) with ESMTP id 8476B1E06F
for <empfänger@unsere_domain>; Thu, 13 Aug 2009 08:08:08 +0200 (CEST)
Received: from [118.97.34.194] (unknown [118.97.34.194])
by cube1.unsere_domain (Postfix) with ESMTP id CB698FC0C;
Thu, 13 Aug 2009 08:08:08 +0200 (CEST)
Received: from 118.97.34.194 by hm.ua
Date: Thu, 13 Aug 2009 14:08:06 +0800
From: =?koi8-r?B?6d3VINPP1NLVxM7Jy8EgMfM=?= <utu@hm.ua>
X-Mailer: PHP 4.3
Reply-To: apuxa@hm.ua
X-Priority: 3 (Normal)
To: empfänger@unsere_domain
Subject: =?koi8-r?B?8NLFxMzBx8HFzSDSwcLP1NUgxMzRINDSz8fSwc3NydPUz9 cgMfN2OA==?=
MIME-Version: 1.0
Content-Type: text/plain;
charset=koi8-r
Content-Transfer-Encoding: 8bit
X-Virus-Scanned: by Intranator (www.intra2net.com) with AMaViS and F-Secure AntiVirus (fsavdb 2009-08-13_02)
X-Amavis-Alert: BANNED, message contains part: text/plain,.exe
X-Spam-Status: hits=0.0
X-Spam-Level: 1000
Message-Id: <20090813060809.1F93F1E075@callisto.unsere_domai n>


Wir setzen anwenderseitig POP3 ein. Die Schwellwerte stehen auf 5 und 8.

[Thomas Jarosch]

Hallo,

X-Amavis-Alert: BANNED, message contains part: text/plain,.exe
X-Spam-Status: hits=0.0

Laut Anhangfilter enthielt diese Nachricht eine ".exe" Datei. Gesperrte Anhänge und Viren werden nicht auf Spam überprüft. Allerdings ist die Erkennung für .exe Dateien zu scharf eingestellt und hält manchen chinesischen oder koreanischen Spam für eine .exe Datei. Wir werden die Erkennung mit den nächsten Update verbessern. Gerne können wir Ihnen vorab einen Hotfix einspielen.

Herzliche Grüße,
Thomas Jarosch

[Carpeventum]

Hallo Herr Jarosch,

vielen Dank. Wann wird das nächste Update in etwa erscheinen? Aus Erfahrung erfolgt dies doch immer in recht kurzer Folge. Wenn dies bereits absehbar ist, wäre ein Hotfix nicht notwendig.

[Thomas Jarosch]

Hallo,

am 24.08. beginnt die Bauphase des nächsten Updates. Ich denke es wird Anfang September erscheinen.

Herzliche Grüße,
Thomas Jarosch